Introduction
This Data Processing Addendum ("DPA") supplements the Terms of Service (the "Agreement") between CertSeal.com ("CertSeal") and the customer named in the Agreement ("Customer"). It governs the processing of Personal Data by CertSeal on behalf of Customer in connection with the Service.
If you are a Customer and need a signed copy of this DPA on your letterhead or via a contract portal, email sales@certseal.com and we will countersign within two business days.
Definitions
- Applicable Data Protection Law — the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Singapore Personal Data Protection Act, and any other privacy or data-protection law applicable to either party's processing of Personal Data under the Agreement.
- Personal Data, Controller, Processor, Data Subject, Processing, and Personal Data Breach have the meanings given in Applicable Data Protection Law.
- Customer Personal Data — Personal Data processed by CertSeal on behalf of Customer in the course of providing the Service.
- Sub-processor — any third party engaged by CertSeal to process Customer Personal Data.
Roles & scope
The parties acknowledge that for the purposes of Applicable Data Protection Law and with respect to Customer Personal Data, Customer is the Controller, CertSeal is the Processor, and CertSeal will engage Sub-processors in accordance with this DPA.
Subject matter and duration — the provision of the Service for the term of the Agreement. Nature and purpose — designing, generating, delivering, and verifying digital credentials on Customer's behalf. Types of data — recipient identifiers (name, email), credential metadata (course/program, dates, scores), engagement events. Categories of data subject — Customer's credential recipients and authorized users.
CertSeal's obligations
CertSeal will:
- Process Customer Personal Data only on documented instructions from Customer, including with respect to transfers, except as required by applicable law.
- Ensure that personnel authorized to process Customer Personal Data are under appropriate obligations of confidentiality.
- Implement and maintain the technical and organisational measures described in the Security Measures section.
- Assist Customer in responding to Data Subject requests and in meeting Customer's obligations under Articles 32–36 of the GDPR (security, breach notification, DPIAs, consultation with supervisory authorities), taking into account the nature of the processing and the information available to CertSeal.
- Make available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR.
- Notify Customer without undue delay of any Personal Data Breach affecting Customer Personal Data.
Customer's obligations
Customer warrants and undertakes that:
- It has all necessary rights, legal bases, consents, and notices to provide Customer Personal Data to CertSeal for processing as contemplated by the Agreement.
- Its instructions to CertSeal comply with Applicable Data Protection Law and any other laws applicable to Customer.
- It will respond directly to Data Subjects who contact Customer about Customer Personal Data, using CertSeal's assistance where reasonably required.
Sub-processors
Customer authorizes CertSeal to engage Sub-processors to assist with the provision of the Service. CertSeal will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA.
The current list of Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Application hosting, storage, backups | EU (Ireland), US (Virginia) |
| Cloudflare | Edge network, WAF, DDoS protection | Global edge |
| Stripe | Payment processing | Global |
| Postmark | Transactional email delivery | United States |
| Sentry | Application error monitoring | United States, EU |
| Plausible Analytics | Privacy-friendly product analytics | Germany |
| Intercom | Customer support messaging | United States |
| Linear | Issue & roadmap management | United States |
CertSeal will give Customer at least 30 days' advance notice of any intended addition or replacement of a Sub-processor (via email to the account's billing contact and an update to this page). Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; if it cannot be resolved, Customer may terminate the affected portion of the Service without further charge for the unused portion of the term.
International transfers
Where the transfer of Customer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland is required, CertSeal relies on appropriate safeguards, including:
- The European Commission's Standard Contractual Clauses (2021/914), incorporated by reference into this DPA.
- The UK International Data Transfer Addendum to the SCCs (where the UK GDPR applies).
- The Swiss Federal Data Protection and Information Commissioner's amendments (where Swiss data protection law applies).
- The EU–US Data Privacy Framework, where the recipient is certified.
Security measures
CertSeal maintains a documented Information Security Programme aligned with ISO 27001 and SOC 2. Measures include, at minimum:
- Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Least-privilege access controls, SSO, and mandatory hardware-key MFA for all CertSeal personnel.
- Network segmentation, hardened production environments, and continuous vulnerability scanning.
- Encrypted, geo-redundant backups with quarterly restore tests.
- Centralized logging, intrusion detection, and 24×7 on-call security response.
- Annual independent penetration testing and a published responsible-disclosure programme.
- Mandatory security and privacy training for all personnel, refreshed annually.
- Documented incident-response and business-continuity plans, tested at least annually.
Incident notification
CertSeal will notify Customer of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay and, where feasible, no later than 72 hours after becoming aware of the Breach. Notifications will include, to the extent then known, the nature and likely consequences of the Breach, the measures taken or proposed, and a point of contact for further information.
Assisting with data subject rights
Taking into account the nature of the processing, CertSeal will assist Customer with appropriate technical and organisational measures to fulfil Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.
Audits
CertSeal will make available, on Customer's reasonable request and no more than once per year, copies of its most recent third-party audit reports (e.g. SOC 2, ISO 27001) and a written security questionnaire response. Where Applicable Data Protection Law requires an on-site audit, the parties will agree to a scope and schedule in advance and Customer will bear its own costs.
Return and deletion
On termination of the Agreement, Customer may export Customer Personal Data from the Service using self-service tools or by request. CertSeal will delete or anonymize remaining Customer Personal Data within 30 days of termination, except (a) where retention is required by law, and (b) for already-issued credentials that Customer or the relevant recipient wishes to keep verifiable, which will be retained per the Terms of Service.
Term
This DPA takes effect on the Effective Date stated above and continues for the duration of the Agreement and, with respect to provisions that by their nature should survive, for as long as CertSeal processes Customer Personal Data.
How to sign
To countersign this DPA, email sales@certseal.com with your organization's legal name, the email of the signatory, and any procurement-portal links we should use. We will return a signed PDF within two business days.
Questions about this document? Email hello@certseal.com — a real human will reply.