Legal

Data Processing Agreement

Version 1.0 — Effective July 15, 2026

This DPA forms part of the CertForge Terms of Service and applies to all customers who create an account.

1 Parties and Background

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The customer organization that creates an account and uses the CertForge Service ("Customer").
  • Data Processor: CertForge, LLC, a Colorado limited liability company with its principal place of business in Parker, Colorado, USA ("CertForge").

This DPA is incorporated into and forms part of the CertForge Terms of Service. By accepting the Terms of Service and creating an account, the Customer agrees to the terms of this DPA. Acceptance is recorded electronically at the time of email verification and is legally binding.

2 Definitions

In this DPA, the following terms have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR 2016/679), the UK GDPR, the California Consumer Privacy Act (CCPA), and any successor legislation.
  • "Sub-Processor" means any third party appointed by CertForge to process Personal Data on behalf of the Customer.
  • "Service" means the CertForge certificate governance platform available at certgovernance.app and related services.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3 Subject Matter, Duration, and Nature of Processing

Subject matter: CertForge processes Personal Data on behalf of the Customer to deliver the certificate governance Service, including certificate lifecycle management, approval workflows, audit trails, compliance monitoring, and related features.

Duration: This DPA is effective from the date the Customer creates an account and remains in force until the Customer's account is permanently deleted or the Terms of Service are otherwise terminated.

Nature: Storage, retrieval, organization, structuring, use, and deletion of Personal Data in the course of providing the Service. CertForge acts solely on the documented instructions of the Customer.

Purpose: To provide, maintain, and improve the CertForge Service as described in the Terms of Service, and to fulfill CertForge's legal obligations.

4 Types of Personal Data and Categories of Data Subjects

Personal Data Processed

  • Name, email address, and company/organization name of account users
  • Authentication credentials (hashed passwords, multi-factor authentication state)
  • IP addresses and session metadata collected during use of the Service
  • Certificate request content (domain names, organizational unit fields, certificate metadata)
  • Audit log entries, approval comments, and activity records
  • Billing contact information (payment details processed directly by Stripe)

Categories of Data Subjects

  • Employees, contractors, and administrators of the Customer organization
  • Individuals whose personal data appears in certificate subject fields or approval workflows

CertForge does not process special categories of sensitive personal data (health, biometric, political, religious, or racial data) as part of the Service. Customers must not submit such data through the Service.

5 Customer Obligations (Data Controller)

The Customer, as Data Controller, agrees to:

  • Ensure a lawful basis exists for processing under applicable Data Protection Laws before submitting Personal Data to the Service.
  • Provide any necessary privacy notices to data subjects whose Personal Data is processed through the Service.
  • Only submit Personal Data that is adequate, relevant, and limited to what is necessary for the purpose of using the Service.
  • Comply with all applicable Data Protection Laws in respect of their use of the Service.
  • Ensure that all authorized users of the Customer's account are aware of and comply with this DPA and the applicable Terms of Service.

6 CertForge Obligations (Data Processor)

CertForge, as Data Processor, agrees to:

  • Process Personal Data only on the documented instructions of the Customer, except where required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures as described in Section 8.
  • Assist the Customer in fulfilling its obligations with respect to data subject rights, security, breach notification, and impact assessments, where technically feasible.
  • Delete or return all Personal Data to the Customer upon termination of the Service, and delete existing copies unless applicable law requires otherwise.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 11.
  • Promptly inform the Customer if, in CertForge's opinion, an instruction from the Customer infringes applicable Data Protection Laws.

7 Sub-Processors

CertForge engages the following sub-processors in the delivery of the Service. CertForge ensures each sub-processor is bound by data protection obligations no less protective than this DPA.

Sub-Processor Purpose Location
Akamai / Linode Cloud infrastructure and virtual private servers hosting the Service USA, EU (Frankfurt)
Cloudflare DNS, CDN, DDoS protection, TLS termination, and load balancing USA / Global
Let's Encrypt / ZeroSSL ACME-based public certificate issuance for customer domains USA
Resend Transactional email delivery (account verification, notifications, invitations) USA
Stripe Payment processing and subscription billing USA / Global
crt.sh (Sectigo) Certificate Transparency log monitoring for public certificate discovery USA

CertForge will notify Customers of any intended changes to the above sub-processor list via the status page or email at least 14 days in advance, giving Customers the opportunity to object. If a Customer objects and CertForge cannot accommodate the objection, either party may terminate the affected Services without penalty.

8 Security Measures

CertForge implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration, including:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest
  • Encrypted storage of sensitive credentials and private keys using AES-256-GCM
  • Role-based access controls with least-privilege principles for all staff and system components
  • Comprehensive audit logging of all access to and modifications of Personal Data
  • Multi-factor authentication support and enforcement options for customer accounts
  • Regular backups with encrypted storage
  • High-availability infrastructure with redundant nodes to ensure service continuity
  • Network segmentation and IP allow-listing capabilities for dashboard access

9 International Data Transfers

CertForge offers regional node deployments to help Customers meet data residency requirements:

  • EU Region (Frankfurt, Germany): Customer data is stored and processed within the European Union on servers located in Frankfurt. EU Customers should use eu.certgovernance.app to ensure their data remains within the EEA.
  • US Region: Customer data is stored and processed in the United States on servers in the Eastern USA.

Where Personal Data originating in the EEA or UK is transferred to the United States (e.g., for sub-processors listed in Section 7), such transfers are made on the basis of the EU Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914, or the UK International Data Transfer Agreement (IDTA) as applicable. CertForge is committed to self-certification under the EU-US Data Privacy Framework (DPF) when applicable.

Customers with strict data residency requirements should contact privacy@certforge.xyz to confirm the appropriate regional node for their use case.

10 Data Subject Rights

CertForge will assist the Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including the rights to access, rectification, erasure, restriction, portability, and objection.

Customers may fulfill many data subject rights directly through the Service (e.g., user account management, data export, and account deletion). For assistance with requests that cannot be self-served, contact privacy@certforge.xyz.

CertForge will forward any data subject requests received directly from individuals to the relevant Customer within 5 business days and will not respond to such requests without the Customer's instruction unless required by law.

11 Security Incident Notification

In the event of a confirmed Security Incident affecting Personal Data, CertForge will:

  • Notify the affected Customer(s) without undue delay and, where feasible, within 72 hours of becoming aware of the incident.
  • Provide available details of the nature of the incident, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
  • Cooperate fully with the Customer's investigation and regulatory reporting obligations.

Notification will be sent to the email address on file for the account administrator. Customers are responsible for ensuring this contact information is current.

12 Audit Rights and Compliance Demonstration

CertForge will make available upon written request all information reasonably necessary to demonstrate compliance with this DPA. CertForge may fulfill this obligation by providing:

  • Responses to security questionnaires and compliance documentation
  • Relevant third-party audit reports or certifications obtained by CertForge or its sub-processors
  • Access to audit logs for the Customer's own account and data via the Service

On-site audits may be permitted no more than once per calendar year and subject to reasonable advance notice (at least 30 days), confidentiality obligations, and a mutually agreed scope. The Customer bears the cost of any audit it commissions.

13 Data Retention and Deletion

CertForge will retain Personal Data for as long as the Customer's account is active and as reasonably required to provide the Service. Upon termination of the Customer's account:

  • Account data, certificate records, and user information will be deleted within 90 days of account closure.
  • Aggregated, anonymized operational data and system logs may be retained for up to 12 months for security and service improvement purposes.
  • Customers may request a data export via the Service prior to account closure.

Retention may be extended where required by applicable law (e.g., financial record-keeping obligations).

14 Governing Law and Amendments

This DPA is governed by the laws of the State of Colorado, United States, without regard to conflict of law principles, except where overriding mandatory provisions of EU or UK data protection law apply to EU/UK data subjects.

CertForge may update this DPA from time to time to reflect changes in applicable law, sub-processors, or processing activities. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. Continued use of the Service after that period constitutes acceptance of the revised DPA.

The current version of this DPA is always available at certgovernance.app/dpa. Prior versions are available upon request.

Questions about this DPA?

Contact our privacy team — we'll respond within 2 business days.

privacy@certforge.xyz