Legal
Sentry Transfer Impact Assessment
This Transfer Impact Assessment ("TIA") documents watchtower's assessment of the transfer of personal data to Sentry, Inc., a US-based error-telemetry provider, as required by the European Data Protection Board's Schrems II Recommendations 01/2020 and the Standard Contractual Clauses (Commission Implementing Decision 2021/914).
Implementation status. The technical safeguards described below
(sendDefaultPii: false on both server and browser init, the
/monitoring tunnel route, tracesSampleRate defaulting to 0) are
implemented by watchtower's Sentry instrumentation and pinned by an
automated contract test. Sentry is OFF unless
SENTRY_DSN is configured; with no DSN the SDK is a no-op and no data
leaves the deployment. This TIA describes the controls that apply once
Sentry is enabled with that configuration.
1. The transfer
1.1 Data exporter
Ampliosoft AB ("Watchtower"), Sweden (EU).
1.2 Data importer
Sentry, Inc., a Delaware corporation headquartered in San Francisco, California, United States. Sentry processes data on behalf of Watchtower under its standard Sentry Data Processing Addendum.
1.3 Categories of data transferred
When watchtower's SENTRY_DSN is configured:
- Application error events (server-side and browser-side)
- Stack traces and source location of the failing code
- Request metadata: HTTP method and route path only. Under the current
configuration (
sendDefaultPii: false) the user-agent, source IP, cookies, and request body are NOT transferred (see section 2.2.1). - Release tag, environment label, server hostname (operational metadata)
- Custom context that watchtower explicitly attaches in
audit-bearing paths (e.g.
Sentry.setUser({id})is permitted per watchtower's observability policy for specific operations; in those cases the actor id - which is a Better Auth opaque identifier, not an email or name - is included in the event)
Excluded by configuration (sendDefaultPii: false):
- Client IP addresses
- Cookies
- Request body content
Excluded by application code (these are never passed to Sentry under any configuration):
- Customer tenant data polled from Microsoft (configuration, policies, settings)
- Customer credentials
- Audit-chain rows
- Evidence-pack content
1.4 Frequency of the transfer
Continuous while the watchtower service is running and an error
occurs that triggers captureException (or the browser equivalent).
Volume varies; expected at low single-digit events per minute
sustained for a healthy deployment, spiking during incidents.
1.5 Purpose and lawful basis
Purpose: error telemetry to identify and remediate production failures.
Lawful basis (under GDPR Article 6): legitimate interest (Art. 6(1)(f)) of watchtower in maintaining a secure and reliable service, balanced against the interests of data subjects whose data MAY appear in error events. The configuration choices in section 1.3 are the specific safeguards adopted to minimise that data subject impact.
2. Transfer mechanism
2.1 SCC module
Watchtower-to-Sentry transfers are governed by the Standard Contractual Clauses, Module 3 (processor-to-processor) under Commission Implementing Decision (EU) 2021/914. The SCCs are incorporated into Sentry's published DPA.
2.2 Supplementary measures
Watchtower applies the following supplementary measures (per the EDPB Recommendations 01/2020 taxonomy):
2.2.1 Technical measures
- PII suppression by configuration.
sendDefaultPii: falseis set in both server and browser Sentry init (verified by an automated contract test). Source IP, user-agent, cookies, and request body content are excluded. - Encryption in transit. Sentry's ingest endpoint enforces TLS 1.2+ (latest TLS supported by Sentry's edge).
- Tunnel routing. Browser events are routed through
watchtower's own
/monitoringendpoint (the Sentry tunnel feature). Browser TLS terminates at watchtower; events are re-emitted server-side over TLS to Sentry. This means a network observer at the client cannot identify watchtower as the source of a Sentry transfer. - Sampling.
tracesSampleRatedefaults to 0; transaction payloads (which include more contextual data) are not transferred unless this is explicitly raised.
2.2.2 Contractual measures
- Sentry's Data Processing Addendum (incorporating Module 3 SCCs) is in place.
- Sub-processor restriction. Sentry's published sub-processor list is reviewed in this TIA's annual review.
- Audit rights. Sentry's DPA provides for audit assistance.
2.2.3 Organisational measures
- No customer-attributable querying. Watchtower personnel
searching Sentry events use filters by
environmentandrelease, not by customer identifier. (Watchtower's Better Auth user ids that may appear are opaque to Sentry support staff.) - Data minimisation by code review. Code review checklist includes "is any new field attached to Sentry events necessary?" Customer-supplied free-text inputs are never attached.
2.3 Customer opt-out
Customer may instruct watchtower via the DPA Section 9 to disable
Sentry for the Customer's workspace. The effect is loss of error
telemetry for that workspace; other service features are unaffected.
The opt-out is implemented by clearing SENTRY_DSN for the
workspace's deployment, which the per-PR test guarantees results in a
no-op (verified by the contract test referenced above).
3. Legal assessment of the destination
3.1 US surveillance law
The principal concerns identified in Schrems II with respect to US transfers are:
- FISA Section 702: permits the US government to compel certain US-based electronic communications service providers to assist in surveillance of non-US persons. Sentry as a US corporation could in principle be subject to Section 702 orders.
- Executive Order 12333: permits collection of communications in transit, including outside US territory.
3.2 Sentry's exposure to those laws
Sentry is a corporation that processes communications-style data (application telemetry). It is plausible that Sentry could be served with a FISA 702 order. Sentry's published transparency reports historically have not disclosed receipt of FISA orders; absence of disclosure is not evidence that none have occurred.
3.3 Likely materiality to Customer Data
We assess the materiality of this exposure as low for the following reasons:
- Customer Data as defined in the DPA (Customer's tenant configuration, finding history, evidence packs) is NEVER transferred to Sentry.
- The personal data that IS transferred under section 1.3 is application-error context. It contains stack traces and Better Auth opaque user ids; it does not contain content that would be meaningful as a surveillance target.
- The supplementary measures (PII suppression, tunnel routing, sampling defaults) further reduce the value of any intercepted event to a surveillance interest.
3.4 EU-US Data Privacy Framework
As of June 2026 the EU-US Data Privacy Framework remains in force. Its legal standing was strengthened on 3 September 2025, when the EU General Court dismissed the action for annulment in Case T-553/23 (Latombe v Commission), ruling on the merits and confirming the Commission's adequacy decision (verified 2026-06-03). Sentry, Inc. has self-certified to the EU-US DPF, the UK Extension to the DPF, and the Swiss-US DPF, and appears on the published participant list (verified 2026-06-03 at https://www.dataprivacyframework.gov/; the operator should re-confirm the active certification on each TIA renewal, as certification status can lapse). For transfers within the scope of the DPF, the SCC supplementary measures above are belt-and-suspenders; the legal basis for the transfer is the adequacy decision underlying the DPF.
If the DPF were invalidated (as occurred with Privacy Shield in Schrems II), watchtower's transfer continues to rely on the SCCs plus supplementary measures, and the assessment in section 3.3 remains the basis for considering the transfer permissible. Note the General Court's September 2025 dismissal is appealable to the Court of Justice; counsel should track any appeal.
4. Conclusion
Watchtower assesses the Sentry transfer as permissible under SCC Module 3 + the documented supplementary measures.
The assessment is documented for transparency and to assist Customer's own DPIA. Customer may rely on this assessment or require modifications (e.g. Sentry opt-out for their workspace, additional measures, etc.) via the DPA.
5. Review cadence
This TIA is reviewed:
- Annually, on or about the anniversary of the effective date.
- When the EU-US Data Privacy Framework or its successor changes status.
- When Sentry's DPA, sub-processors, or technical capabilities change materially.
- When watchtower's Sentry configuration changes (e.g.
tracesSampleRateraised above 0,sendDefaultPiiflipped).
Each review produces a dated update in this file. Material changes notify Customer per the DPA.
6. References
- Secret management (OpenBao stays in EEA)
- Hetzner (primary processing in EEA)
- Data Processing Agreement, Sections 5, 6, 9
- Sub-processors
- watchtower's internal observability policy
- The automated contract test guaranteeing
sendDefaultPii: falseand the tunnel route - Sentry DPA
- EDPB Recommendations 01/2020 on supplementary measures
- Commission Implementing Decision (EU) 2021/914 (SCCs)