General Data Protection Regulation (GDPR) Policy

For Enterprise Customers

Document Version: 3.0 (Enterprise Edition)  |  Effective Date: July 1, 2026  |  Replaces: Version 2.1 (April 16, 2026)
Issued by: Tech99 Innovations Private Limited (operating as CertifyMe)  |  Classification: Enterprise Customer Distribution
Document Purpose
This policy governs how CertifyMe processes personal data in connection with Enterprise customer relationships and the data subjects whose records those customers manage through the CertifyMe platform. It sets out CertifyMe's obligations under Regulation (EU) 2016/679 (GDPR), applicable national implementation legislation, and the UK GDPR where relevant. This document is intended for distribution to Enterprise customers, their procurement, legal, and compliance teams, and any auditors acting on their behalf.

1. Introduction

Tech99 Innovations Private Limited, operating as CertifyMe ("CertifyMe", "we", "our", "us"), is committed to the lawful, fair, and transparent processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") and all applicable national implementing legislation.

CertifyMe provides digital credentialing, identity verification, credential management, transcript management, digital wallet, and related Software-as-a-Service ("SaaS") solutions to Enterprise customers globally. Personal data processed through these services is handled with the protections described in this policy, and in accordance with any applicable Data Processing Agreement ("DPA") executed between CertifyMe and the Enterprise customer.

This document constitutes CertifyMe's formal GDPR Policy for Enterprise Customers. Where an Enterprise customer has executed a DPA with CertifyMe, the DPA governs in the event of any conflict with this policy on matters of contractual obligation.

2. Company Information

FieldDetail
Legal Entity NameTech99 Innovations Private Limited
Trade NameCertifyMe
Corporate Identification NumberU72900KA2021PTC152542
Registered Office3rd Floor, Akshay Tech Park, Plot No. 72–73, EPIP Zone, Whitefield, Bengaluru, Karnataka 560066, India
General Privacy Contactprivacy@certifyme.online
GDPR-Specific Requestsgdpr@certifyme.online
Enterprise DPA Requestsenterprise@certifyme.online
Security Incidentssecurity@certifyme.online

3. Scope and Application

This policy applies exclusively to CertifyMe's Enterprise customer tier and to all personal data processed by CertifyMe on behalf of, or in connection with, such customers. It covers:

  • Enterprise customer organizations, their authorized administrators, platform users, and integration systems;
  • Credential recipients — individuals whose records are issued, stored, managed, or verified by an Enterprise customer through the CertifyMe platform;
  • Verifiers — third parties accessing credentials shared by an Enterprise customer or its recipients;
  • Personnel of Enterprise customers whose contact information is processed in connection with account management, support, or billing.

This policy does not extend to non-Enterprise service tiers, standalone end-user accounts, or public-facing services not governed by an Enterprise customer agreement. Those arrangements are addressed in CertifyMe's general Privacy Policy.

Where CertifyMe's Enterprise services are used to process data of EU/EEA or UK data subjects, the GDPR (and UK GDPR, as applicable) applies regardless of the Enterprise customer's geographic location.

4. Roles Under GDPR

GDPR assigns distinct obligations depending on whether an entity determines the purposes and means of processing (Data Controller) or processes data solely on behalf of another (Data Processor). CertifyMe operates in both capacities in connection with Enterprise customers, as summarized below.

Role Context CertifyMe's Obligations
Data Processor Primary Processing credential, recipient, and related data submitted to the platform by the Enterprise customer Process only on documented instructions of the Enterprise customer; implement appropriate TOMs; maintain confidentiality; assist with data subject requests; notify of breaches; engage subprocessors only with customer authorization; delete or return data upon contract termination
Data Controller Account registration, billing, contract management, support communications, platform security logs, and marketing where consent has been obtained Establish and document lawful basis; implement data subject rights mechanisms; maintain records under Article 30; ensure transparency; appoint a privacy contact; notify supervisory authority of qualifying breaches

Where the Enterprise customer acts as Data Controller and CertifyMe acts as Data Processor, CertifyMe will not determine the purposes of processing, will not use recipient data for any purpose other than performing the contracted service, and will not sell, license, or otherwise transfer personal data to any third party for that third party's independent purposes.

5. Categories of Personal Data

Depending on the Enterprise customer's configuration and the services deployed, CertifyMe may process the following categories of personal data:

CategoryData Elements
Account and Administrator Data Full name; work email address; organization name; job title; telephone number; account login credentials (hashed); activity logs
Credential Recipient Data Full name; email address; credential type, title, and description; issue date; expiry date; achievement criteria; competencies or skills metadata; transcript records; academic history; institutional identifiers; profile image (if submitted by the issuing institution)
Technical and Platform Data IP address; browser type and version; device type and operating system; session identifiers; authentication tokens; audit log entries; API access records; login timestamps
Support and Communications Data Support ticket content; email correspondence; attachments voluntarily submitted; chat transcripts
Billing and Commercial Data Billing contact name and email; invoice address; payment transaction references (no full card data is stored by CertifyMe)
Special Categories of Data: CertifyMe's platform is not designed or intended for processing special categories of personal data as defined in GDPR Article 9 (including health data, biometric data for identification purposes, racial or ethnic origin, or political opinions). Enterprise customers must not submit special category data unless a specific written arrangement with CertifyMe has been established in advance.

6. Lawful Basis for Processing

Lawful BasisApplication
Performance of a Contract (Article 6(1)(b)) Processing necessary to deliver credential issuance, verification, account management, and related services under the Enterprise customer agreement
Legal Obligation (Article 6(1)(c)) Processing required to comply with applicable laws, including tax, audit, regulatory, and court-ordered disclosure requirements
Legitimate Interests (Article 6(1)(f)) Platform security, fraud and abuse prevention, infrastructure monitoring, service improvement, and business continuity — where these interests are not overridden by data subjects' rights
Consent (Article 6(1)(a)) Marketing communications to platform contacts who have opted in; non-essential cookies on the website. Consent may be withdrawn at any time without affecting prior processing.

Where CertifyMe acts as Data Processor, it processes data solely under the instructions of the Enterprise customer (who, as Controller, is responsible for establishing and documenting the lawful basis applicable to recipient and end-user data).

7. Purpose of Processing

CertifyMe processes personal data to support the following purposes in connection with Enterprise customer services:

  • Issuing, delivering, and revoking digital credentials on behalf of Enterprise customers
  • Enabling credential verification by authorized recipients, employers, and institutions
  • Authenticating platform users and administrators
  • Managing Enterprise customer accounts and subscriptions
  • Providing technical support and incident resolution
  • Preventing and investigating fraud, unauthorized access, and misuse of the platform
  • Maintaining platform security, audit logs, and availability
  • Generating anonymized or aggregated analytics for platform performance improvement
  • Complying with applicable legal and regulatory obligations
  • Communicating with Enterprise customer contacts regarding service updates, security advisories, and contractual matters

CertifyMe does not sell, license, or otherwise transfer personal data to third parties for advertising, profiling, or any commercial purpose unrelated to the provision of services to the Enterprise customer.

8. Privacy by Design and Default

CertifyMe implements Privacy by Design and Privacy by Default principles in accordance with GDPR Article 25.

Privacy by Design

Data protection considerations are embedded in the design of new features, platform components, and processing operations from the outset — not applied retrospectively. This includes:

  • Architecture reviews incorporating data minimization, purpose limitation, and access control requirements before development commences
  • Privacy impact review as a standard checkpoint in the software development lifecycle
  • Pseudonymization and encryption as default controls where technically and operationally appropriate
  • Separation of duties between engineering, operations, and data access functions

Privacy by Default

CertifyMe's default platform configuration processes only the personal data necessary for each specific service function. This means:

  • Only data fields required for credential issuance and verification are collected by default; additional fields require explicit Enterprise customer configuration
  • Credential recipient data is not used for any purpose beyond service delivery without explicit instruction from the Enterprise customer
  • Data sharing with third parties is disabled by default; any integrations require explicit activation by the Enterprise customer administrator
  • Retention periods are set conservatively by default and may be shortened at the Enterprise customer's instruction

9. Data Protection Impact Assessments (DPIA)

Where a new processing activity or significant change to an existing activity is likely to result in a high risk to the rights and freedoms of natural persons — including processing at scale, systematic monitoring, or processing of special categories of data — CertifyMe conducts a Data Protection Impact Assessment in accordance with GDPR Article 35.

CertifyMe's DPIA process covers:

  • Systematic description of the proposed processing operations and their purposes
  • Assessment of necessity and proportionality of the processing
  • Assessment of risks to the rights and freedoms of data subjects
  • Identification of measures to address those risks, including safeguards, security measures, and mechanisms to demonstrate GDPR compliance

Enterprise customers may be required to conduct their own DPIAs when using CertifyMe to process data in ways that may present high risk to data subjects. CertifyMe will provide reasonable cooperation and documentation to support an Enterprise customer's DPIA where requested, subject to confidentiality obligations.

DPIAs are reviewed when material changes are made to the processing scope, technology stack, or applicable regulatory environment. DPIA documentation is retained internally and made available to supervisory authorities upon request.

10. Records of Processing Activities (ROPA)

CertifyMe maintains records of its processing activities in accordance with GDPR Article 30. These records are maintained separately for CertifyMe's activities as Controller and as Processor.

Records maintained as Controller include: the name and contact details of CertifyMe and its privacy contact; the purposes of processing; categories of data subjects and data; categories of recipients; details of international transfers and safeguards; retention periods; and a description of technical and organizational security measures.

Records maintained as Processor include: the name and contact details of CertifyMe and of each Enterprise customer on whose behalf processing is performed; categories of processing carried out on behalf of each customer; details of international transfers; and a description of security measures.

Enterprise customers may request a summary of CertifyMe's ROPA entries relevant to their processing relationship by contacting gdpr@certifyme.online. Full ROPA documentation is made available to competent supervisory authorities upon request.

11. Data Security and Technical and Organizational Measures

CertifyMe maintains a comprehensive set of Technical and Organizational Measures (TOMs) designed to protect personal data processed on behalf of Enterprise customers against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access — in accordance with GDPR Article 32.

Security measures implemented include, where applicable:

Control AreaMeasures Implemented
Encryption Encryption of data in transit using TLS 1.2 or higher; encryption of stored data at rest using AES-256 or equivalent; credential payloads cryptographically signed using asymmetric key pairs
Access Control Role-Based Access Control (RBAC); least-privilege access principles; Multi-Factor Authentication (MFA) required for all privileged and administrative accounts; periodic access reviews
Audit and Logging Comprehensive audit logging of platform access, data operations, and administrative actions; log integrity protection; log retention in accordance with contractual and legal requirements
Software Security Secure Software Development Lifecycle (SSDLC); static and dynamic application security testing; third-party dependency scanning; code review requirements prior to production deployment
Infrastructure Infrastructure hosted with enterprise-grade cloud providers maintaining SOC 2 Type II and ISO 27001 certifications; network segmentation; intrusion detection; DDoS mitigation
Vulnerability Management Regular vulnerability assessments; penetration testing by qualified third parties; vulnerability disclosure program; timely patching in accordance with risk severity
Business Continuity Backup and disaster recovery procedures; recovery time and recovery point objectives defined and tested; incident response plan maintained and exercised
Physical Security Data processed in facilities with physical access controls, CCTV, and environmental controls; CertifyMe does not operate its own data centres — infrastructure providers maintain physical security controls

Enterprise customers may request a copy of CertifyMe's current TOM documentation by contacting security@certifyme.online. CertifyMe's security posture is subject to third-party audit; current audit reports are available under NDA to Enterprise customers upon request.

CertifyMe holds SOC 2 Type II audit documentation and ISO 27001 certification. Enterprise customers requiring copies of these documents for procurement or regulatory purposes should contact their CertifyMe account manager.

12. International Data Transfers

CertifyMe is headquartered in India and processes Enterprise customer data using cloud infrastructure that may be located in the European Economic Area (EEA), United States, or other jurisdictions. Where personal data of EEA or UK data subjects is transferred outside the EEA or UK, CertifyMe implements appropriate transfer safeguards in accordance with GDPR Chapter V.

Transfer MechanismApplication
Standard Contractual Clauses (SCCs) EU Commission Implementing Decision 2021/914 of 4 June 2021 (Module 2: Controller-to-Processor; Module 3: Processor-to-Processor as applicable). SCCs are incorporated by reference into CertifyMe's standard Enterprise DPA and available for review upon request.
UK International Data Transfer Agreement (IDTA) Applied for transfers from the UK to CertifyMe's processing locations where required under UK GDPR, incorporating the ICO's standard IDTA template.
Adequacy Decisions Where the European Commission has adopted an adequacy decision in respect of the destination country, CertifyMe relies on that decision as the transfer mechanism.
Customer-Approved Mechanisms Where an Enterprise customer requires a specific transfer mechanism not listed above, CertifyMe will work in good faith to accommodate that requirement subject to legal and operational feasibility.

Enterprise customers with data residency requirements — including requirements to restrict processing to EEA data centres — should raise this with their CertifyMe account manager at the time of contract negotiation. CertifyMe can accommodate data residency configurations for qualifying Enterprise arrangements subject to commercial agreement.

CertifyMe conducts Transfer Impact Assessments (TIAs) where required by applicable guidance to support the use of SCCs for transfers to third countries.

13. Data Retention

Personal data processed by CertifyMe as Data Processor on behalf of Enterprise customers is retained only for as long as necessary to fulfil the purposes described in this policy, in accordance with the applicable Enterprise customer agreement, and as required by law.

Data CategoryStandard Retention PeriodNotes
Credential recipient data Duration of Enterprise customer's active subscription, plus 90 days post-termination Extended retention available by agreement; Customer may configure shorter periods or request earlier deletion
Account and administrator data Duration of active subscription, plus 12 months post-termination Required for billing reconciliation, audit, and dispute resolution
Audit logs and security logs Minimum 12 months; up to 7 years where required by applicable legal or regulatory obligations May be subject to longer retention for forensic investigation or regulatory compliance
Support and communication records 36 months from closure of ticket or last communication Retained for dispute resolution and service quality purposes
Billing and financial records 7 years from transaction date Required by financial record-keeping obligations

Upon termination or expiry of an Enterprise customer's agreement, CertifyMe will, at the customer's election and subject to applicable law, either securely delete or return to the customer all personal data processed on its behalf within the timeframe specified in the DPA. A written confirmation of deletion will be provided upon request.

Enterprise customers may request early deletion of specific data categories at any time by submitting a written request to gdpr@certifyme.online, subject to CertifyMe's legal retention obligations.

14. Subprocessors and Third-Party Risk Management

CertifyMe engages a limited number of trusted subprocessors to support the delivery of Enterprise services, including infrastructure hosting, content delivery, email delivery, customer support tooling, security monitoring, and analytics infrastructure. All subprocessors are subject to the following requirements:

  • Written data processing agreements incorporating obligations equivalent to those in CertifyMe's own DPA, in compliance with GDPR Article 28(4)
  • Due diligence assessment prior to onboarding, covering data protection, information security, and applicable certifications
  • Ongoing compliance monitoring and periodic review
  • Contractual requirements to notify CertifyMe of any personal data breach affecting Enterprise customer data
  • Obligations to process data only on CertifyMe's instructions and only for the purposes of providing the contracted subprocessor service

Notification of Subprocessor Changes

CertifyMe maintains a current list of approved subprocessors. Enterprise customers are entitled to receive this list upon request by contacting privacy@certifyme.online.

Where CertifyMe proposes to add a new subprocessor that will have access to personal data processed on behalf of Enterprise customers, CertifyMe will provide reasonable advance notice (typically 30 days) where required under the applicable DPA. Enterprise customers with objections to a new subprocessor may raise those objections in accordance with the procedure set out in the DPA. If the parties cannot reach agreement and the new subprocessor is operationally necessary, either party may terminate the affected services in accordance with the contractual termination provisions without penalty.

Third-Party Risk Management

CertifyMe's third-party risk management program applies to all vendors with access to or that process Enterprise customer personal data. This program includes:

  • Pre-engagement security and data protection assessment
  • Contractual data protection requirements as a condition of engagement
  • Annual review of critical subprocessors' compliance posture
  • Right to audit provisions in subprocessor contracts

15. Data Subject Rights

Where GDPR applies, individuals whose personal data is processed in connection with an Enterprise customer relationship may exercise the following rights under Chapter III of the GDPR.

RightDescriptionResponse Timeline
Right of Access (Article 15) Request confirmation of whether personal data is being processed and receive a copy of that data Within 30 days; extendable by 60 days for complex or numerous requests
Right to Rectification (Article 16) Request correction of inaccurate or incomplete personal data Within 30 days
Right to Erasure (Article 17) Request deletion of personal data where there is no overriding legal basis to retain it Within 30 days; subject to legal retention obligations
Right to Restriction (Article 18) Request that processing be limited in specified circumstances Within 30 days
Right to Data Portability (Article 20) Receive personal data in a structured, commonly used, machine-readable format; right to transmit to another controller Within 30 days
Right to Object (Article 21) Object to processing based on legitimate interests or for direct marketing purposes Within 30 days; direct marketing objections actioned immediately
Right to Withdraw Consent (Article 7(3)) Withdraw consent at any time where processing is consent-based; withdrawal does not affect prior lawful processing Actioned promptly; within 10 business days
Rights re: Automated Decision-Making (Article 22) CertifyMe does not make solely automated decisions producing legal or similarly significant effects in connection with Enterprise services N/A

How to Submit a Data Subject Request

Data subjects may submit GDPR requests by emailing gdpr@certifyme.online with the subject line "Data Subject Request – [Right Being Exercised]". CertifyMe will acknowledge receipt within 3 business days.

Where CertifyMe acts as Data Processor in connection with an Enterprise customer, requests received directly from data subjects will be forwarded to the relevant Enterprise customer acting as Data Controller, unless legally prohibited. The Enterprise customer, as Data Controller, is responsible for responding to the data subject.

CertifyMe will provide reasonable technical assistance to Enterprise customers in facilitating data subject request responses, including data extraction, anonymization, and deletion capabilities accessible via the platform dashboard or API.

Data subjects also have the right to lodge a complaint with their competent national supervisory authority — see Section 23 for supervisory authority contact information.

16. Security Incidents and Breach Notification

CertifyMe maintains documented incident response procedures aligned with GDPR Articles 33 and 34 and ISO 27001 incident management requirements.

Incident Response Process

  1. Detection and Triage: Security monitoring systems and personnel detect potential incidents. Triage determines severity, scope, and whether a personal data breach may have occurred.
  2. Containment: Immediate containment measures are implemented to prevent further unauthorized access or data loss.
  3. Investigation: Root cause analysis is performed; data categories, volume, and affected individuals are determined.
  4. Notification: Notification obligations are assessed and executed in accordance with the timelines below.
  5. Remediation and Post-Incident Review: Systemic fixes are implemented; lessons learned are documented; process improvements actioned.

Notification Timelines

Notification RecipientTimelineContent
Enterprise Customer Without undue delay; target within 48 hours of breach confirmation Nature of breach; categories and approximate number of data subjects and records affected; contact details for follow-up; likely consequences; measures taken or proposed to address the breach
Supervisory Authority (where CertifyMe is Controller) Without undue delay; within 72 hours of becoming aware of a qualifying breach (GDPR Article 33) Information required under Article 33(3); phased notification permitted where full information not immediately available
Affected Data Subjects (where breach likely results in high risk) Without undue delay (GDPR Article 34) Clear description of nature of breach; contact details; likely consequences; measures taken or proposed; guidance on protective steps
Enterprise Customer Breach Notification: Enterprise customers who become aware of a potential security incident involving CertifyMe's platform should notify CertifyMe immediately at security@certifyme.online. Where CertifyMe acts as Data Processor, CertifyMe will provide the Enterprise customer with information necessary for the customer to fulfil its own supervisory authority notification obligations within the 72-hour GDPR deadline.

17. Data Processing Agreement

CertifyMe offers a Data Processing Agreement (DPA) to all Enterprise customers, incorporating the requirements of GDPR Article 28. Execution of a DPA is included as a standard component of the Enterprise customer agreement.

CertifyMe's Enterprise DPA includes:

  • Processing instructions specifying the subject matter, nature, purpose, and duration of processing
  • Confidentiality obligations on CertifyMe personnel with access to personal data
  • Security measures (TOMs) forming part of the contractual commitment
  • Approved subprocessors list and notification procedure for changes
  • Standard Contractual Clauses (EU Commission Decision 2021/914, applicable modules)
  • UK International Data Transfer Agreement (where applicable)
  • Data subject request assistance obligations
  • Breach notification obligations and timelines
  • Data return and deletion obligations upon contract termination
  • Audit rights provisions

Enterprise customers wishing to execute or review a DPA prior to contract signature should contact enterprise@certifyme.online. CertifyMe's standard DPA is available for review upon request and is presented for signature as part of the Enterprise onboarding process.

Enterprise customers may propose amendments to the standard DPA for legal or compliance reasons. All proposed amendments are reviewed by CertifyMe's legal team and responded to within 10 business days.

18. Audit Rights

In accordance with GDPR Article 28(3)(h) and CertifyMe's standard DPA provisions, Enterprise customers have the right to conduct, or commission qualified third parties to conduct, audits of CertifyMe's data processing activities and compliance with GDPR obligations.

Audit Procedure

  1. Advance Notice: Enterprise customers must provide CertifyMe with at least 30 calendar days' written notice of an intended audit, except in the case of a confirmed security incident where shorter notice may be required.
  2. Scope Agreement: Prior to the audit, the parties agree on the scope, format, timing, and duration of the audit to minimize disruption to CertifyMe's operations and protect the confidentiality of data belonging to other customers.
  3. Frequency: Enterprise customers are entitled to conduct one audit per 12-month period in the absence of a confirmed security incident. Additional audits may be agreed at CertifyMe's discretion.
  4. Third-Party Auditors: Enterprise customers may engage qualified third-party auditors subject to execution of a confidentiality agreement acceptable to CertifyMe prior to access being granted.
  5. Documentation-Based Audits: In many cases, audit obligations may be satisfied through provision of CertifyMe's most recent SOC 2 Type II audit report, ISO 27001 certification, penetration test executive summary, and responses to a standardized security questionnaire — without requiring on-site inspection. CertifyMe will make these documents available under NDA to qualifying Enterprise customers.
  6. Cost: Costs of on-site or personnel-intensive audits are borne by the Enterprise customer. Documentation-based audit requests are handled at no additional charge.

To initiate an audit or request available audit documentation, contact security@certifyme.online with the subject line "Enterprise Audit Request".

19. Employee Training and Confidentiality

CertifyMe ensures that all personnel with access to personal data processed on behalf of Enterprise customers are subject to appropriate confidentiality and data protection obligations.

  • Confidentiality commitments: All CertifyMe employees, contractors, and subcontractors with access to personal data are bound by confidentiality obligations that survive the termination of their engagement.
  • Data protection training: All employees with access to personal data complete mandatory data protection awareness training upon onboarding and at least annually thereafter. Personnel with elevated access or specific data-handling responsibilities receive role-specific training.
  • Access controls: Access to personal data is restricted to personnel who require it for their specific job function, in accordance with the least-privilege principle. Access is reviewed and adjusted upon role changes and revoked promptly upon termination of employment or contract.
  • Background screening: CertifyMe conducts appropriate background screening for personnel in roles with access to sensitive systems or personal data, in accordance with applicable law.
  • Incident reporting: Personnel are trained to recognize and report potential security incidents and data protection concerns promptly through internal reporting channels.

20. Cookies and Tracking Technologies

CertifyMe's website and platform use cookies and similar technologies for the following purposes:

  • Strictly necessary: Authentication, session management, security controls, and load balancing. These are essential for the platform to function and do not require consent.
  • Functional: User preferences, language settings, and accessibility configurations. These improve the user experience but are not essential to core functionality.
  • Analytics: Aggregated, anonymized analysis of platform usage to improve features and performance. Where cookies are used for analytics, consent is obtained in jurisdictions requiring it.
  • Marketing: CertifyMe does not place third-party advertising or retargeting cookies on its platform. Marketing communications are consent-based only.

Enterprise customers accessing the platform through a white-labeled or custom-branded configuration may have different cookie configurations. Enterprise customers are responsible for their own cookie compliance obligations in connection with their end users' use of the platform.

21. Children's Privacy

CertifyMe's Enterprise platform and services are designed for use by organizations and their authorized professional users. The platform is not directed at children, and CertifyMe does not knowingly collect personal information directly from individuals under the applicable age of digital consent in their jurisdiction (typically 13–16 years, depending on applicable law).

Where an Enterprise customer uses CertifyMe's platform to issue credentials or manage records relating to minors — for example, a school or educational institution issuing credentials to students below the applicable age of digital consent — the Enterprise customer, as Data Controller, is solely responsible for:

  • Obtaining all legally required parental or guardian consents;
  • Ensuring that processing of minors' data complies with all applicable laws, including GDPR Article 8 and national implementing legislation;
  • Notifying CertifyMe of the nature of such processing so that appropriate safeguards can be confirmed.

22. Enterprise Customer Responsibilities

Enterprise customers acting as Data Controllers in connection with their use of CertifyMe are responsible for the following obligations. CertifyMe's compliance with its Processor obligations does not reduce or transfer these Controller responsibilities.

  • Lawful basis: Establishing and documenting a valid lawful basis under GDPR Article 6 (and Article 9 where applicable) for each processing activity performed through the platform.
  • Transparency: Providing data subjects — including credential recipients — with appropriate privacy notices explaining how their data will be processed, including processing by CertifyMe as a subprocessor.
  • Consent management: Obtaining, recording, and managing consents where consent is the lawful basis; providing a mechanism for consent withdrawal.
  • Data subject requests: Receiving, assessing, and responding to data subject requests within applicable timelines; CertifyMe will provide technical assistance but the Controller response obligation rests with the Enterprise customer.
  • Retention configuration: Configuring appropriate data retention periods within the platform and instructing CertifyMe regarding deletion of data no longer required for the purposes for which it was collected.
  • Data quality: Ensuring that personal data uploaded to CertifyMe is accurate, adequate, relevant, and limited to what is necessary for the stated purpose.
  • Lawfulness of uploads: Ensuring that all personal data submitted to CertifyMe was collected lawfully and that its submission to CertifyMe for processing is consistent with the original collection purpose.
  • DPIA obligations: Conducting DPIAs where required by GDPR Article 35 in connection with the Enterprise customer's use of the platform.

Enterprise customers agree, as a condition of their Enterprise agreement, to indemnify CertifyMe for any claims, losses, or regulatory sanctions arising from the Enterprise customer's failure to fulfil its Controller obligations, except to the extent caused by CertifyMe's breach of its Processor obligations.

23. Governing Law and Supervisory Authority

This policy is governed by and construed in accordance with Regulation (EU) 2016/679 (GDPR) and, where applicable, the UK GDPR as incorporated into UK law by the Data Protection Act 2018.

Data subjects located in the EU/EEA have the right to lodge a complaint with their competent national supervisory authority. Key supervisory authority contacts include:

JurisdictionSupervisory AuthorityContact
European Union (lead authority)Irish Data Protection Commission (DPC) — where CertifyMe's EU establishment is in Irelandwww.dataprotection.ie
GermanyRelevant Landesbeauftragter (state DPA) or Bundesbeauftragte für den Datenschutz (BfDI)www.bfdi.bund.de
FranceCommission Nationale de l'Informatique et des Libertés (CNIL)www.cnil.fr
NetherlandsAutoriteit Persoonsgegevens (AP)autoriteitpersoonsgegevens.nl
United KingdomInformation Commissioner's Office (ICO)ico.org.uk
Other EU/EEA Member StatesCompetent national supervisory authority in the data subject's country of residenceFull list: edpb.europa.eu

Data subjects are encouraged to contact CertifyMe directly in the first instance to resolve concerns before escalating to a supervisory authority. CertifyMe commits to engaging in good faith with any supervisory authority inquiry.

24. Policy Updates and Versioning

CertifyMe reviews this policy at least annually and following any material change to applicable law, regulatory guidance, CertifyMe's processing operations, or the Enterprise customer agreement structure.

When material updates are made to this policy:

  • The version number and effective date on the cover of this document will be updated;
  • Enterprise customers with active agreements will be notified by email to their designated data protection or privacy contact at least 30 days before the revised policy takes effect, where changes materially affect their rights or obligations;
  • The current version of this policy will always be available at certifyme.online/gdpr-enterprise.

Continued use of CertifyMe's Enterprise services after the effective date of an updated policy constitutes acknowledgment of the updated terms. Enterprise customers who object to material changes may terminate affected services in accordance with the termination provisions of their Enterprise agreement.

VersionEffective DateSummary of Changes
1.0January 2023Initial enterprise policy
2.0September 2024Updated SCCs to EU Commission Decision 2021/914; added UK GDPR provisions; expanded TOM schedule
2.1April 16, 2026Updated subprocessor notification procedure; added blockchain credential signing to TOM schedule; updated contact details
3.0July 1, 2026Added DPIA, ROPA, Privacy by Design, audit rights, employee training, third-party risk, governing law, and supervisory authority sections; expanded data subject rights response timelines; added breach notification timeline table; added children's privacy Enterprise customer responsibility provision; document restructured for enterprise distribution

25. Contact Information

CertifyMe Enterprise Privacy and Data Protection Contacts

Contact TypeContact Details
General Privacy Inquiries privacy@certifyme.online
GDPR Requests (Data Subject Rights, Complaints) gdpr@certifyme.online
Enterprise DPA and Contract Queries enterprise@certifyme.online
Security Incidents and Breach Reporting security@certifyme.online
Postal Address Tech99 Innovations Private Limited, 3rd Floor, Akshay Tech Park, Plot No. 72–73, EPIP Zone, Whitefield, Bengaluru, Karnataka 560066, India

CertifyMe aims to acknowledge all GDPR requests within 3 business days and to respond substantively within the timelines required under applicable law. Where requests require additional time (complex or multiple requests), CertifyMe will notify the requester within 30 days of receipt and provide an updated timeline.

This document is published by Tech99 Innovations Private Limited operating as CertifyMe. Questions regarding the application of this policy to a specific Enterprise customer relationship should be directed to the Enterprise customer's designated CertifyMe account manager or to enterprise@certifyme.online.

© 2026 Tech99 Innovations Private Limited (CertifyMe). All rights reserved. This document is issued for distribution to CertifyMe Enterprise customers and their authorized legal and compliance representatives. Unauthorized reproduction or distribution is prohibited.