Legal & Policies
Data Processing Agreement
Version 1.0 · Profectify LLC (Certiva)
1. Roles
This DPA supplements the Accreditation Services Agreement / Certification T&Cs. Where Certiva processes personal data of students on a school’s behalf, the School is the Controller and Certiva is the Processor.
2. Scope of processing
| Item | Detail |
|---|---|
| Subject matter | Delivery of certification, curriculum, and accreditation services |
| Duration | For the term of the underlying agreement |
| Nature & purpose | Hosting learning, assessment, badging, reporting |
| Data subjects | Students, staff (as applicable) |
| Data types | Names, contact, learning/assessment data; no special-category data unless agreed |
3. Processor obligations
- Process personal data only on the Controller’s documented instructions.
- Ensure confidentiality of personnel and appropriate security measures.
- Assist with data-subject requests and with the Controller’s compliance duties.
- Notify the Controller without undue delay of a personal-data breach.
- Delete or return personal data at the end of the services, subject to legal retention.
4. Sub-processors
Certiva may engage vetted sub-processors under written terms no less protective than this DPA, and maintains a current sub-processor list available on request. The Controller may object to changes.
5. International transfers
Transfers outside the EEA/UK rely on adequacy or appropriate safeguards (e.g., SCCs). Certiva’s default is EU-based storage.
6. Audit & return
Certiva makes available information to demonstrate compliance and allows for audits per agreed, reasonable terms.
Questions about this document? Contact [email protected].