Skip to content

Legal

Data Processing Addendum

This DPA forms part of the agreement between CertSeal and its customers and reflects our commitments under GDPR, UK GDPR, and other applicable data-protection laws.

Effective: May 1, 2026

Last updated: May 1, 2026

Introduction

This Data Processing Addendum ("DPA") supplements the Terms of Service (the "Agreement") between CertSeal.com ("CertSeal") and the customer named in the Agreement ("Customer"). It governs the processing of Personal Data by CertSeal on behalf of Customer in connection with the Service.

If you are a Customer and need a signed copy of this DPA on your letterhead or via a contract portal, email sales@certseal.com and we will countersign within two business days.

Definitions

  • Applicable Data Protection Law — the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Singapore Personal Data Protection Act, and any other privacy or data-protection law applicable to either party's processing of Personal Data under the Agreement.
  • Personal Data, Controller, Processor, Data Subject, Processing, and Personal Data Breach have the meanings given in Applicable Data Protection Law.
  • Customer Personal Data — Personal Data processed by CertSeal on behalf of Customer in the course of providing the Service.
  • Sub-processor — any third party engaged by CertSeal to process Customer Personal Data.

Roles & scope

The parties acknowledge that for the purposes of Applicable Data Protection Law and with respect to Customer Personal Data, Customer is the Controller, CertSeal is the Processor, and CertSeal will engage Sub-processors in accordance with this DPA.

Subject matter and duration — the provision of the Service for the term of the Agreement. Nature and purpose — designing, generating, delivering, and verifying digital credentials on Customer's behalf. Types of data — recipient identifiers (name, email), credential metadata (course/program, dates, scores), engagement events. Categories of data subject — Customer's credential recipients and authorized users.

CertSeal's obligations

CertSeal will:

  • Process Customer Personal Data only on documented instructions from Customer, including with respect to transfers, except as required by applicable law.
  • Ensure that personnel authorized to process Customer Personal Data are under appropriate obligations of confidentiality.
  • Implement and maintain the technical and organisational measures described in the Security Measures section.
  • Assist Customer in responding to Data Subject requests and in meeting Customer's obligations under Articles 32–36 of the GDPR (security, breach notification, DPIAs, consultation with supervisory authorities), taking into account the nature of the processing and the information available to CertSeal.
  • Make available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR.
  • Notify Customer without undue delay of any Personal Data Breach affecting Customer Personal Data.

Customer's obligations

Customer warrants and undertakes that:

  • It has all necessary rights, legal bases, consents, and notices to provide Customer Personal Data to CertSeal for processing as contemplated by the Agreement.
  • Its instructions to CertSeal comply with Applicable Data Protection Law and any other laws applicable to Customer.
  • It will respond directly to Data Subjects who contact Customer about Customer Personal Data, using CertSeal's assistance where reasonably required.

Sub-processors

Customer authorizes CertSeal to engage Sub-processors to assist with the provision of the Service. CertSeal will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA.

The current list of Sub-processors:

Sub-processor Purpose Location
Amazon Web Services Application hosting, storage, backups EU (Ireland), US (Virginia)
Cloudflare Edge network, WAF, DDoS protection Global edge
Stripe Payment processing Global
Postmark Transactional email delivery United States
Sentry Application error monitoring United States, EU
Plausible Analytics Privacy-friendly product analytics Germany
Intercom Customer support messaging United States
Linear Issue & roadmap management United States

CertSeal will give Customer at least 30 days' advance notice of any intended addition or replacement of a Sub-processor (via email to the account's billing contact and an update to this page). Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; if it cannot be resolved, Customer may terminate the affected portion of the Service without further charge for the unused portion of the term.

International transfers

Where the transfer of Customer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland is required, CertSeal relies on appropriate safeguards, including:

  • The European Commission's Standard Contractual Clauses (2021/914), incorporated by reference into this DPA.
  • The UK International Data Transfer Addendum to the SCCs (where the UK GDPR applies).
  • The Swiss Federal Data Protection and Information Commissioner's amendments (where Swiss data protection law applies).
  • The EU–US Data Privacy Framework, where the recipient is certified.

Security measures

CertSeal maintains a documented Information Security Programme aligned with ISO 27001 and SOC 2. Measures include, at minimum:

  • Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (AES-256).
  • Least-privilege access controls, SSO, and mandatory hardware-key MFA for all CertSeal personnel.
  • Network segmentation, hardened production environments, and continuous vulnerability scanning.
  • Encrypted, geo-redundant backups with quarterly restore tests.
  • Centralized logging, intrusion detection, and 24×7 on-call security response.
  • Annual independent penetration testing and a published responsible-disclosure programme.
  • Mandatory security and privacy training for all personnel, refreshed annually.
  • Documented incident-response and business-continuity plans, tested at least annually.

Incident notification

CertSeal will notify Customer of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay and, where feasible, no later than 72 hours after becoming aware of the Breach. Notifications will include, to the extent then known, the nature and likely consequences of the Breach, the measures taken or proposed, and a point of contact for further information.

Assisting with data subject rights

Taking into account the nature of the processing, CertSeal will assist Customer with appropriate technical and organisational measures to fulfil Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.

Audits

CertSeal will make available, on Customer's reasonable request and no more than once per year, copies of its most recent third-party audit reports (e.g. SOC 2, ISO 27001) and a written security questionnaire response. Where Applicable Data Protection Law requires an on-site audit, the parties will agree to a scope and schedule in advance and Customer will bear its own costs.

Return and deletion

On termination of the Agreement, Customer may export Customer Personal Data from the Service using self-service tools or by request. CertSeal will delete or anonymize remaining Customer Personal Data within 30 days of termination, except (a) where retention is required by law, and (b) for already-issued credentials that Customer or the relevant recipient wishes to keep verifiable, which will be retained per the Terms of Service.

Term

This DPA takes effect on the Effective Date stated above and continues for the duration of the Agreement and, with respect to provisions that by their nature should survive, for as long as CertSeal processes Customer Personal Data.

How to sign

To countersign this DPA, email sales@certseal.com with your organization's legal name, the email of the signatory, and any procurement-portal links we should use. We will return a signed PDF within two business days.


Questions about this document? Email hello@certseal.com — a real human will reply.