Summary: This Data Processing Agreement sets out the terms on which Certiva ApS processes personal data on your behalf as a customer, pursuant to Art. 28 GDPR. It is our standard terms and can be signed as a standalone addendum to your subscription agreement. Need adjustments? Write to mail@certcontrol.pro.

1. The parties

This Data Processing Agreement (the "Agreement") is entered into between:

  • The Customer — the legal entity subscribing to CertControl, acting as the data controller ("the Controller").
  • Certiva ApS, company reg. (CVR) 46450965, Nøddehaven 1, 3500 Værløse, Denmark — provider of CertControl and data processor ("the Processor", "we", "us").

The Agreement is ancillary to the subscription agreement between the parties for the use of CertControl (the "Main Agreement") and governs the Processor's processing of personal data on behalf of the Controller. In the event of conflict between the Agreement and the Main Agreement regarding the processing of personal data, the Agreement prevails.

2. Definitions

The terms "personal data", "processing", "controller", "processor", "sub-processor", "data subject" and "personal data breach" have the meaning given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR"). "Data Protection Law" means the GDPR and the Danish Data Protection Act and associated rules.

3. Subject matter, duration, nature and purpose

  • Subject matter: Processing of personal data in connection with the provision of CertControl — software for discovery, monitoring and lifecycle management of TLS/SSL certificates, plus attack surface analysis and compliance documentation.
  • Duration: Processing continues for as long as the Main Agreement is in force, and until data is deleted or returned under section 11.
  • Nature and purpose: Collection, recording, storage, organisation, display, analysis and deletion of the data listed in Appendix A, solely for the purpose of providing and operating the service for the Controller.

The specific categories of data subjects and personal data are set out in Appendix A.

4. The Controller's instructions

The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do otherwise by EU or Danish law. The Main Agreement, this Agreement and the Controller's use of the service's features constitute the complete documented instructions. If, in the Processor's assessment, an instruction infringes Data Protection Law, the Processor shall inform the Controller.

5. Confidentiality

The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to customer data is limited to staff with a work-related need.

6. Security of processing (Art. 32)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The specific measures are set out in Appendix C and include, among others:

  • Per-customer isolation — each customer runs in a dedicated instance with a separate database and separate network. No multi-tenant database is shared across customers.
  • Encryption in transit via TLS (HTTPS) with HSTS, and encryption at rest of private keys with AES-256-GCM.
  • Access control — authenticated sessions, bcrypt-hashed passwords, brute-force lockout, CSRF protection, scoped API tokens and optional two-factor authentication (TOTP).
  • Audit log per instance of administrative actions, plus daily backups per customer instance, retained in the EU.
  • Data minimisation and redaction — internal hostnames are masked to [masked] before any data leaves the customer's network via the on-premise agent.

7. Sub-processors (Art. 28(2) and (4))

The Controller hereby grants the Processor a general prior authorisation to engage sub-processors for the provision of the service. The current sub-processors are listed in Appendix B.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors with reasonable notice, giving the Controller the opportunity to object before the change takes effect. The Processor imposes on each sub-processor the same data protection obligations as those set out in this Agreement and remains fully liable to the Controller for the sub-processor's performance thereof.

8. Assistance to the Controller

Taking into account the nature of the processing and insofar as possible, the Processor assists the Controller with:

  • fulfilling requests from data subjects exercising their rights (access, rectification, erasure, restriction, data portability and objection). The Controller can at any time export and delete data directly in its instance on a self-service basis;
  • complying with the obligations under Art. 32-36 GDPR (security of processing, breach notification, impact assessments and prior consultation), taking into account the information available to the Processor.

9. Personal data breach (Art. 33(2))

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. The notification shall contain the information reasonably available, so that the Controller can meet its own notification obligation (if any) to the supervisory authority (per Art. 33(1)) within 72 hours.

10. Transfers to third countries

The personal data is hosted and processed within the EU/EEA. Data is not transferred to countries outside the EU/EEA as part of normal operations. Should a transfer exceptionally become necessary, it will only take place on the Controller's instructions and on a valid transfer basis under Chapter V GDPR (e.g. the European Commission's Standard Contractual Clauses, SCCs).

11. Deletion or return on termination

The Controller may at any time and on a self-service basis export its data from the service (certificate inventory, reports and other data) directly from its instance. On termination of the Main Agreement, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless EU or Danish law requires continued storage. Backups expire after the defined retention period.

12. Audits and inspections (Art. 28(3)(h))

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits are given with reasonable notice, carried out during normal business hours and must not unduly disrupt the Processor's operations. The Processor may satisfy part of this obligation by providing documentation of its security measures and answering security questionnaires.

13. Liability, term and governing law

The parties' liability is governed by the Main Agreement. The Agreement applies for as long as the Processor processes personal data on behalf of the Controller. The Agreement is governed by Danish law, and any dispute shall be settled by the Danish courts, per the venue clause of the Main Agreement.

Appendix A — Details of the processing

Categories of data subjects: The Controller's users/employees (account holders) and any individuals whose data may appear in certificate or domain data.

Categories of personal data:

  • Account data: name, email address, company affiliation and password (bcrypt-hashed).
  • Technical data: certificate metadata, domains and hostnames (internal ones masked), TLS configuration, scan results.
  • Usage and log data: IP addresses, session identifiers and an audit log of actions in the service.

Special categories (sensitive data): Not processed. The service is not intended for processing special categories of personal data under Art. 9 GDPR.

Appendix B — Sub-processors

Sub-processor Purpose Location
Hostinger International Ltd. Hosting and infrastructure (VPS) Frankfurt, Germany (EU)

Transactional email and PDF generation run on the Processor's own self-hosted infrastructure within the same EU environment and involve no additional third parties. The list is maintained; changes are notified under section 7.

Appendix C — Technical and organisational measures

  • EU hosting: data is hosted with an EU-based provider in a data centre in Frankfurt. Data does not leave the EU during normal operations.
  • Per-customer isolation: dedicated instance with a separate database and network; no shared resources across customers.
  • Encryption: TLS/HTTPS in transit with HSTS; private keys encrypted at rest with AES-256-GCM.
  • Access control: authenticated sessions, bcrypt-hashed passwords, brute-force lockout, CSRF protection, Content-Security-Policy, scoped API tokens and optional TOTP two-factor.
  • Logging and resilience: per-instance audit log and daily backups per customer instance, retained in the EU.
  • Data minimisation: redaction of internal hostnames; the on-premise agent communicates exclusively outbound over HTTPS with no inbound ports or remote execution.

Contact

For questions about this Data Processing Agreement or to have it drawn up for signature:
Certiva ApS (CVR: 46450965)
Nøddehaven 1, 3500 Værløse, Denmark
Phone: +45 25 68 14 03
Email: mail@certcontrol.pro
Web: certcontrol.pro/contact