Data Protection

Learn how CertifiaWeb protects your data and ensures compliance with international data protection regulations, including GDPR, CCPA, and other privacy frameworks.

Effective Date: June 26, 2025

1. Overview

CertifiaWeb Operating Company, LLC ("CertifiaWeb", "we", "us", or "our") is committed to protecting your personal data and ensuring compliance with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other international privacy frameworks.

This Data Protection page provides detailed information about how we protect your data, your rights regarding your personal information, and our compliance with data protection regulations.

Our Commitment: We treat your data with the highest level of security and respect. Your privacy is not just a legal requirement for us—it's a fundamental principle of how we operate.

2. Our Data Protection Framework

2.1 Compliance Standards

CertifiaWeb maintains compliance with multiple international data protection standards and regulations:

  • GDPR (General Data Protection Regulation): Full compliance with EU data protection requirements
  • CCPA (California Consumer Privacy Act): Compliance with California privacy laws
  • ISO 27001: Information security management system certification
  • SOC 2 Type II: Security, availability, and confidentiality controls
  • PCI DSS: Payment card industry data security standards
  • HIPAA: Healthcare data protection standards (where applicable)

2.2 Data Protection Principles

We adhere to the following core data protection principles:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner
  • Purpose Limitation: We collect personal data only for specified, explicit, and legitimate purposes
  • Data Minimization: We collect only the personal data that is necessary for our purposes
  • Accuracy: We keep personal data accurate and up to date
  • Storage Limitation: We retain personal data only for as long as necessary
  • Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security
  • Accountability: We are responsible for demonstrating compliance with data protection principles

3. Technical and Organizational Measures

3.1 Encryption

We implement strong encryption to protect your data:

  • Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security)
  • Data at Rest: All stored data is encrypted using AES-256 encryption
  • Database Encryption: Database fields containing sensitive information are encrypted at the field level
  • Backup Encryption: All backups are encrypted before storage

3.2 Access Controls

We implement strict access controls to ensure only authorized personnel can access your data:

  • Role-Based Access Control (RBAC): Access is granted based on job function and necessity
  • Multi-Factor Authentication (MFA): All administrative access requires MFA
  • Principle of Least Privilege: Users are granted only the minimum access necessary
  • Regular Access Reviews: We regularly review and audit access permissions
  • Access Logging: All access to personal data is logged and monitored

3.3 Network Security

  • Firewalls and intrusion detection systems
  • DDoS protection and mitigation
  • Network segmentation and isolation
  • Regular security assessments and penetration testing
  • 24/7 security monitoring and incident response

3.4 Infrastructure Security

  • Secure data centers with physical security controls
  • Redundant systems and disaster recovery plans
  • Regular security updates and patch management
  • Vulnerability scanning and remediation
  • Security awareness training for all employees

4. Data Processing Activities

4.1 Categories of Personal Data

We process the following categories of personal data:

  Category         | Examples                                        | Purpose
  -----------------|-------------------------------------------------|------------------------------------------------
  Identity Data    | Name, email address, username                   | Account creation, authentication, communication
  Contact Data     | Email, phone number, mailing address            | Service delivery, support, billing
  Financial Data   | Payment card information, billing history       | Payment processing, invoicing
  Technical Data   | IP address, browser type, device information    | Service functionality, security, analytics
  Usage Data       | Pages visited, features used, session duration  | Service improvement, analytics
  Compliance Data  | Certification documents, audit reports          | Compliance services, reporting

4.2 Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data based on the following legal grounds:

  • Consent: When you have given clear consent for specific processing activities
  • Contract Performance: To perform our contract with you or take steps before entering into a contract
  • Legal Obligation: To comply with legal obligations we are subject to
  • Legitimate Interests: For our legitimate business interests, such as improving services, security, and fraud prevention
  • Vital Interests: To protect your vital interests or those of another person
  • Public Task: To perform a task in the public interest (where applicable)

5. Your Data Protection Rights

5.1 Right of Access

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data and receive information about:

  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom the data has been or will be disclosed
  • The retention period or criteria for determining the retention period
  • Your rights regarding the data

5.2 Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete personal data completed. You can update most of your information directly through your account settings.

5.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

5.4 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.

5.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.

5.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

5.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.

5.8 How to Exercise Your Rights

To exercise any of your data protection rights, please:

  • Contact us at privacy@certifiaweb.com
  • Use our support system to submit a request
  • Update your information directly in your account settings (where available)

We will respond to your request within one month, though we may extend this period in complex cases. We may need to verify your identity before processing your request.

6. Data Sharing and Third Parties

6.1 Service Providers

We may share your data with trusted third-party service providers who assist us in operating our Service. These providers are contractually obligated to:

  • Process data only as instructed by CertifiaWeb
  • Implement appropriate security measures
  • Comply with applicable data protection laws
  • Not use the data for any other purpose

6.2 Categories of Service Providers

  • Cloud Infrastructure: Secure hosting and data storage providers
  • Payment Processors: Secure payment processing services
  • Analytics Providers: Service usage analytics (with appropriate safeguards)
  • Communication Services: Email and messaging services
  • Security Services: Security monitoring and threat detection

6.3 International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by relevant data protection authorities
  • Binding Corporate Rules (where applicable)
  • Other appropriate safeguards as required by law

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Our retention periods are based on:

  • The nature and sensitivity of the data
  • The purposes for which we collected the data
  • Legal and regulatory requirements
  • Statutes of limitations for potential legal claims
  • Business and operational needs

When personal data is no longer needed, we securely delete or anonymize it in accordance with our data retention policies.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours (where required by law)
  • Notify affected individuals without undue delay
  • Provide clear information about the nature of the breach
  • Explain the likely consequences of the breach
  • Describe the measures we are taking to address the breach
  • Provide advice on steps you can take to protect yourself

Our Commitment: We have comprehensive incident response procedures in place to detect, respond to, and mitigate data breaches. We conduct regular security assessments and maintain 24/7 security monitoring.

9. Data Protection Officer (DPO)

CertifiaWeb has appointed a Data Protection Officer (DPO) to oversee our data protection activities and ensure compliance with applicable data protection laws.

You can contact our DPO at:

Data Protection Officer
CertifiaWeb Operating Company, LLC
455 Market Street, Suite 1250
San Francisco, CA 94105
United States
Phone: +1 (415) 555-0198
Email: dpo@certifiaweb.com

The DPO is responsible for:

  • Monitoring compliance with data protection laws
  • Providing advice on data protection impact assessments
  • Cooperating with supervisory authorities
  • Serving as a point of contact for data protection inquiries

10. Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable data protection laws.

You can find contact information for your local supervisory authority at:

However, we encourage you to contact us first at privacy@certifiaweb.com so we can try to resolve any concerns you may have.

11. Children's Data

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information immediately.

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at privacy@certifiaweb.com.

12. Updates to This Policy

We may update this Data Protection page from time to time to reflect changes in our practices, legal requirements, or other factors. We will notify you of any material changes by:

  • Updating the "Effective Date" at the top of this page
  • Posting a notice on our Service
  • Sending you an email notification (for significant changes)

We encourage you to review this page periodically to stay informed about how we protect your data.

13. Contact Us

If you have any questions, concerns, or requests regarding data protection, please contact us:

CertifiaWeb Operating Company, LLC
Privacy & Data Protection Team
455 Market Street, Suite 1250
San Francisco, CA 94105
United States
Phone: +1 (415) 555-0198
Email: privacy@certifiaweb.com
Data Protection Officer: dpo@certifiaweb.com

For more information about our privacy practices, please also review our Privacy Policy and Terms of Use.

14. Acknowledgment

By using CertifiaWeb's services, you acknowledge that you have read and understood this Data Protection page and agree to our data protection practices as described herein.

Your Privacy Matters: We are committed to protecting your data and respecting your privacy rights. If you have any concerns or questions, please don't hesitate to contact us.