
Privacy Notice

Effective: March 1, 2026  |  Version 2.0

Sentinel Authority operates the sentinelauthority.org website and the ODDC conformance platform. This Privacy Notice describes the categories of information collected, the purposes for which it is processed, and the safeguards applied.

Legal Entity and Jurisdiction
Data Controller: Sentinel Authority, an Ontario, Canada-based independent conformance body
Governing Law: Province of Ontario, Canada
Jurisdictional Scope: This Notice applies to information processed in connection with services provided globally by Sentinel Authority
International Transfers: Data may be processed in Canada and internationally. By submitting information, applicants acknowledge transfer to and processing in Canada and other jurisdictions where Sentinel Authority operates
Legal Basis for Processing: Contractual necessity and legitimate interest in maintaining attestation integrity
Information We Collect
Information You Provide
Contact information (name, email, phone, organization)
Application data (system descriptions, ODD specifications, technical documentation)
Account credentials for the attestation portal
Payment information (processed by third-party providers)
Collected Automatically
ENVELO Interlock telemetry data from systems undergoing assessment and attested systems under continuous post-attestation surveillance
Heartbeat signals, session status, and violation-rate metrics collected through continuous surveillance monitoring
Automated enforcement action records (conditional status, suspension, withdrawal) and associated timestamps
API access logs, including request metadata, API key usage, and rate-limit events
Demo and sandbox session data, including simulated telemetry generated during evaluation use
Log data (IP address, browser type, pages visited, request timestamps)
Cookies for session management and authentication
How We Use Your Information
Process and evaluate assessment applications
Conduct CAT-72 conformance testing
Issue and manage ODDC attestations
Perform continuous post-attestation surveillance monitoring of attested systems
Execute automated enforcement actions (suspension, revocation) based on defined thresholds
Communicate about your application or attestation status, including enforcement notifications
Maintain tamper-evident audit records as required for attestation integrity
Administer API access, enforce rate limits, and monitor platform security
Maintain, secure, and administer the attestation platform
Data Retention

We retain attestation records, including CAT-72 evidence, audit logs, surveillance data, and enforcement action records, for the duration of your attestation plus seven (7) years, to preserve evidentiary integrity and support potential regulatory, legal, or contractual review.

Account information is retained while your account is active and for a reasonable period thereafter for legal and business purposes.

API access logs and rate-limit records are retained for twelve (12) months. Demo and sandbox session data is retained for ninety (90) days.

Data Security

All data is encrypted in transit (TLS 1.3) and at rest. We implement industry-standard security measures including access controls, tamper-proof audit logging with cryptographic hash chaining, role-based access controls, two-factor authentication, and regular security assessments.

Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data. Note that attestation records may be subject to retention requirements that limit deletion rights.

To exercise any of these rights, contact us at the address below. We will respond within thirty (30) days of receiving a verifiable request.

Automated Decision-Making

Sentinel Authority employs automated systems to monitor attested systems and enforce conformance thresholds. Automated decisions that may affect your attestation status include:

Automatic suspension of attestations when ENVELO Interlock connectivity is lost for more than 24 consecutive hours
Automatic withdrawal of attestations when connectivity is lost for more than 72 consecutive hours
Automatic suspension when the violation rate exceeds 20% after a minimum of 100 recorded actions

These automated enforcement actions are applied pursuant to the thresholds described in the Terms of Use (Section 7). You may request human review of any automated enforcement action by contacting Sentinel Authority at the address below.

Third Parties

Sentinel Authority does not sell or monetize personal data. We may share data with:

Service providers who assist in operating our platform (hosting, email delivery, payment processing), subject to confidentiality obligations
Regulatory authorities, upon lawful request, including surveillance data and enforcement action records
Third parties conducting certificate verification through our public registry (limited to certificate status information only). The public registry displays conformance status, certificate identifiers, and enforcement history for all current and historical attestations. Registry entries are publicly accessible and are not subject to deletion requests where retention is required for regulatory or evidentiary purposes.
Updates

The effective date of this Privacy Notice appears above. Material revisions will be communicated via email or platform notification. Prior versions are archived upon revision.

Data Protection Inquiries

Direct data protection inquiries to the address below.

conformance@sentinelauthority.org