Effective date: May 20, 2026

Version 1.0 — May 20, 2026

Sentient Forms is local-first by default. Customer-controlled configuration, action definitions, form mappings, provider settings, consent records, execution logs, selected results, and migration records may be stored in the Customer’s own WordPress database.

A Data Processing Addendum or service-provider addendum may be needed when a Customer uses Sentient Forms Managed Service to send Customer-selected personal data to the Sentient Forms managed service/CPS.

If your organization requires a DPA, service-provider addendum, Standard Contractual Clauses, UK Addendum, or other data-processing terms for Sentient Forms Managed Service, contact:

[email protected]

Please include:

  1. organization name;
  2. account email;
  3. site URL or site identifier;
  4. applicable jurisdiction;
  5. whether GDPR, UK GDPR, CCPA/CPRA, or another privacy law applies;
  6. whether Standard Contractual Clauses, UK Addendum, or other transfer terms are requested;
  7. requested effective date;
  8. procurement, privacy, or security contact;
  9. a short description of the data you plan to send through Sentient Forms Managed Service; and
  10. whether any regulated or sensitive data is involved.

No HIPAA support or Business Associate Agreement is provided by default. Do not send protected health information or other prohibited regulated data through Sentient Forms unless TWP has signed a separate written addendum that expressly authorizes that use.

U.S.-focused launch posture

Sentient Forms is operated from the United States and is U.S.-focused at launch. TWP does not specifically target EU/UK markets at launch, although it does not necessarily geoblock EU/UK use.

Customers needing EU/UK transfer terms, DPA review, Standard Contractual Clauses, UK Addendum, transfer-impact review, EU representative analysis, UK representative analysis, DPO analysis, or other EU/UK legal review should request that review before relying on Sentient Forms Managed Service for that data.

Current named service providers and subprocessors

The following providers are expected for launch, subject to final production configuration:

ProviderPurposeNotes
Google Cloud Platform / Google Compute EngineManaged service hosting and infrastructureGoogle provides cloud DPA/subprocessor materials; final region and configuration are handled operationally.
StripeBilling, checkout, subscriptions, invoices, payment events, disputes, fraud controls, and payment processingStripe is the payment processor. TWP is the seller/service provider unless a separate merchant-of-record product is adopted. Stripe Tax is not configured at launch.
OpenRouterModel routing where used for Direct OpenRouter Execution or Sentient Forms Managed ServiceOpenRouter self-serve and downstream model-provider terms may vary by model, route, endpoint, account settings, and provider.
Google WorkspaceSupport email and operational communications if email support is offeredSupport email should not be used for secrets or prohibited regulated data unless an approved secure process is provided.
Google Analytics 4Public SentientForms.com/TWP website analytics if enabled and consented/configured as requiredGA4 is not included in the WordPress plugin and is separate from metadata-only Plugin telemetry.

This list does not include third parties selected by Customers for their own WordPress sites, Direct OpenRouter Execution, webhook receivers, hosting, plugins, OpenRouter BYOK configurations, downstream tools, or customer-selected destinations.

OpenRouter and downstream provider caveat

OpenRouter may route requests to downstream model providers. Logging, retention, training, regional handling, zero-data-retention availability, and provider terms can vary by provider, model, endpoint, account settings, and request configuration.

A DPA request involving Sentient Forms Managed Service must account for OpenRouter and downstream model-provider flow-down limits. TWP does not promise universal zero retention, no training, regional routing, or regulated-data readiness unless a signed written addendum expressly says so.

What must be confirmed before a full standard DPA is available

Before TWP publishes or offers a standard full DPA for broad use, TWP expects to confirm:

  1. final processing roles for each data path;
  2. managed execution retention and deletion behavior;
  3. support diagnostics retention and deletion behavior;
  4. security controls and incident-response process;
  5. breach-notice timing;
  6. final subprocessor list and notice period;
  7. OpenRouter and downstream model-provider flow-down terms;
  8. Standard Contractual Clause module selection and UK Addendum posture if EU/UK transfers are supported;
  9. whether TWP will claim Data Privacy Framework participation or rely on Standard Contractual Clauses or other mechanisms;
  10. EU representative, UK representative, and DPO analysis;
  11. audit rights and procurement support boundaries; and
  12. whether regulated data is prohibited entirely or allowed only under specific signed addenda.

Customer responsibility

Customers are responsible for determining whether their own forms, prompts, Site Context, model choices, provider paths, webhooks, and downstream destinations are appropriate for their legal obligations.

Customers needing EU/UK transfer terms or regulated-data support should obtain written approval from TWP before using Sentient Forms Managed Service for that data.

Scroll to Top