Version 1.0 — Effective July 15, 2026
This DPA forms part of the CertForge Terms of Service and applies to all customers who create an account.
This Data Processing Agreement ("DPA") is entered into between:
This DPA is incorporated into and forms part of the CertForge Terms of Service. By accepting the Terms of Service and creating an account, the Customer agrees to the terms of this DPA. Acceptance is recorded electronically at the time of email verification and is legally binding.
In this DPA, the following terms have the meanings set out below:
Subject matter: CertForge processes Personal Data on behalf of the Customer to deliver the certificate governance Service, including certificate lifecycle management, approval workflows, audit trails, compliance monitoring, and related features.
Duration: This DPA is effective from the date the Customer creates an account and remains in force until the Customer's account is permanently deleted or the Terms of Service are otherwise terminated.
Nature: Storage, retrieval, organization, structuring, use, and deletion of Personal Data in the course of providing the Service. CertForge acts solely on the documented instructions of the Customer.
Purpose: To provide, maintain, and improve the CertForge Service as described in the Terms of Service, and to fulfill CertForge's legal obligations.
CertForge does not process special categories of sensitive personal data (health, biometric, political, religious, or racial data) as part of the Service. Customers must not submit such data through the Service.
The Customer, as Data Controller, agrees to:
CertForge, as Data Processor, agrees to:
CertForge engages the following sub-processors in the delivery of the Service. CertForge ensures each sub-processor is bound by data protection obligations no less protective than this DPA.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Akamai / Linode | Cloud infrastructure and virtual private servers hosting the Service | USA, EU (Frankfurt) |
| Cloudflare | DNS, CDN, DDoS protection, TLS termination, and load balancing | USA / Global |
| Let's Encrypt / ZeroSSL | ACME-based public certificate issuance for customer domains | USA |
| Resend | Transactional email delivery (account verification, notifications, invitations) | USA |
| Stripe | Payment processing and subscription billing | USA / Global |
| crt.sh (Sectigo) | Certificate Transparency log monitoring for public certificate discovery | USA |
CertForge will notify Customers of any intended changes to the above sub-processor list via the status page or email at least 14 days in advance, giving Customers the opportunity to object. If a Customer objects and CertForge cannot accommodate the objection, either party may terminate the affected Services without penalty.
CertForge implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration, including:
CertForge offers regional node deployments to help Customers meet data residency requirements:
Where Personal Data originating in the EEA or UK is transferred to the United States (e.g., for sub-processors listed in Section 7), such transfers are made on the basis of the EU Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914, or the UK International Data Transfer Agreement (IDTA) as applicable. CertForge is committed to self-certification under the EU-US Data Privacy Framework (DPF) when applicable.
Customers with strict data residency requirements should contact privacy@certforge.xyz to confirm the appropriate regional node for their use case.
CertForge will assist the Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including the rights to access, rectification, erasure, restriction, portability, and objection.
Customers may fulfill many data subject rights directly through the Service (e.g., user account management, data export, and account deletion). For assistance with requests that cannot be self-served, contact privacy@certforge.xyz.
CertForge will forward any data subject requests received directly from individuals to the relevant Customer within 5 business days and will not respond to such requests without the Customer's instruction unless required by law.
In the event of a confirmed Security Incident affecting Personal Data, CertForge will:
Notification will be sent to the email address on file for the account administrator. Customers are responsible for ensuring this contact information is current.
CertForge will make available upon written request all information reasonably necessary to demonstrate compliance with this DPA. CertForge may fulfill this obligation by providing:
On-site audits may be permitted no more than once per calendar year and subject to reasonable advance notice (at least 30 days), confidentiality obligations, and a mutually agreed scope. The Customer bears the cost of any audit it commissions.
CertForge will retain Personal Data for as long as the Customer's account is active and as reasonably required to provide the Service. Upon termination of the Customer's account:
Retention may be extended where required by applicable law (e.g., financial record-keeping obligations).
This DPA is governed by the laws of the State of Colorado, United States, without regard to conflict of law principles, except where overriding mandatory provisions of EU or UK data protection law apply to EU/UK data subjects.
CertForge may update this DPA from time to time to reflect changes in applicable law, sub-processors, or processing activities. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. Continued use of the Service after that period constitutes acceptance of the revised DPA.
The current version of this DPA is always available at certgovernance.app/dpa. Prior versions are available upon request.
Contact our privacy team — we'll respond within 2 business days.