Data Protection & GDPR

Scope

This Data Protection Notice applies to the processing of personal data by Certifyd Inc. ("Certifyd," "we," "us," or "our") in connection with our digital certificate and badge management platform, website at certifyd.cloud, and all related services (the "Service"). This notice is intended to provide transparency about our data protection practices and to inform individuals of their rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection legislation.

This notice applies to the personal data of all individuals whose data we process, including:

• Account holders and organizational administrators who use our platform
• Recipients of digital certificates and badges issued through our platform
• Visitors to our website
• Individuals who contact us for support or inquiries
• Individuals whose data is processed by our customers (organizations) through the Service

This notice should be read in conjunction with our Privacy Policy, Terms of Service, and Cookie Policy.

Data Controller

For the purposes of the GDPR and applicable data protection laws, the data controller responsible for the processing of your personal data is:

When organizations use Certifyd to issue digital certificates and badges, the organization acts as the data controller with respect to the personal data of their certificate recipients, and Certifyd acts as a data processor processing data on behalf of the organization. In this capacity, Certifyd processes personal data only in accordance with the organization's instructions and the terms of our Data Processing Agreement.

Certifyd acts as a data controller for data collected directly from individuals, such as account registration data, website visitor data, and data collected through direct communications with our support team.

Legal Basis for Processing

We process personal data only when we have a valid legal basis to do so under the GDPR. The legal bases we rely on include:

Performance of a Contract (Article 6(1)(b))

We process personal data when it is necessary to perform our contractual obligations to you, including providing the Service, managing your account, processing subscription payments, issuing and delivering digital certificates and badges, and providing customer support. This legal basis applies to account holders and organizational administrators who have agreed to our Terms of Service.

Legitimate Interests (Article 6(1)(f))

We process personal data when it is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include: improving and optimizing the Service; ensuring the security and integrity of the platform; detecting and preventing fraud and abuse; conducting analytics to understand user behavior and improve user experience; and communicating with users about service updates and relevant information.

Consent (Article 6(1)(a))

In certain cases, we process personal data based on your freely given, specific, informed, and unambiguous consent. This includes the use of non-essential cookies (analytics, performance, and preference cookies), sending marketing communications, and processing data for specific purposes that go beyond what is necessary for the performance of the contract. You have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

Legal Obligation (Article 6(1)(c))

We process personal data when it is necessary to comply with a legal obligation to which Certifyd is subject, such as tax and accounting requirements, responding to lawful requests from law enforcement or regulatory authorities, and fulfilling data protection obligations.

Data We Process

We process the following categories of personal data in connection with the Service:

• Identity Data: Full name, job title, organization name, and profile information
• Contact Data: Email address, phone number, and mailing address
• Account Data: Username, password (hashed), account preferences, and settings
• Financial Data: Payment method details, billing address, and transaction history (processed through our payment processor)
• Certificate Data: Recipient names, email addresses, certificate titles, issuance dates, expiration dates, verification codes, unique verification URLs, badge metadata, and custom fields included in certificates
• Usage Data: Pages visited, features used, click patterns, session duration, navigation paths, and actions taken on the platform
• Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, language preferences, and referring URLs
• Communication Data: Correspondence with our support team, feedback, and survey responses

Data Processing Activities

We carry out the following data processing activities in connection with the Service:

• Account Management: Creating, maintaining, and administering user accounts, including authentication and authorization
• Service Delivery: Processing certificate and badge creation, issuance, delivery via email, and verification through unique verification URLs
• Payment Processing: Processing subscription payments, managing billing records, handling refunds, and tax compliance
• Communication: Sending transactional emails (certificate delivery notifications, account confirmations, password resets), service updates, and responding to support inquiries
• Analytics & Improvement: Analyzing aggregated usage patterns, measuring service performance, identifying areas for improvement, and developing new features
• Security & Fraud Prevention: Monitoring for suspicious activity, preventing unauthorized access, detecting fraud, and maintaining the security and integrity of the platform
• Legal Compliance: Processing data as necessary to comply with legal obligations, respond to legal requests, and enforce our Terms of Service

Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods for different categories of data are as follows:

After the applicable retention period expires, personal data is either securely deleted or irreversibly anonymized so that it can no longer be used to identify an individual. Anonymized data may be retained indefinitely for statistical and analytical purposes.

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR and applicable data protection laws with respect to your personal data:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the existence of your other rights. You may request a copy of the personal data we hold about you, which will be provided free of charge. Additional copies may be subject to a reasonable fee.

Right to Rectification (Article 16)

You have the right to request the correction of inaccurate personal data we hold about you and to have incomplete personal data completed. We will take reasonable steps to verify the accuracy of the corrected data and update our records accordingly.

Right to Erasure (Article 17)

You have the right to request the deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent and there is no other legal basis for processing, when you object to processing and there are no overriding legitimate grounds, when the data has been unlawfully processed, or when erasure is required for compliance with a legal obligation. Please note that this right is not absolute, and we may be required to retain certain data for legal, contractual, or legitimate business reasons.

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, when processing is unlawful and you oppose erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification of whether our legitimate grounds override your interests.

Right to Data Portability (Article 20)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from us, where the processing is based on consent or the performance of a contract and is carried out by automated means. Upon request, we will provide your data in JSON or CSV format.

Right to Object (Article 21)

You have the right to object to the processing of your personal data where processing is based on our legitimate interests or is carried out for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

Right Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Certifyd does not currently engage in solely automated decision-making that produces legal or similarly significant effects on individuals. If this changes in the future, we will update this notice and provide appropriate safeguards, including the right to obtain human intervention, to express your point of view, and to contest the decision.

Exercising Your Rights

To exercise any of the rights described above, you may submit a request by contacting us at support@certifyd.cloud with the subject line "Data Protection Rights Request." Please include the following information in your request:

• Your full name and the email address associated with your account
• A description of the specific right you wish to exercise
• Any additional information necessary to verify your identity and locate your data

We will acknowledge receipt of your request within 5 business days and will respond substantively within 30 days of receipt. In complex cases, or where we receive a high volume of requests, we may extend the response period by an additional 60 days, in which case we will inform you of the extension and the reasons for it within the initial 30-day period.

We may need to verify your identity before processing your request to prevent unauthorized access to personal data. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

International Data Transfers

Certifyd is headquartered in the United States, and our primary data processing infrastructure is located in the United States. When personal data is transferred from the EEA, the United Kingdom, or Switzerland to the United States or other countries outside those regions, we ensure that appropriate safeguards are in place to protect your data in compliance with the GDPR.

The safeguards we rely on for international data transfers include:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (as adopted under Commission Implementing Decision (EU) 2021/914) as the primary mechanism for transferring personal data outside the EEA. These clauses impose contractual obligations on the data importer to protect the data to a standard consistent with EU data protection law.
• UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom, we use the UK IDTA or the UK Addendum to the EU SCCs, as applicable.
• Adequacy Decisions: Where available, we rely on adequacy decisions by the European Commission or the UK Secretary of State recognizing that a third country provides an adequate level of data protection.
• Supplementary Measures: Where necessary, we implement additional technical and organizational measures to ensure an adequate level of protection, including encryption in transit and at rest, access controls, and data minimization.

You may request a copy of the appropriate safeguards we have implemented for international data transfers by contacting us at support@certifyd.cloud.

Data Processing Agreements

When Certifyd processes personal data on behalf of organizations (our customers) as a data processor, we enter into Data Processing Agreements ("DPAs") that comply with the requirements of Article 28 of the GDPR. Our DPAs set forth the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data processed, and the categories of data subjects.

Our standard DPA includes commitments to:

• Process personal data only on documented instructions from the data controller
• Ensure that persons authorized to process the personal data have committed themselves to confidentiality
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• Engage sub-processors only with prior written authorization and subject to equivalent data protection obligations
• Assist the controller in fulfilling its obligations to respond to data subject rights requests
• Delete or return all personal data upon termination of the processing relationship
• Make available all information necessary to demonstrate compliance and allow for audits

Organizations that require a DPA may request one by contacting us at support@certifyd.cloud.

Sub-processors

Certifyd engages third-party sub-processors to assist in providing the Service. Each sub-processor is bound by contractual obligations that are consistent with the GDPR and our Data Processing Agreements. We conduct due diligence on all sub-processors to ensure they provide sufficient guarantees regarding data protection.

Our current sub-processors include:

We will notify customers of any intended changes to our sub-processors (additions or replacements) by providing at least 30 days' advance notice. If you have concerns about a new sub-processor, you may object by contacting us within the notice period. We will work with you in good faith to address your concerns or, if the concerns cannot be resolved, provide you with the option to terminate the affected services.

Data Breach Notification

Certifyd maintains comprehensive incident response procedures to detect, investigate, and respond to personal data breaches. In the event of a personal data breach, we will comply with the notification requirements under the GDPR and other applicable data protection laws.

Notification to Supervisory Authorities: Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, Certifyd will notify the relevant supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.

Notification to Data Subjects: Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Certifyd will communicate the breach to affected individuals without undue delay, in accordance with Article 34 of the GDPR, unless appropriate technical or organizational protective measures have been applied that render the personal data unintelligible to unauthorized persons.

Notification to Data Controllers: Where Certifyd is acting as a data processor on behalf of an organization, we will notify the organization (data controller) of a personal data breach without undue delay after becoming aware of it, and will provide sufficient information to enable the organization to meet its own breach notification obligations.

Children's Data

The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. Where the Service is used by organizations to issue certificates to individuals under the age of 16 (for example, in an educational context), the organization is responsible for ensuring that parental or guardian consent has been obtained in accordance with Article 8 of the GDPR and applicable national laws.

If we become aware that personal data has been collected from a child under the age of 16 without appropriate parental or guardian consent, we will take steps to delete the data as soon as possible. If you believe that a child under 16 has provided us with personal data without appropriate consent, please contact us at support@certifyd.cloud.

Data Protection Officer

Certifyd has designated a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with the GDPR and other applicable data protection laws. You may contact our DPO for any inquiries related to data protection, privacy, or the exercise of your rights.

Supervisory Authority

If you are located in the European Economic Area or the United Kingdom, you have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates the GDPR or other applicable data protection legislation.

You may lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement. A list of EU Data Protection Authorities and their contact information can be found on the European Data Protection Board website.

For complaints from the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk. While you have the right to lodge a complaint with a supervisory authority at any time, we encourage you to contact us first so that we may address your concerns directly.

Changes to This Notice

We may update this Data Protection Notice from time to time to reflect changes in our data processing practices, changes in applicable law, or other factors. When we make material changes to this notice, we will update the "Last updated" date at the top of this page and, where required by the GDPR, notify affected individuals by email or through a prominent notice on the Service.

We encourage you to review this notice periodically to stay informed about our data protection practices. Your continued use of the Service after the publication of any changes to this notice constitutes your acknowledgment of those changes.

Contact Us

If you have any questions about this Data Protection Notice, our data processing practices, or if you wish to exercise your data protection rights, please contact us:

We aim to respond to all data protection inquiries within 30 days of receipt. For urgent data protection matters, please include "URGENT" in the subject line of your email.