SENTINEL processes sensitive financial transaction data on behalf of regulated entities. This page documents our architecture, controls, and obligations in plain language — for compliance officers, procurement teams, and data protection officers conducting vendor due diligence.
We do not claim certifications we have not yet completed. Where a control is live, we say so. Where it is in progress or planned, we say that too. If you have specific security requirements not addressed here, contact contact@micaready.eu before contracting.
Data hosting and residency
Customer transaction data submitted to SENTINEL for Modelo 172/173/721 generation is processed and stored on infrastructure operated by True Nordic Capital in Oslo, Norway. Norway is a member of the European Economic Area (EEA) and subject to the same data protection standards as EU member states under the GDPR.
- Processing location: Oslo, Norway (EEA). Status: Live
- Data at rest: SQLite database on encrypted storage (AES-256 via OS-level full-disk encryption). Status: Live
- Backup: Encrypted daily backups retained for 30 days, stored within the EEA. Status: Live
- Cloud migration to EU-hosted managed infrastructure (AWS EU-WEST-1 or Hetzner Falkenstein): Status: In progress, target Q3 2026
The marketing website (micaready.eu) is hosted on Vercel's global CDN. No customer transaction data passes through Vercel. The website serves static content only — product information, blog posts, and the waitlist form.
Encryption
- In transit: TLS 1.3 enforced on all API endpoints and the marketing website. Older protocol versions (TLS 1.0, 1.1) are disabled. Status: Live
- At rest: AES-256 full-disk encryption on all storage hosting customer data. Status: Live
- Database-level encryption (field-level encryption for PII within the database): Status: In progress, target Q3 2026
- API keys and secrets: Stored in environment variables, never in code or version control. Rotated on personnel change. Status: Live
Access controls
- Customer data is accessible only to True Nordic Capital personnel who require it for product delivery and support. At the current stage, this is the founding team only.
- No third-party staff, contractors, or partners have access to raw customer transaction data.
- Access is authenticated via strong unique credentials. Multi-factor authentication is enforced for all internal systems. Status: Live
- Role-based access control (RBAC) for multi-user enterprise deployments: Status: In progress, target Q3 2026
- Access logging and audit trail: Status: In progress, target Q3 2026
Sub-processors
The following third parties process data as part of SENTINEL's operation. Customer transaction data (your financial records) is not shared with any sub-processor. Sub-processors below handle payment, website, and analytics data only.
| Sub-processor | Purpose | Data processed | Location | DPA |
|---|---|---|---|---|
| Stripe | Payment processing | Billing data, payment card details (not stored by us) | US / EU data processing available | Stripe DPA |
| Formspree | Waitlist and contact forms | Name, email, message content from form submissions | US | Standard Contractual Clauses |
| Vercel | Static website hosting and CDN | Web request metadata (IP, user agent) for the marketing site only. No transaction data. | Global CDN / US headquarters | Vercel DPA |
| Plausible Analytics | Website analytics | Anonymised page view data, no cookies, no cross-site tracking | EU (Germany) | GDPR-compliant by design; no DPA required |
We will notify customers of any new sub-processor additions with a minimum of 30 days' notice before the sub-processor begins processing data.
GDPR — Article 28 statement
Under the GDPR, True Nordic Capital acts as a data processor when handling customer transaction data submitted for Modelo 172/173/721 generation. The customer (the CASP or their appointed compliance officer) is the data controller.
As data processor, True Nordic Capital commits to:
- Process personal data only on documented instructions from the controller
- Ensure personnel authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures (Article 32) — as described on this page
- Not engage sub-processors without prior written authorisation from the controller (the sub-processor list above constitutes general authorisation; specific authorisation is obtained for any new additions)
- Assist the controller in responding to data subject rights requests
- Delete or return all personal data at the end of the service relationship, at the controller's choice
- Make available all information necessary to demonstrate compliance with Article 28 obligations
A formal Data Processing Agreement (DPA) compliant with GDPR Article 28 is included in the SENTINEL subscription agreement. If your procurement process requires a standalone DPA before contract signature, contact us at contact@micaready.eu.
Incident response and breach notification
- Detection: Automated monitoring for anomalous access patterns and system alerts. Status: Live
- Notification timeline: In the event of a personal data breach, True Nordic Capital will notify affected customers within 72 hours of becoming aware of the breach, in line with GDPR Article 33 obligations. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address it.
- Formal incident response runbook: Status: In progress, target Q2 2026
Vulnerability management and penetration testing
- Dependencies are reviewed for known CVEs on a monthly basis and updated promptly on critical disclosures.
- Code is maintained in a private repository with branch protection and reviewed before deployment.
- Third-party penetration test: Status: Planned, target Q4 2026, prior to enterprise tier launch
Certifications and compliance roadmap
| Standard | Status | Target date |
|---|---|---|
| GDPR (data processor obligations) | Live | — |
| Data Processing Agreement (Article 28) | Live — included in subscription agreement | — |
| SOC 2 Type I | Planned | Q1 2027 |
| ISO 27001 | Planned | Q2 2027 |
| Penetration test (third-party) | Planned | Q4 2026 |
| EU-hosted managed infrastructure migration | In progress | Q3 2026 |
Data retention and deletion
- Customer transaction data is retained for the duration of the subscription and for a maximum of 12 months following contract termination, unless a shorter retention period is requested.
- On request, all customer data is deleted within 30 days and a deletion confirmation is provided in writing.
- Filing outputs (Modelo 172/173/721 XML) generated by SENTINEL remain the property of the customer. True Nordic Capital retains no copies after delivery unless explicitly agreed.
Security questions and DPA requests
Email: contact@micaready.eu
For security-specific enquiries, DPA requests, penetration test reports, or to submit a vulnerability disclosure, use the email above with subject line "Security — [topic]". We aim to respond to security disclosures within 24 hours.