Data Processing Agreement

CertCrowd Pty Ltd (Processor) & Customer (Controller)
Last updated: 14 November 2025


This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement").

Parties

Controller: The Company (customer of CertCrowd Pty Ltd)
Processor: CertCrowd Pty Ltd (ABN 68 634 250 758)
4/1027 Manly Road, Tingalpa QLD 4173, Australia
privacy@certcrowd.com

(together, the "Parties")

Recitals

WHEREAS

  • (A) The Company acts as a Data Controller.
  • (B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
  • (C) The Parties seek to implement a data processing agreement that complies with applicable Data Protection Laws, including Regulation (EU) 2016/679 (GDPR).
  • (D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalised terms and expressions have the meanings below:

1.1.1 “Agreement” means this Data Processing Agreement and the contract of services between CertCrowd and Company and all Schedules/Annexes.
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement.
1.1.3 “Contracted Processor” means a Subprocessor.
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including the UK GDPR and Swiss FADP.
1.1.5 “EEA” means the European Economic Area.
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC as replaced or superseded by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679.
1.1.8 “Data Transfer” means: (i) a transfer of Company Personal Data from the Company to a Contracted Processor; or (ii) an onward transfer of Company Personal Data from a Contracted Processor to a Subprocessor, or between two establishments of a Contracted Processor, in each case where such transfer would be restricted by Data Protection Laws.
1.1.9 “Services” means the CertCrowd software and related services the Data Processor provides to the Company under the Principal Agreement.
1.1.10 “Subprocessor” means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” have the meanings set out in the GDPR (and cognate terms shall be construed accordingly).

2. Processing of Company Personal Data

2.1 The Data Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the Company’s instructions, including as set out in the Principal Agreement, this Agreement, and Company’s configuration/use of the Services.

2.2 The Company instructs the Data Processor to process Company Personal Data as necessary to provide, secure, support, and improve the Services.

3. Processor Personnel

The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring that access is limited to those individuals who need to know/access such data for the Principal Agreement and subject to confidentiality obligations.

4. Security

4.1 Taking into account the state of the services, costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk to individuals, the Processor shall implement appropriate technical and organisational measures as required by Article 32 GDPR.
4.2 In assessing the appropriate level of security, the Processor shall take account of the risks presented by Processing, in particular from a Personal Data Breach.
4.3 A summary of current technical and organisational measures is available in the Processor’s security documentation and may include: access control and authentication, encryption in transit/at rest, secrets management, time-synchronised logging, backup/restore, vulnerability management, and secure development practices.

5. Subprocessing

5.1 The Company authorises the Processor to appoint Subprocessors to deliver the Services. The current list is published at https://certcrowd.com/legal/subprocessors (the “Register”) and is incorporated by reference.
5.2 CertCrowd ensures each Sub-processor is bound by written terms that, in substance, provide protections for Company Personal Data equivalent to those required of a processor under Data Protection Laws, including any necessary transfer safeguards (e.g., EU SCCs/UK Addendum). Where a Sub-processor only offers standard terms, CertCrowd may rely on those terms and publicly available attestations. CertCrowd remains responsible for such Sub-processors.
5.3 The Processor will provide:
(a) ≥30 days’ prior notice of any addition or replacement of a Sub-processor by updating the Sub-processor Register and notifying subscribed contacts. The Company may object on reasonable privacy/security grounds; if no commercially reasonable alternative is available, the Company may suspend or terminate the affected Services without penalty for the unused portion.
(b) Notwithstanding (a), in order to maintain or restore service availability, address a security incident or critical vulnerability, comply with law, or provide urgent support, the Processor may appoint or replace a Sub-processor without prior notice. In such cases, the Processor will (i) ensure the Sub-processor is bound by protections no less protective in substance than required by this DPA, (ii) notify the Company as soon as reasonably practicable and in any event within 5 business days, and (iii) promptly update the Sub-processor Register. The Company may object within 10 business days of such notice; if no commercially reasonable alternative is available within a reasonable time, the Company may suspend or terminate the affected Services without penalty for the unused portion.

6. Data Subject Rights

6.1 Taking into account the nature of Processing, the Processor shall assist the Company by appropriate technical and organisational measures to respond to Data Subject requests under Data Protection Laws.
6.2 The Processor shall (i) promptly notify the Company of any Data Subject request relating to Company Personal Data that it receives; and (ii) not respond except on the Company’s documented instructions or where required by Applicable Laws (in which case it shall, to the extent permitted, inform the Company before responding).

7. Personal Data Breach

7.1 The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information to enable the Company to meet its reporting/informing obligations.
7.2 The Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation and remediation of such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to the Company with data protection impact assessments and prior consultations with Supervisory Authorities, solely in relation to Processing of Company Personal Data by the Processor and taking into account the nature of Processing and information available to the Processor.

9. Deletion or Return of Company Personal Data

Subject to this section, the Processor shall, as soon as reasonably practicable and in any event within ninety (90) days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”): (a) delete Company Personal Data from active systems or (b) return it to the Company in a commonly used, machine-readable format (at the Company’s choice). Where immediate deletion is not possible (e.g., immutable backups, disaster-recovery archives, security/event logs required by Applicable Laws), such data will be isolated from active use and deleted upon the next scheduled rotation/overwriting cycle, which shall occur no later than one hundred eighty (180) days after production deletion, unless a longer period is required by law or for the establishment, exercise, or defence of legal claims; in that case, deletion will occur within thirty (30) days after the expiry of that requirement. The Processor may retain minimal records evidencing the deletion/return operations. Upon the Company’s written request, the Processor will provide a deletion certificate confirming completion of the above steps.

10. Audit Rights

10.1 Primary evidence (third-party reports)

To satisfy the requirements of GDPR Art. 28(3)(h), the Processor will, as the primary means of demonstrating compliance, make available upon written request: current third-party security/privacy certificates and/or reports or summaries (e.g., ISO 27001 certificate, SOC 2 report or summary, penetration-test summaries, trust-center materials, and relevant policies/procedures or control mappings), together with a written description of applicable technical and organisational measures.

10.2 Frequency & timing

The Processor will provide the materials in 10.1 no more than once in any rolling twelve (12)-month period, and otherwise within a reasonable period following a written request (or sooner where required by applicable law or a Supervisory Authority).

10.3 Escalation to audit (only if necessary)

If, after reviewing the materials in 10.1, the Company reasonably determines they are insufficient to meet its legal obligations under Applicable Data Protection Laws, the Company may request an audit limited to verifying the Processor’s compliance with this Agreement. Audits shall:
(a) occur no more than once in any rolling twelve (12)-month period (unless a substantiated Personal Data Breach has occurred affecting Company Personal Data, or a regulator requires it);
(b) be conducted during business hours, on at least thirty (30) days’ prior written notice;
(c) be performed by the Company or an independent, reputable third-party auditor not a competitor of the Processor, each bound by a confidentiality agreement acceptable to the Processor;
(d) be scope-limited to facilities, systems, and records relevant to Processing of Company Personal Data; and
(e) be conducted in a manner that avoids disruption, protects the security and confidentiality of the Processor’s and other customers’ data, and complies with applicable law.

10.4 Method & location

The Processor may satisfy audit rights via remote document review, interviews, and virtual walkthroughs. Onsite inspection will be provided only where (i) required by Applicable Data Protection Laws or a Supervisory Authority, or (ii) remote methods are objectively insufficient. Where Processing occurs on infrastructure operated by hyperscale Sub-processors (e.g., cloud providers) that offer standard, non-negotiable audit terms, the Company agrees that audits of such environments are satisfied by those providers’ published audit reports and certifications; the Processor is not required to facilitate onsite access to those third-party facilities.

10.5 Costs & remediation

Audits are at the Company’s expense. The Company will reimburse the Processor’s reasonable out-of-pocket costs and reasonable internal time spent supporting the audit (at standard professional rates) unless the audit discovers a material breach of this DPA. The Processor will address any confirmed material non-conformities through a written remediation plan with commercially reasonable timelines.

10.6 No access to other customers’ data

The Company will not receive access to raw logs, data, or environments that would compromise the security or confidentiality of the Processor’s other customers or intellectual property; the Processor may provide redacted or aggregated information where necessary.

10.7 Sufficiency

The Parties agree this Section 10 meets the audit requirements of GDPR Article 28(3)(h).

11. Data Transfers

11.1 Scope. The Processor (and its Sub-processors, as listed in the Sub-processor Register) may Process or transfer Company Personal Data outside the EEA, the United Kingdom, or Switzerland where permitted by Applicable Data Protection Laws and subject to appropriate safeguards under this Section 11.

11.2 Transfer mechanisms. For any transfer to a country without an adequacy decision, the Parties rely on one or more of the following, as applicable:
(a) the EU Standard Contractual Clauses (Commission Decision 2021/914), Modules 2 (C→P) and/or 3 (P→P), which are incorporated by reference and completed by this DPA (Annex 1/2 provide Annex I/II information);
(b) the UK International Data Transfer Addendum or UK Addendum to the EU SCCs (as applicable), incorporated by reference and completed by this DPA;
(c) the Swiss FADP-approved approach (reading references to GDPR to include the Swiss FADP), as applicable; and
(d) where available, an adequacy decision (e.g., EU/UK-recognised adequacy frameworks) for the relevant recipient and transfer context.

11.3 Sub-processors & onward transfers. The Processor will ensure that any Sub-processor engaged for Processing involving a cross-border transfer is bound by written terms that: (i) require appropriate transfer safeguards consistent with this Section 11 (including Sub-processor-to-Sub-processor onward transfers), and (ii) flow down relevant obligations in substance under GDPR Art. 28(3)/(4).

11.4 Supplementary measures & TIAs. Where required, the Processor will implement supplementary measures (e.g., encryption in transit/at rest, access controls, logging, regional data hosting) and maintain a transfer impact assessment (or equivalent record) appropriate to the transfer.

11.5 Region pinning (where applicable). For EEA/UK/CH tenants configured to be hosted in an EEA/UK/CH region, the Processor will not intentionally relocate primary Company Personal Data outside that region except (i) as instructed by the Company, (ii) to provide the Services via approved Sub-processors under this Section 11, or (iii) to comply with law or respond to a verified emergency/security event, in which case the Processor will notify the Company as soon as reasonably practicable.

11.6 Evolving safeguards. If a relied-upon transfer mechanism is replaced, invalidated, or superseded, the Processor may implement replacement or supplementary mechanisms to lawfully continue the transfers and will update the DPA/Annexes and Register accordingly.

12. General Terms

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement confidential and must not use or disclose that Confidential Information without the other Party’s prior written consent, except where disclosure is required by law or the information is in the public domain.
12.2 Notices. All notices under this Agreement must be in writing and delivered personally, by post, or by email to the addresses specified above (or as updated by notice).

13. Governing Law and Jurisdiction

13.1 Governing law; venue; online acceptance

This Agreement is governed by the laws of the State of Queensland, Australia, excluding its conflict-of-laws rules. For clarity, any international data transfer instrument used by the Parties (e.g., the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum/UK Addendum) will be governed and interpreted in accordance with the governing-law/venue specified within those instruments (for the EU SCCs: Irish law and Irish courts; for the UK Addendum: its Mandatory Clauses).

13.2 Jurisdiction

Any dispute arising in connection with this Agreement that the Parties cannot resolve amicably will be submitted to the exclusive jurisdiction of the courts of the State of Queensland, Australia.

13.3 Online acceptance; no signature required

This Agreement forms part of the Principal Agreement (e.g., Terms of Service or Order). It is binding without signature and takes effect when the Company accepts the Principal Agreement, clicks to accept, or accesses or uses the Services. By using the Services, the Company agrees to this Data Processing Agreement. If a countersigned copy is required for the Company’s records, contact privacy@certcrowd.com.


© 2025 CertCrowd