Data Processing Agreement.
This page is the procurement-facing summary of the executable Data Processing Agreement (DPA) that binds when a paying customer subscribes to CertiFlow. It is written so a procurement officer can assess the contract surface in five minutes, then request the full executable document for legal review. The DPA satisfies the controller-processor requirements of the EU GDPR (Arts. 26–28), UK GDPR, Swiss FADP (Art. 9), and South African POPIA (s.55).
Last updated 2026-06-08
01 · Parties and relationship
You are the Controller. We are the Processor.
Customer is the Controller of any personal data processed via the Services.
Direct Consulting Solutions SA (Geneva, Switzerland) is the Processor, acting on Customer’s documented instructions.
The DPA forms part of the Order Form or Master Service Agreement under which we provide the Services. In the event of conflict between the DPA and the underlying agreement, the DPA prevails on data-protection matters.
02 · Scope, data subjects, and categories of personal data
Subject matter. The processing of personal data as required to provide the CertiFlow service to Customer.
Duration. The term of the Order Form plus the retention period in Section 09.
Data subjects. Customer’s personnel, Customer’s clients and contractual counterparties whose information may appear in evidence Customer uploads, and Customer’s compliance personnel.
Personal data categories. Names, contact details, employment information, signatures, and other personal data as may incidentally appear in evidence Customer uploads.
Special-category data. Customer should not upload special-category data (Art. 9 GDPR) unless explicitly contracted. We do not process special-category data as a routine matter.
03 · Documented instructions
We process personal data only on Customer’s documented instructions. The instructions are constituted by (a) the Principal Agreement, (b) this DPA and its Annexes, (c) the functional configuration Customer makes in the product, and (d) any further written instructions Customer provides to trust@certiflow.com. If we believe an instruction infringes applicable data protection law we will tell you.
04 · Security measures
Annex II covers the technical and organisational measures in detail.
The detailed security architecture is published at /security and forms Annex II of the executable DPA. Headline elements: zero-knowledge encryption of customer evidence, hash-chained audit log with hourly Merkle anchor to S3 Object Lock in compliance mode, no long-lived AWS credentials, multi-LLM cross-review per ADR-0012, out-of-band backup vault.
05 · Sub-processors
Customer grants us general authorisation to engage sub-processors. The complete current list is published at /legal/sub-processors and forms Annex I of the executable DPA.
We give 30 days’ advance notice of any addition, removal, or material scope change. Customer has 15 days to object on reasonable grounds. If the objection is unresolved, Customer may terminate the affected Service without penalty and we refund any prepaid fees for the unused remainder.
Every sub-processor is contractually bound to data-protection obligations no less protective than those in the DPA.
06 · International transfers
Primary data residency is the European Union (Supabase Frankfurt for application data; AWS Ireland for evidence ciphertext and the audit log). Some sub-processors (Stripe payments, AWS Bedrock for AI evidence translation, Anthropic as the model provider) may involve cross-border processing. We rely on the EU Standard Contractual Clauses (2021 Module 2), the Swiss Annex, and the UK International Data Transfer Addendum as transfer mechanisms, plus the supplementary measure of Zero-Knowledge Encryption, which means transferred ciphertext is not legible to the receiving party.
07 · Data subject rights
We provide reasonable assistance to Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). Where the request relates to data that is held under Zero-Knowledge Encryption, only Customer can actually fulfil the request because only Customer holds the decryption key. We will guide Customer through the relevant in-product tooling and provide ciphertext exports plus metadata on request.
08 · Breach notification
We notify Customer without undue delay and in any case within 48 hours of becoming aware of a personal-data breach affecting Customer’s data. The notification includes the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate. We cooperate with Customer’s own breach-notification obligations to supervisory authorities and data subjects under applicable law.
09 · Retention and deletion
We retain personal data for the term of the Principal Agreement plus 30 days post-termination for evidence ciphertext and 90 days post-termination for account data. Audit-log metadata is retained per the compliance-frame retention period applicable to Customer’s industry (typically 7 years for SOC 2 evidence, 6 years for HIPAA).
At Customer’s written request after termination, we delete or return all personal data unless retention is required by applicable law. Deletion of ciphertext from production is irreversible because we do not hold the decryption key.
10 · Audit and inspections
Customer has the right to audit our compliance with the DPA once per calendar year. We satisfy audit obligations through (a) our own SOC 2 Type I / II attestation (when available), (b) our tamper-evident audit log accessible via the in-product Auditor View, (c) responses to procurement security questionnaires, and (d) reasonable written enquiries to trust@certiflow.com. Physical site visits are available on reasonable notice for Assurance and Governance tier customers.
Annex III · Zero-Knowledge Encryption clauses
The architectural commitment, contractually bound.
The executable DPA includes a dedicated Annex III that binds Direct Consulting Solutions SA to the Zero-Knowledge Encryption design described at /security. The headline commitments:
- Customer evidence is encrypted in Customer’s browser with a key derived from a master passphrase that we never see and never store.
- We hold ciphertext only. No sub-processor in our trust path holds the decryption key.
- Any material change that would weaken this property requires Customer’s prior written consent and triggers the 30-day sub-processor change notice mechanism.
- We commit to independent cryptographic review on request from Customers at Assurance and Governance tiers, with reasonable cost-sharing arrangements.
This is the contractual back-stop to the marketing claim that we “mathematically cannot read your evidence.” Annex III is what turns the architectural choice into an enforceable promise.
Request the full executable DPA
The full DPA, including Annexes I (sub-processors), II (security measures), and III (Zero-Knowledge Encryption clauses), is available on request for legal review. We send it as a PDF/DocuSign envelope at the start of the Order Form process for Assurance and Governance tier customers. Attestation and Certification tier customers receive the same DPA at signup if they request it via trust@certiflow.com.
See also: our sub-processor list (Annex I), security architecture (Annex II preview), Privacy notice, Terms of Service.