Data Processing Agreement
Version 1.1 · Effective 21 April 2026 · Last updated 26 April 2026
1. Definitions
In this DPA:
- "Controller" means the Employer organisation that determines the purposes and means of processing Worker personal data accessed through the Platform.
- "Processor" means CertVault, which processes personal data on behalf of the Controller.
- "Data Subject" means a Worker whose personal data is processed.
- "Personal Data" has the meaning given under the GDPR (EU) 2016/679, UK GDPR, and applicable local laws.
- "Platform" means the CertVault software-as-a-service accessible at certvaultapp.com.
- "Sub-processor" means any third party engaged by CertVault to assist in processing personal data.
2. Subject Matter and Nature of Processing
CertVault processes Worker personal data on behalf of Employers for the following purposes:
- Displaying Worker profiles (name, skills, availability, work rights) in employer search results.
- Providing access to Worker-uploaded documents (certificates, licences, medicals, etc.) that the Worker has made visible.
- Enabling contact requests and communication between Employers and Workers.
- Enabling workforce management features: onboarding, compliance tracking, document status, workforce rosters.
- Storing and displaying workforce data (hired workers, document exclusions, notes, work sites).
Processing is carried out electronically via the CertVault Platform on a continuous basis for the duration of the Controller's subscription.
3. Controller's Obligations
As the Controller, the Employer agrees to:
- Have a lawful basis for processing Worker personal data accessed via the Platform (typically: legitimate interests in workforce compliance verification, or contractual necessity).
- Provide Workers with appropriate privacy notices explaining how their data may be accessed and used by employers.
- Only use Worker data accessed through the Platform for legitimate workforce management and compliance purposes.
- Not attempt to export, scrape, or aggregate Worker data for purposes beyond workforce management.
- Promptly notify CertVault if you become aware of any data breach or security incident involving Worker data.
- Comply with all applicable data protection laws, including the GDPR and UK GDPR where applicable.
4. Processor's Obligations
CertVault, as the Processor, agrees to:
- Process personal data only on documented instructions from the Controller (i.e., the features and actions initiated through the Platform).
- Ensure that personnel authorised to process the personal data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures (see Section 6).
- Not engage new sub-processors without providing notice and the ability to object.
- Assist the Controller in responding to Data Subject rights requests to the extent CertVault holds relevant data.
- Notify the Controller without undue delay (and no later than 72 hours) after becoming aware of a personal data breach affecting Worker data.
- Delete or return all personal data to the Controller upon termination of services, at the Controller's option.
- Make available all information necessary to demonstrate compliance with GDPR Article 28.
5. Sub-processors
The Controller authorises CertVault to engage the following sub-processors. CertVault will ensure each sub-processor is bound by a written agreement containing equivalent data protection obligations:
| Sub-processor | Location | Purpose |
|---|---|---|
| Supabase, Inc. | USA (AWS us-east-1) | Database, auth, and file storage |
| Vercel, Inc. | USA / Global CDN | Web hosting and serverless compute |
| Resend, Inc. | USA | Transactional email |
| Stripe, Inc. | USA / EU | Payment processing |
| Anthropic, PBC | USA | AI certificate scanning; in-app assistant |
| VirusTotal (Google LLC) | USA | Malware scanning of uploaded documents |
CertVault will notify the Controller of any intended changes to the sub-processor list by updating this page AND sending email notification to the Controller at least 30 days in advance of the change taking effect.
Objection process. Controllers who object to a new sub-processor on reasonable GDPR grounds should contact legal@certvaultapp.com within the 30-day notice window, setting out the specific grounds for the objection. CertVault will engage in good faith to address the objection. If CertVault cannot reasonably accommodate the objection (for example, the new sub-processor is essential to providing the Platform), the Controller may terminate this DPA and the underlying CertVault subscription on written notice, with a pro-rata refund of any prepaid subscription fees for the unused remainder of the then-current billing period.
6. Security Measures
CertVault implements the following technical and organisational measures (TOMs) appropriate to the risk:
- HTTPS/TLS encryption for all data in transit.
- Encryption at rest for database storage (AES-256 via Supabase/AWS).
- Row-level security (RLS) policies ensuring each user can only access their own data.
- Role-based access controls separating Worker, Employer, and Admin access.
- Automated malware scanning of all uploaded files before storage.
- Session-based authentication with secure cookie handling.
- Internal audit logs for administrative access, retained for 12 months consistent with the authentication and platform-activity log retention disclosed in our Data Retention Policy § 2.
- Regular security reviews of infrastructure configuration.
6.1 Service Availability
CertVault does not offer a formal contractual uptime service-level agreement (SLA). The platform is operated as a best-effort service, targeting calendar-month availability of 99.5% or higher, measured against the upstream availability of our infrastructure providers (Vercel for application hosting and Supabase for database, authentication, and storage). Planned maintenance is performed during low-traffic windows where reasonably practicable, and the Controller will be notified by email of any scheduled maintenance expected to cause material service disruption.
Where a Controller requires a contractual uptime SLA with stated remedies, this can be discussed and incorporated into a separate service agreement. Contact legal@certvaultapp.com.
7. International Data Transfers
Where personal data is transferred outside the EEA or UK (e.g., to sub-processors located in the USA), CertVault relies on:
- EU-US Data Privacy Framework (DPF) — where the receiving sub-processor is DPF-certified, this is the primary adequacy mechanism for transfers from the EU to the US (effective 10 July 2023).
- EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) and Module 3 (Processor to Processor), used as a fallback where DPF certification does not apply.
- UK International Data Transfer Agreements (IDTAs) and the UK Extension to the EU-US DPF — for transfers under UK GDPR.
Copies of applicable SCCs/IDTAs with sub-processors are available on request at legal@certvaultapp.com.
8. Data Subject Rights Assistance
Where a Worker exercises a data subject right (access, erasure, rectification, portability, objection) and that right requires action by the Employer as Controller (e.g., deletion of notes or workforce records maintained by the Employer), CertVault will:
- Notify the Controller of the request where Controller action is needed.
- Provide the Controller with the technical means to delete or retrieve the relevant data from within the Platform.
- Action requests that fall solely within CertVault's remit as Processor (e.g., deletion of the Worker's account and all stored documents).
9. Data Breach Notification
In the event of a personal data breach affecting Worker data accessed by the Controller:
- CertVault will notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach.
- The notification will include (to the extent known): the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
- The Controller is responsible for notifying its own supervisory authority and affected Data Subjects as required under applicable law.
10. Audit Rights
The Controller may request an audit of CertVault's data processing activities relevant to this DPA. In practice, CertVault will satisfy audit requests by providing:
- This DPA and supporting documentation.
- Summary of security measures and sub-processor agreements (on request).
- Where required by applicable law and upon reasonable written notice, access for the Controller or their auditor to conduct an inspection.
Any audit must be conducted in a manner that minimises disruption to CertVault's business and is subject to reasonable confidentiality requirements.
11. Term and Termination
This DPA applies for the duration of the Controller's CertVault subscription. Upon termination of the Controller's account:
- CertVault will immediately delete all Worker personal data processed on the Controller's behalf, including hire records, saved-worker lists, contact requests, and pending invites tied to the Controller. The Controller's own profile and any active Stripe subscription are also removed at the same time.
- Consent records associated with the Controller's account are deleted with the account — once the underlying data is gone, the consent record loses its purpose.
- Stripe retains billing records (invoices, payment history) independently for the period required by tax law (typically 7 years). CertVault does not store payment card data and keeps no local copy of billing history beyond the active subscription state.
- Where a Worker exercises the GDPR Art. 17 right to erasure (rather than the Controller terminating), CertVault wipes the Worker's personal data and any two-sided relationship rows symmetrically. This may remove Workers from the Controller's in-platform workforce list. Records the Controller is independently required to keep under employment, tax, or labour law (e.g., payroll registers under the Australian Fair Work Act) should be maintained in the Controller's own primary HR / payroll / bookkeeping system, which is independent of CertVault and not affected by erasure on this Platform.
- Anonymised, aggregated data (with no ability to identify individuals) may be retained for platform analytics.
12. Governing Law
This DPA is governed by the laws of the jurisdiction most relevant to the Controller's location:
- EU-based Controllers: laws of Ireland (GDPR).
- UK-based Controllers: laws of England and Wales (UK GDPR).
- Australian Controllers: laws of Queensland, Australia.
- Other Controllers: the laws of Queensland, Australia, without prejudice to mandatory protections in your local jurisdiction.
13. Force Majeure
Neither party will be liable for any failure or delay in performance under this DPA (other than the obligation to pay amounts already due) to the extent caused by events beyond its reasonable control, including: acts of God, natural disasters, pandemic, war, terrorism, civil unrest, government action, fire, flood, network or telecommunications outages, or extended unavailability of upstream infrastructure providers (including the hosting, database, authentication, or storage services on which the Platform depends). The affected party will notify the other as soon as reasonably practicable, take reasonable steps to mitigate the effect, and resume performance as soon as practicable after the cause is removed. Force majeure does not relieve CertVault of its obligation to notify the Controller of a personal data breach under Section 9.
14. Contact
For questions about this DPA, to request a signed copy, or to exercise audit rights:
CertVault (Australian sole trader) — Data Protection
ABN: 51 371 573 935
2 Tandang Sora Street
Labason, Zamboanga Del Norte
Philippines 7117
Email: legal@certvaultapp.com