GDPR Compliance
Event Sentinel is committed to protecting your data in compliance with the General Data Protection Regulation (EU) 2016/679. This page details how we meet our obligations under the GDPR.
Last updated: February 1, 2026
Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to organizations that process personal data of individuals in the European Union (EU) and European Economic Area (EEA), regardless of where the organization is based.
Event Sentinel acts as both a data controller (for data we collect directly, such as account information and website usage) and a data processor (for Customer Data processed on behalf of our customers through the monitoring platform).
This page should be read together with our Privacy Policy, Cookie Policy, and Terms of Service.
Our Commitment
Privacy by Design
Data protection is integrated into every product feature and business process from the start, not as an afterthought.
Data Minimization
We collect only the minimum data necessary to provide our Services and fulfill our contractual obligations.
EU Data Residency
Enterprise customers can choose EU-only data residency (Frankfurt region) to keep all data within the EEA.
Accountability
We maintain detailed records of processing activities (Art. 30), conduct impact assessments, and appoint a DPO.
Legal Basis for Processing
Under the GDPR, we must have a valid legal basis for every processing activity. The table below outlines the legal bases we rely on:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Providing the monitoring platform | Performance of contract | Art. 6(1)(b) |
| Processing Customer Data (telemetry) | Performance of contract | Art. 6(1)(b) |
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Billing and payment processing | Performance of contract / Legal obligation | Art. 6(1)(b), 6(1)(c) |
| Service notifications and alerts | Performance of contract | Art. 6(1)(b) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Product improvement and analytics | Legitimate interest (anonymized data) | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Analytics and marketing cookies | Consent | Art. 6(1)(a) |
| Tax and financial record retention | Legal obligation | Art. 6(1)(c) |
Your Rights Under the GDPR
As a data subject in the EU/EEA, you have the following rights regarding your personal data. Event Sentinel provides tools and processes to exercise each right:
Right of Access
Art. 15: Request a copy of all personal data we hold about you, including the purposes of processing, categories of data, and recipients.
Right to Rectification
Art. 16: Request correction of inaccurate personal data or completion of incomplete data without undue delay.
Right to Erasure
Art. 17: Request deletion of your personal data when it is no longer necessary, you withdraw consent, or you object to processing.
Right to Restriction
Art. 18: Request restriction of processing when you contest data accuracy, processing is unlawful, or we no longer need the data.
Right to Portability
Art. 20: Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transfer it to another controller.
Right to Object
Art. 21: Object to processing based on legitimate interests, including profiling. We must stop unless we demonstrate compelling legitimate grounds.
Automated Decision-Making
Art. 22: Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Right to Withdraw Consent
Art. 7(3): Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
How to exercise your rights: Email privacy@eventsentinel.ai or use the data management tools in Settings > Privacy. We will respond within 30 days (extendable by 60 days for complex requests, with prior notice). Requests are free of charge unless manifestly unfounded or excessive.
Data Processing Activities
In accordance with Article 30 of the GDPR, we maintain a Record of Processing Activities (ROPA). The following is a summary of our key processing activities:
| Category | Data Types | Retention | Role |
|---|---|---|---|
| Account Data | Name, email, company, password hash | Account duration + 30 days | Controller |
| Device Telemetry | CPU, memory, disk, network metrics, SMART data | Per plan (24h–1yr) | Processor |
| Billing Data | Payment card (via Stripe), invoices, transactions | 7 years | Controller |
| Support Data | Ticket content, attachments, correspondence | 2 years | Controller |
| Usage Analytics | Pages viewed, features used, session data | Anonymized indefinitely | Controller |
| Alert Configuration | Rules, thresholds, notification preferences | Account duration | Processor |
Sub-Processors
Under Article 28 of the GDPR, we inform you of the sub-processors we engage to process personal data on our behalf. We maintain contractual agreements (DPAs) with each sub-processor that include GDPR-compliant data protection terms.
| Sub-Processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | United States / EU (Frankfurt) | Cloud infrastructure hosting, data storage, and compute | SCCs, AWS DPA, SOC 2, ISO 27001 |
| Stripe | United States | Payment processing and subscription management | SCCs, PCI DSS Level 1 |
| SendGrid (Twilio) | United States | Transactional email delivery (alerts, notifications) | SCCs, SOC 2 |
| Cloudflare | Global (edge network) | CDN, DDoS protection, and DNS | SCCs, ISO 27001, SOC 2 |
| Google Analytics | United States | Website usage analytics (with IP anonymization) | SCCs, consent-based |
| PostHog | EU (Frankfurt) | Product analytics and feature usage tracking | EU hosting, SOC 2 |
| HubSpot | United States | CRM and marketing automation | SCCs, SOC 2 |
We will notify customers at least 30 days in advance before adding or replacing sub-processors. Customers may object to a new sub-processor by contacting us within the notice period.
International Data Transfers
When personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place as required by Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs): We use the European Commission's 2021 SCCs (Decision 2021/914) for all transfers to third countries that lack an adequacy decision.
- Transfer Impact Assessments (TIAs): We conduct TIAs for each sub-processor in a third country to evaluate the legal framework and supplement SCCs with additional safeguards where necessary.
- Supplementary Measures: Encryption in transit and at rest, pseudonymization, and access controls as recommended by the EDPB.
- EU Data Residency: Enterprise customers can opt for EU-only hosting (AWS Frankfurt) where all Customer Data remains within the EEA.
Technical & Organizational Measures
In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption for all data at rest
- End-to-end encryption for agent-to-platform communication
- Encrypted database backups with separate key management
Access Control
- Role-based access control (RBAC) with least-privilege principle
- Multi-factor authentication (MFA) for all staff and available for all users
- SSO/SAML support for Enterprise customers
- Automated access reviews every 90 days
Infrastructure
- SOC 2 Type II certified cloud infrastructure
- Network segmentation and firewall rules
- Intrusion detection and prevention systems (IDS/IPS)
- Automated vulnerability scanning and patching
Organizational
- Annual security awareness training for all employees
- Background checks for employees with data access
- Documented incident response procedures
- Regular third-party penetration testing
Data Breach Notification
In compliance with Articles 33 and 34 of the GDPR, Event Sentinel maintains a documented data breach response procedure:
Detection & Containment
Immediate: Our security team detects and contains the breach, activates the incident response plan, and preserves evidence.
Assessment
Within 24 hours: We assess the scope, affected data subjects, categories of data, and likely consequences of the breach.
Supervisory Authority Notification
Within 72 hours: If the breach is likely to result in a risk to rights and freedoms, we notify the relevant supervisory authority within 72 hours of becoming aware.
Customer Notification
Without undue delay: We notify affected customers via email, including the nature of the breach, data affected, measures taken, and recommended actions.
Data Subject Notification
If high risk: If the breach is likely to result in a high risk to individuals, we communicate directly to affected data subjects in clear, plain language.
Post-Incident Review
Within 30 days: We conduct a root cause analysis, implement corrective actions, and update security measures to prevent recurrence.
Data Protection Impact Assessment (DPIA)
In compliance with Article 35, Event Sentinel conducts Data Protection Impact Assessments for processing activities that are likely to result in a high risk to individuals' rights and freedoms. We have completed DPIAs for:
- AI/ML prediction engine: Processing of telemetry data through machine learning models for hardware failure prediction.
- Real-time monitoring: Continuous collection and processing of device telemetry data at scale.
- Alert and notification system: Automated decision-making for triggering alerts based on thresholds and anomaly detection.
- Analytics and profiling: Product usage analytics and behavioral patterns for service improvement.
DPIA summaries are available upon request for Enterprise customers. Contact dpo@eventsentinel.ai for more information.
Data Protection Officer
Event Sentinel has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR. The DPO is responsible for:
- Advising on GDPR compliance and data protection obligations.
- Monitoring compliance with data protection policies.
- Acting as the point of contact for data subjects and supervisory authorities.
- Conducting internal audits and staff training.
Contact the DPO
Email: dpo@eventsentinel.ai
Event Sentinel, Inc. — Attn: Data Protection Officer
548 Market St, Suite 35000, San Francisco, CA 94104, United States
Data Processing Agreement (DPA)
Event Sentinel offers a pre-signed Data Processing Agreement (DPA) that meets the requirements of Article 28 of the GDPR. The DPA includes:
- Subject matter, duration, nature, and purpose of processing.
- Types of personal data and categories of data subjects.
- Obligations and rights of the controller.
- Instructions for processing, including cross-border transfers.
- Sub-processor terms and notification procedures.
- Data deletion and return obligations upon termination.
- Audit and inspection rights.
- Standard Contractual Clauses (SCCs) as an appendix.
Request a DPA: Pro and Enterprise customers can request our DPA by emailing legal@eventsentinel.ai. We typically provide the executed DPA within 5 business days.
Contact Us
For any questions about our GDPR compliance, data protection practices, or to exercise your rights, please contact us:
Privacy Team
Data Protection Officer
Legal Department
EU Representative
In accordance with Article 27, Event Sentinel has appointed an EU representative:
Event Sentinel EU Representative
Friedrichstraße 123
10117 Berlin, Germany
Email: eu-representative@eventsentinel.ai