Data processing agreement
This page summarises Certbond’s GDPR Art. 28 commitments where we act as Processor on behalf of a Controller (a partner company or consultant entrusting personal data to us). The full DPA — including the named sub-processor register, technical and organisational measures (TOM), Standard Contractual Clauses for non-EU transfers, and any Annexes — is provided to authenticated Controllers on signature. Email [email protected] to receive the executable DPA.
Scope and parties
This DPA applies where Certbond, operated by Lagerbolag 1, processes personal data on behalf of a partner company or consultant ("Controller") under our Terms of Service. Where Certbond determines the purposes and means of processing about its own members and visitors (described in our Privacy Policy), Certbond acts as an independent Controller, and that processing falls outside this DPA.
Our commitments under GDPR Art. 28
- Documented instructions. Certbond processes Controller’s personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by EU or Member State law to which Certbond is subject.
- Confidentiality. Persons authorised to process Controller’s data — Certbond personnel and sub-processors — are bound by confidentiality obligations and are granted access only on a need-to-know basis.
- Security. We apply technical and organisational measures appropriate to the risk, as required by GDPR Art. 32, including encryption in transit and at rest, multi-factor authentication on administrative access, EU-resident infrastructure for primary processing, audit logging, and tested backup and restore procedures. The detailed TOM are provided to authenticated Controllers on request.
- Sub-processors. We use a small set of sub-processors (categories: hosting and database, authentication, transactional email, payment processing, KYB/KYC and AML screening, credential-verification lookups, and an opt-in AI-text provider). The named register is provided to Controllers on signature of the DPA. Additions or replacements are notified to Controllers at least 30 days in advance with the right to object.
- Data subject rights. Self-service tools at app.certbond.com/profile let data subjects exercise their GDPR Art. 15–22 rights directly. Where the Controller needs assistance, Certbond will cooperate within 14 days of receiving a written request at [email protected].
- Breach notification. We notify the Controller of any personal-data breach affecting Controller’s data without undue delay, and in any event within 72 hours of becoming aware of it, with sufficient information to enable the Controller to meet its own GDPR notification obligations.
- DPIA support. On reasonable written request, Certbond provides information necessary for the Controller to conduct a Data Protection Impact Assessment (Art. 35) or to consult with a supervisory authority (Art. 36).
- International transfers. Where Certbond transfers Controller’s data outside the EU/EEA, the transfer is covered by the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or an applicable adequacy decision. A Transfer Impact Assessment is performed before any non-EU sub-processor is onboarded.
- Audit. On reasonable notice and not more than once per calendar year (or more often where required by a supervisory authority), we make available the information necessary to demonstrate compliance with this DPA — through certifications, audit reports, written questionnaire responses, or an on-site or remote audit subject to confidentiality.
- Deletion or return. On termination, Certbond will, at the Controller’s choice, delete or return all Controller personal data and delete existing copies, unless EU or Member State law requires continued storage. Records retained under a legal obligation are minimised and contain no profile content.
Executable DPA
This page is a summary. The signed DPA — with the named sub-processor register, full TOM, SCCs, and any Controller-specific addenda — is provided on Service activation. Controllers may request the executable DPA at any time via [email protected]; the typical turnaround is 5 business days.
Governing law
This DPA is governed by the laws of Sweden. The exclusive jurisdiction is Stockholm District Court (Stockholms tingsrätt).