Version 2.2
Last updated: 14 November 2025
These Terms and Conditions govern access to and use of the Site and the Services provided by CertCrowd. Please read these Terms and our Privacy Policy carefully. Clients and other users who use the Site or the Services agree to be bound by the following Terms and Conditions and our Privacy Policy. Use of the Site or any of the Services indicates acceptance of these Terms and Conditions and our Privacy Policy. If you do not accept these Terms and our Privacy Policy, you are not authorised to use the Site or any of the Services.
CertCrowd may amend these Terms and Conditions from time to time. The scope or content of the Services may also be changed by CertCrowd from time to time. The amended terms will be published on certcrowd.com and are effective from the date of publication. CertCrowd will make every effort to communicate changes to you via email or notification on the Site. Use of the Site or the Services after such amendment indicates acceptance of the amended Terms and Conditions.
You can review the current version of the Terms and Conditions at certcrowd.com. Breach of any of these Terms may result, among other things, in termination of your account.
Incorporation by reference: The following documents form part of these Terms: our Privacy Policy (available at /legal/privacy) and our Data Processing Addendum (DPA) (available at /legal/dpa). By accessing or using the Services, you agree to these Terms, the Privacy Policy, and—where you are a controller of personal data—the DPA.
| Term | Meaning |
|---|---|
| Account Holder | The individual who registers to use the Service on behalf of a Client. |
| Agreement | The agreement concluded between the Account Holder and CertCrowd regarding use of the Services and governed by these Terms and the CertCrowd Privacy Policy. |
| Client | The entity or organisation, represented by the Account Holder, that uses the Services. |
| CertCrowd, We, Us | CertCrowd Pty Ltd (ABN 68 634 250 758) and its associated entities. |
| Invited User | Any person or entity, other than the Client and Account Holder, that uses the Service from time to time at the invitation of the Account Holder. |
| License Fee | The fees to use the Standard/Professional/Enterprise version of the Services. |
| Personal Data | Information that relates to an identified or identifiable natural person. |
| Services | The various sites made available through the Site and otherwise provided or made available by us. |
| Site | The internet sites available including certcrowd.com, app.certcrowd.com, and any other site operated by CertCrowd. |
| Standard/Professional/Enterprise Version | Versions of the Service subject to payment of a license fee. |
| You, Your | All users of the Site and Services, including Clients, Invited Users, and the Account Holder, unless expressly specified otherwise and agreed in writing by CertCrowd. |
| Customer Personal Data | Personal Data that the Client uploads to or processes via the Services. |
| Data Processing Addendum (DPA) | The then-current data processing terms published at /legal/dpa. |
The Service is a web-based compliance tool that allows you to create actions, pages, custom fields, templates, and more. Account Holders can explore the Service, but must first create an Account on behalf of a Client. Although the Service is available for free use, you must subscribe to the paid version of the Service (the “Standard/Professional/Enterprise Version”) to access all features.
Any notice under these Terms must be in writing and is deemed given on transmission. Notices to CertCrowd must be sent to info@certcrowd.com or another email address notified by CertCrowd. Notices to you will be sent to the email address provided during account setup.
Version 2.0
Last updated: 5 November 2025
Applies to: certcrowd.com, app.certcrowd.com and related sites (the "Services")
At CertCrowd, we know that our customers care about how their information is used and shared, and we take your privacy seriously. This policy explains what information CertCrowd collects about you, why we collect it, how we use and share it, and your choices.
By registering for or using our Services you consent to the collection, transfer, processing, storage, disclosure and other uses described in this Privacy Policy.
CertCrowd Pty Ltd (ABN 68 634 250 758) and its associated entities (collectively, "CertCrowd", "we", "us").
We collect personal information when you register for an account, create or modify your profile, or otherwise use, access, or interact with our Services. Personal information we collect may include name, business email address, role/title, phone and similar identifiers. You may enter this information yourself, or an administrator from your organisation may enter it for you.
To provide compliance and risk-management functionality, CertCrowd allows you to import or create content, such as company details, employee names/emails/titles, compliance obligations and status, incidents and hazards, risk registers and ratings, and other records you choose to store in the Services. You control the substance of this information.
If you contact us (for example support tickets, chat, email) we collect the information you provide (including any files you attach) to resolve your request and improve our Services.
Like most online services, we gather certain information and store it in log files when you interact with the Services. This may include browser type, IP address, language, referrer URL, operating system, and time/date of interactions. Some URLs you access may contain your email address as necessary to perform requested operations and therefore may appear in logs.
We collect usage data as you interact with the Services to understand performance and improve user experience. Where we associate usage data with an identifiable user (for example to provide support) we treat the combined data in accordance with this Policy.
The Services use cookies and similar technologies to authenticate users, remember preferences, measure performance and (where permitted) support analytics/advertising. You can control cookies via your browser settings; essential cookies are required for the Services to function.
If you choose to authenticate via a third-party identity provider (for example Google), we receive identity information as permitted by that service (such as name, email address, profile picture URL) and use it in accordance with this Policy. You can manage the information that third-party services share via their settings.
We use trusted providers (for example hosting, backups, email delivery, payments, CRM/support, analytics) who may process personal information on our behalf strictly to provide their services to us. Each is bound by confidentiality and data-protection obligations. We maintain a current list on our Sub-processor Register.
We may disclose information as required by law or where we believe it necessary to protect rights, safety or security (for example to comply with lawful requests, to investigate fraud or security incidents, or to enforce our terms).
We may use remarketing services (for example Google Ads) to display relevant ads about CertCrowd. You can opt out via the provider's ad settings and the CertCrowd website disables these cookies by default unless you opt in.
If we undergo a merger, acquisition or asset sale, we may transfer relevant information as part of that transaction. We will notify you of any ownership changes and related choices.
You may request access to, correction or deletion of your personal information. Depending on your jurisdiction, you may also request restriction or object to certain processing. To exercise rights, contact privacy@certcrowd.com. We aim to respond within one month and may extend by up to two months for complex requests; we will notify you if we need more time.
We operate a multi-region architecture.
For transfers from the EEA/UK/CH to countries without an adequacy decision (including the United States and Australia), we rely on the EU Standard Contractual Clauses (2021) and, for the UK, the UK International Data Transfer Addendum, plus supplementary measures (encryption in transit/at rest, least-privilege access, logging, and vendor due diligence). See the EU/UK/CH Addendum below for more detail and our Sub-processor Register for current vendors and regions.
We may update this Policy from time to time. The "Last updated" date shows the latest revision. For material changes we will provide additional notice (for example in-app or email) before they take effect.
CertCrowd Pty Ltd
4/1027 Manly Road, Tingalpa, QLD 4173, Australia
General: info@certcrowd.com
Privacy/rights requests: privacy@certcrowd.com
This addendum applies to individuals in the European Economic Area (EEA), the United Kingdom (UK) and Switzerland and supplements the main CertCrowd Privacy Policy.
Controller (for Business Data): CertCrowd Pty Ltd, 4/1027 Manly Road, Tingalpa QLD 4173, Australia
Data Protection Officer: Not appointed (you may always contact privacy@certcrowd.com)
If you are located in the EU or UK and have questions or concerns regarding your personal data, you may contact our appointed GDPR representative.
EU Representative
Euverify Ltd (Ireland)
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork
T23 AT2P
Ireland
Email: gdpr@euverify.com
UK Representative
Euverify Ltd (UK)
3rd Floor
86-90 Paul Street
London
EC2A 4NE
United Kingdom
Email: gdpr@euverify.com
To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, please use our secure portal at: GDPR Portal
This link allows you to verify our appointed representative and submit GDPR requests directly. Requests submitted through this portal are logged and tracked to ensure timely response and compliance.
We process personal data for the purposes set out in the main Policy under the following legal bases:
Hosting regions: By default, EEA/UK customer tenants are hosted in Germany (EU). We also operate regions in Australia, the United States, and Singapore for non-EEA/UK customers.
Service providers: Certain functions (such as authentication, email delivery, payments, support/CRM, and analytics) are provided by third parties that may process personal data in the United States and other regions where they operate.
Safeguards: Where personal data originating in the EEA/UK/CH is transferred to a country without an adequacy decision (for example the United States or Australia), we implement the EU Standard Contractual Clauses (2021) and, for the UK, the UK International Data Transfer Addendum, along with supplementary measures (encryption in transit/at rest, access controls, logging, vendor due diligence, and regional data hosting for Customer Data). See our Sub-processor Register for current vendors/regions.
We keep personal data only for as long as necessary to provide the Services, comply with law, resolve disputes, and enforce agreements. We use objective criteria (for example account status, regulatory limits, and record type) to decide when data is no longer needed. Where deletion is not immediately possible (for example immutable backups), the data is isolated from further processing and removed once the backup rotates. You can request deletion at any time (subject to legal exceptions) via our GDPR portal; we will cascade your request to our processors.
You have the right to access, rectify, erase, restrict, object to processing, and data portability. You also have the right to withdraw consent and to lodge a complaint with your local supervisory authority. We will respond within one month of receiving a request at privacy@certcrowd.com and may extend by up to two months for complex or multiple requests.
Important: If your request concerns Customer Data (data in a workspace/tenant controlled by your organisation), please contact your organisation (the controller). If you send such a request to us directly, we will forward it to the controller and assist them in fulfilling it, in accordance with our DPA.
Non-essential cookies (for example analytics/advertising) are off by default until you choose Accept in our cookie banner. The first layer of the banner provides Accept All / Reject Non-Essential with equal prominence. You can change or withdraw consent at any time via Cookie Settings.
We do not knowingly process the personal data of children under 16 in the EEA/UK/CH.
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
CertCrowd Pty Ltd (Processor) & Customer (Controller)
Last updated: 14 November 2025
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement").
Controller: The Company (customer of CertCrowd Pty Ltd)
Processor: CertCrowd Pty Ltd (ABN 68 634 250 758)
4/1027 Manly Road, Tingalpa QLD 4173, Australia
privacy@certcrowd.com
(together, the "Parties")
WHEREAS
IT IS AGREED AS FOLLOWS:
1.1 Unless otherwise defined herein, capitalised terms and expressions have the meanings below:
1.1.1 “Agreement” means this Data Processing Agreement and the contract of services between CertCrowd and Company and all Schedules/Annexes.
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement.
1.1.3 “Contracted Processor” means a Subprocessor.
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including the UK GDPR and Swiss FADP.
1.1.5 “EEA” means the European Economic Area.
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC as replaced or superseded by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679.
1.1.8 “Data Transfer” means: (i) a transfer of Company Personal Data from the Company to a Contracted Processor; or (ii) an onward transfer of Company Personal Data from a Contracted Processor to a Subprocessor, or between two establishments of a Contracted Processor, in each case where such transfer would be restricted by Data Protection Laws.
1.1.9 “Services” means the CertCrowd software and related services the Data Processor provides to the Company under the Principal Agreement.
1.1.10 “Subprocessor” means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” have the meanings set out in the GDPR (and cognate terms shall be construed accordingly).
2.1 The Data Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the Company’s instructions, including as set out in the Principal Agreement, this Agreement, and Company’s configuration/use of the Services.
2.2 The Company instructs the Data Processor to process Company Personal Data as necessary to provide, secure, support, and improve the Services.
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring that access is limited to those individuals who need to know/access such data for the Principal Agreement and subject to confidentiality obligations.
4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk to individuals, the Processor shall implement appropriate technical and organisational measures as required by Article 32 GDPR.
4.2 In assessing the appropriate level of security, the Processor shall take account of the risks presented by Processing, in particular from a Personal Data Breach.
4.3 A summary of current technical and organisational measures is available in the Processor’s security documentation and may include: access control and authentication, encryption in transit/at rest, secrets management, time‑synchronised logging, backup/restore, vulnerability management, and secure development practices.
5.1 The Company authorises the Processor to appoint Subprocessors to deliver the Services. The current list is published at https://certcrowd.com/resources/legal/subprocessor-register (the “Register”) and is incorporated by reference.
5.2 CertCrowd ensures each Sub-processor is bound by written terms that, in substance, provide protections for Customer Personal Data equivalent to those required of a processor under Data Protection Laws, including any necessary transfer safeguards (e.g., EU SCCs/UK Addendum). Where a Sub-processor only offers standard terms, CertCrowd may rely on those terms and publicly available attestations. CertCrowd remains responsible for such Sub-processors.
5.3 The Processor will provide:
(a) ≥30 days’ prior notice of any addition or replacement of a Sub-processor by updating the Sub-processor Register and notifying subscribed contacts. The Company may object on reasonable privacy/security grounds; if no commercially reasonable alternative is available, the Company may suspend or terminate the affected Services without penalty for the unused portion.
(b) Notwithstanding (a), in order to maintain or restore service availability, address a security incident or critical vulnerability, comply with law, or provide urgent support, the Processor may appoint or replace a Sub-processor without prior notice. In such cases, the Processor will (i) ensure the Sub-processor is bound by protections no less protective in substance than required by this DPA, (ii) notify the Company as soon as reasonably practicable and in any event within 5 business days, and (iii) promptly update the Sub-processor Register. The Company may object within 10 business days of such notice; if no commercially reasonable alternative is available within a reasonable time, the Company may suspend or terminate the affected Services without penalty for the unused portion.
6.1 Taking into account the nature of Processing, the Processor shall assist the Company by appropriate technical and organisational measures to respond to Data Subject requests under Data Protection Laws.
6.2 The Processor shall (i) promptly notify the Company of any Data Subject request relating to Company Personal Data that it receives; and (ii) not respond except on the Company’s documented instructions or where required by Applicable Laws (in which case it shall, to the extent permitted, inform the Company before responding).
7.1 The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information to enable the Company to meet its reporting/informing obligations.
7.2 The Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation and remediation of such Personal Data Breach.
The Processor shall provide reasonable assistance to the Company with data protection impact assessments and prior consultations with Supervisory Authorities, solely in relation to Processing of Company Personal Data by the Processor and taking into account the nature of Processing and information available to the Processor.
Subject to this section, the Processor shall, as soon as reasonably practicable and in any event within ninety (90) days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”): (a) delete Company Personal Data from active systems or (b) return it to the Company in a commonly used, machine-readable format (at the Company’s choice). Where immediate deletion is not possible (e.g., immutable backups, disaster-recovery archives, security/event logs required by Applicable Laws), such data will be isolated from active use and deleted upon the next scheduled rotation/overwriting cycle, which shall occur no later than one hundred eighty (180) days after production deletion, unless a longer period is required by law or for the establishment, exercise, or defence of legal claims; in that case, deletion will occur within thirty (30) days after the expiry of that requirement. The Processor may retain minimal records evidencing the deletion/return operations. Upon the Company’s written request, the Processor will provide a deletion certificate confirming completion of the above steps.
To satisfy the requirements of GDPR Art. 28(3)(h), the Processor will, as the primary means of demonstrating compliance, make available upon written request: current third-party security/privacy certificates and/or reports or summaries (e.g., ISO 27001 certificate, SOC 2 report or summary, penetration-test summaries, trust-center materials, and relevant policies/procedures or control mappings), together with a written description of applicable technical and organisational measures.
The Processor will provide the materials in 10.1 no more than once in any rolling twelve (12)-month period, and otherwise within a reasonable period following a written request (or sooner where required by applicable law or a Supervisory Authority).
If, after reviewing the materials in 10.1, the Company reasonably determines they are insufficient to meet its legal obligations under Applicable Data Protection Laws, the Company may request an audit limited to verifying the Processor’s compliance with this Agreement. Audits shall:
(a) occur no more than once in any rolling twelve (12)-month period (unless a substantiated Personal Data Breach has occurred affecting Company Personal Data, or a regulator requires it);
(b) be conducted during business hours, on at least thirty (30) days’ prior written notice;
(c) be performed by the Company or an independent, reputable third-party auditor not a competitor of the Processor, each bound by a confidentiality agreement acceptable to the Processor;
(d) be scope-limited to facilities, systems, and records relevant to Processing of Company Personal Data; and
(e) be conducted in a manner that avoids disruption, protects the security and confidentiality of the Processor’s and other customers’ data, and complies with applicable law.
The Processor may satisfy audit rights via remote document review, interviews, and virtual walkthroughs. Onsite inspection will be provided only where (i) required by Applicable Data Protection Laws or a Supervisory Authority, or (ii) remote methods are objectively insufficient. Where Processing occurs on infrastructure operated by hyperscale Sub-processors (e.g., cloud providers) that offer standard, non-negotiable audit terms, the Company agrees that audits of such environments are satisfied by those providers’ published audit reports and certifications; the Processor is not required to facilitate onsite access to those third-party facilities.
Audits are at the Company’s expense. The Company will reimburse the Processor’s reasonable out-of-pocket costs and reasonable internal time spent supporting the audit (at standard professional rates) unless the audit discovers a material breach of this DPA. The Processor will address any confirmed material non-conformities through a written remediation plan with commercially reasonable timelines.
The Company will not receive access to raw logs, data, or environments that would compromise the security or confidentiality of the Processor’s other customers or intellectual property; the Processor may provide redacted or aggregated information where necessary.
The Parties agree this Section 10 meets the audit requirements of GDPR Article 28(3)(h).
11.1 Scope. The Processor (and its Sub-processors, as listed in the Sub-processor Register) may Process or transfer Company Personal Data outside the EEA, the United Kingdom, or Switzerland where permitted by Applicable Data Protection Laws and subject to appropriate safeguards under this Section 11.
11.2 Transfer mechanisms. For any transfer to a country without an adequacy decision, the Parties rely on one or more of the following, as applicable:
(a) the EU Standard Contractual Clauses (Commission Decision 2021/914), Modules 2 (C→P) and/or 3 (P→P), which are incorporated by reference and completed by this DPA (Annex 1/2 provide Annex I/II information);
(b) the UK International Data Transfer Addendum or UK Addendum to the EU SCCs (as applicable), incorporated by reference and completed by this DPA;
(c) the Swiss FADP-approved approach (reading references to GDPR to include the Swiss FADP), as applicable; and
(d) where available, an adequacy decision (e.g., EU/UK-recognized adequacy frameworks) for the relevant recipient and transfer context.
11.3 Sub-processors & onward transfers. The Processor will ensure that any Sub-processor engaged for Processing involving a cross-border transfer is bound by written terms that: (i) require appropriate transfer safeguards consistent with this Section 11 (including Sub-processor-to-Sub-processor onward transfers), and (ii) flow down relevant obligations in substance under GDPR Art. 28(3)/(4).
11.4 Supplementary measures & TIAs. Where required, the Processor will implement supplementary measures (e.g., encryption in transit/at rest, access controls, logging, regional data hosting) and maintain a transfer impact assessment (or equivalent record) appropriate to the transfer.
11.5 Region pinning (where applicable). For EEA/UK/CH tenants configured to be hosted in an EEA/UK/CH region, the Processor will not intentionally relocate primary Customer Personal Data outside that region except (i) as instructed by the Company, (ii) to provide the Services via approved Sub-processors under this Section 11, or (iii) to comply with law or respond to a verified emergency/security event, in which case the Processor will notify the Company as soon as reasonably practicable.
11.6 Evolving safeguards. If a relied-upon transfer mechanism is replaced, invalidated, or superseded, the Processor may implement replacement or supplementary mechanisms to lawfully continue the transfers and will update the DPA/Annexes and Register accordingly.
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement confidential and must not use or disclose that Confidential Information without the other Party’s prior written consent, except where disclosure is required by law or the information is in the public domain.
12.2 Notices. All notices under this Agreement must be in writing and delivered personally, by post, or by email to the addresses specified above (or as updated by notice).
This Agreement is governed by the laws of the State of Queensland, Australia, excluding its conflict-of-laws rules. For clarity, any international data transfer instrument used by the Parties (e.g., the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum/UK Addendum) will be governed and interpreted in accordance with the governing-law/venue specified within those instruments (for the EU SCCs: Irish law and Irish courts; for the UK Addendum: its Mandatory Clauses).
Any dispute arising in connection with this Agreement that the Parties cannot resolve amicably will be submitted to the exclusive jurisdiction of the courts of the State of Queensland, Australia.
This Agreement forms part of the Principal Agreement (e.g., Terms of Service or Order). It is binding without signature and takes effect when the Company accepts the Principal Agreement, clicks to accept, or accesses or uses the Services. By using the Services, the Company agrees to this Data Processing Agreement. If a countersigned copy is required for the Company’s records, contact privacy@certcrowd.com.