This Data Processing Agreement ("DPA") forms part of the agreement between Certify.App ("Processor") and the organization subscribing to an Enterprise plan ("Controller"). It governs how we process personal data on your behalf when you use the Certify.App platform.
1. Scope and roles
You act as the data controller for recipient and organization data you upload to Certify.App. We act as a data processor, processing that data only on your documented instructions to provide the Service described in our Terms of Service.
2. Subject matter and duration
Processing covers certificate templates, recipient records, generated certificates, verification logs, and related metadata for the duration of your Enterprise subscription and any retention period specified in your contract or our Privacy Policy.
3. Nature and purpose of processing
- Storing and managing certificate templates and campaign data
- Generating PDF certificates and unique verification identifiers
- Delivering certificates to recipients via email on your behalf
- Providing public certificate verification
- Maintaining audit and verification logs as configured
4. Categories of data subjects and personal data
- Data subjects: your staff users, certificate recipients, and third parties who verify credentials.
- Personal data: names, email addresses, organization names, certificate metadata, IP addresses in verification logs, and any custom fields you map from recipient imports.
5. Processor obligations
Certify.App will:
- Process personal data only on documented instructions from you
- Ensure personnel authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests where technically feasible
- Notify you without undue delay after becoming aware of a personal data breach affecting your data
- Delete or return personal data upon termination, subject to legal retention requirements
6. Sub-processors
We use trusted sub-processors for cloud hosting, database services, and email delivery. A current list is available on request. We will inform you of material changes to sub-processors and provide an opportunity to object where required by applicable law.
7. International transfers
Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, as described in our Privacy Policy.
8. Audits
Upon reasonable notice, Enterprise customers may request information necessary to demonstrate compliance with this DPA. On-site audits may be conducted no more than once per year unless required by a supervisory authority.
9. Executing a signed DPA
This page summarizes our standard Enterprise DPA. For a countersigned agreement with your legal entity details, contact sales@usecertify.app or visit our contact page.