Legal & Policies

Data Processing Agreement

Version 1.0 · Profectify LLC (Certiva)

This is a template prepared for Certiva and is not legal advice. It will be reviewed by qualified counsel in each operating jurisdiction before it takes effect.

1. Roles

This DPA supplements the Accreditation Services Agreement / Certification T&Cs. Where Certiva processes personal data of students on a school’s behalf, the School is the Controller and Certiva is the Processor.

2. Scope of processing

ItemDetail
Subject matterDelivery of certification, curriculum, and accreditation services
DurationFor the term of the underlying agreement
Nature & purposeHosting learning, assessment, badging, reporting
Data subjectsStudents, staff (as applicable)
Data typesNames, contact, learning/assessment data; no special-category data unless agreed

3. Processor obligations

  • Process personal data only on the Controller’s documented instructions.
  • Ensure confidentiality of personnel and appropriate security measures.
  • Assist with data-subject requests and with the Controller’s compliance duties.
  • Notify the Controller without undue delay of a personal-data breach.
  • Delete or return personal data at the end of the services, subject to legal retention.

4. Sub-processors

Certiva may engage vetted sub-processors under written terms no less protective than this DPA, and maintains a current sub-processor list available on request. The Controller may object to changes.

5. International transfers

Transfers outside the EEA/UK rely on adequacy or appropriate safeguards (e.g., SCCs). Certiva’s default is EU-based storage.

6. Audit & return

Certiva makes available information to demonstrate compliance and allows for audits per agreed, reasonable terms.


Questions about this document? Contact [email protected].