CertCrowd Achieves Full GDPR Compliance: Our Commitment to Privacy, Security & Trust

At CertCrowd, trust is not just a product feature, it is the foundation of our business. That is why we are excited to announce that CertCrowd is now fully aligned with the General Data Protection Regulation (GDPR), the world’s most stringent privacy and data protection framework.

For a global SaaS platform supporting organisations on their ISO and GRC journeys, GDPR compliance is not optional. It demonstrates that we protect personal data with the same level of rigour we ask our customers to uphold.

This achievement reflects months of focused work across legal, technical, and operational layers, and it now forms a core part of our governance, risk, and compliance ecosystem.

What GDPR Compliance Means for CertCrowd

GDPR compliance ensures that when users entrust us with their information, we:

  • Use it lawfully, transparently, and for clear, legitimate purposes
  • Minimise data collection to only what is necessary
  • Secure personal data with industry-leading controls
  • Provide individuals with rights over their personal information
  • Maintain accountability through documented processes, reviews, and audits

It is one of the strongest signals of privacy maturity a SaaS provider can demonstrate, especially for customers in Europe, the UK, and any organisation operating with globally distributed data.

Inside CertCrowd’s GDPR Journey

Our compliance program covered all major GDPR pillars, and we have embedded these controls into the heart of our operations.

1. Updated Privacy Policy and Transparency Controls

We rewrote and expanded our Privacy Policy to ensure it meets GDPR transparency requirements, including:

  • Lawful bases for processing
  • Clear data categories and purposes
  • Retention periods
  • International data transfers
  • Sub-processor commitments
  • User rights and how to exercise them

Our Privacy Policy now reflects exactly how CertCrowd uses and protects personal data, with no jargon, no hidden terms, and no ambiguity.

2. Data Processing Agreement (DPA)

Every customer now benefits from a GDPR-aligned DPA that covers:

  • Controller and processor roles
  • Data handling obligations
  • Sub-processor relationships
  • Technical and organisational measures (TOMs)
  • Breach notification timelines
  • Audit and accountability provisions

The DPA is available by default to all customers and is referenced throughout our terms.

3. Cookie Management and Consent Controls

To meet EU and UK requirements for non-essential cookies, we implemented:

  • A full cookie consent banner
  • Categorised consent (necessary, analytics, marketing)
  • Ability for users to withdraw consent at any time
  • Documentation of consent for accountability
  • Updated cookie policy and vendor list

This ensures users are in complete control over non-essential tracking technologies.

4. GDPR Representative in the EU and UK

Because CertCrowd processes personal data of EU and UK residents without having an establishment in those regions, we appointed:

  • An EU GDPR Representative
  • A UK GDPR Representative

This ensures local supervisory authorities and individuals have direct contact points within the EU and UK jurisdictions.

5. Sub-processor Register and 30-day Notice Mechanism

We introduced a public Sub-processor Register that:

  • Lists all third-party providers we use
  • Provides notice before adding or replacing sub-processors
  • Allows customers to subscribe for notifications
  • Supports objections based on reasonable data protection grounds

This transparency supports compliance for our customers’ own GDPR obligations.

6. Internal Records of Processing Activities (ROPA)

We established a comprehensive ROPA to meet Article 30 requirements, documenting:

  • All processing activities
  • Data categories
  • Purposes
  • Systems and storage locations
  • Security measures
  • Retention schedules
  • Legal bases
  • Cross-border transfers

This forms a core part of our internal accountability framework.

7. Staff Training and Awareness

All team members completed GDPR and privacy awareness training covering:

  • Personal data handling
  • Data minimisation
  • Secure development practices
  • Responding to data subject rights
  • Incident reporting and escalation

This ensures privacy is foundational, not optional.

What This Means for Our Customers

Whether you are using CertCrowd to implement ISO 27001, manage audits, or streamline compliance:

  • Your data is handled under one of the world’s strongest privacy regimes
  • You can show your own auditors, customers, and procurement teams that your platform meets GDPR requirements
  • Our processes now support your obligations, from DSAR responses to sub-processor notifications
  • You gain a supplier that prioritises responsibility, transparency, and security

In short, GDPR compliance is not just "done". It is embedded.

Privacy Is Not a Destination, It Is a Promise

Achieving GDPR compliance is a major milestone, but not the endpoint.

We will continue to:

  • Review and update our privacy governance
  • Maintain our ROPA
  • Monitor regulatory developments
  • Strengthen security controls
  • Improve user transparency and data rights
  • Perform periodic reviews and internal audits

Because privacy and trust are not static; they are ongoing commitments.

Thank You to Our Team and Community

This achievement reflects deep collaboration across engineering, legal, support, and security. To our customers and partners, thank you for trusting CertCrowd to safeguard what matters most.


© 2025 CertCrowd