Data Processing Agreement

In this DPA:

• "Controller" means the Employer organisation that determines the purposes and means of processing Worker personal data accessed through the Platform.
• "Processor" means CertVault, which processes personal data on behalf of the Controller.
• "Data Subject" means a Worker whose personal data is processed.
• "Personal Data" has the meaning given under the GDPR (EU) 2016/679, UK GDPR, and applicable local laws.
• "Platform" means the CertVault software-as-a-service accessible at certvaultapp.com.
• "Sub-processor" means any third party engaged by CertVault to assist in processing personal data.

CertVault processes Worker personal data on behalf of Employers for the following purposes:

• Displaying Worker profiles (name, skills, availability, work rights) in employer search results.
• Providing access to Worker-uploaded documents (certificates, licences, medicals, etc.) that the Worker has made visible.
• Enabling contact requests and communication between Employers and Workers.
• Enabling workforce management features: onboarding, compliance tracking, document status, workforce rosters.
• Storing and displaying workforce data (hired workers, document exclusions, notes, work sites).

Processing is carried out electronically via the CertVault Platform on a continuous basis for the duration of the Controller's subscription.

As the Controller, the Employer agrees to:

• Have a lawful basis for processing Worker personal data accessed via the Platform (typically: legitimate interests in workforce compliance verification, or contractual necessity).
• Provide Workers with appropriate privacy notices explaining how their data may be accessed and used by employers.
• Only use Worker data accessed through the Platform for legitimate workforce management and compliance purposes.
• Not attempt to export, scrape, or aggregate Worker data for purposes beyond workforce management.
• Promptly notify CertVault if you become aware of any data breach or security incident involving Worker data.
• Comply with all applicable data protection laws, including the GDPR and UK GDPR where applicable.

CertVault, as the Processor, agrees to:

• Process personal data only on documented instructions from the Controller (i.e., the features and actions initiated through the Platform).
• Ensure that personnel authorised to process the personal data are bound by appropriate confidentiality obligations.
• Implement appropriate technical and organisational security measures (see Section 6).
• Not engage new sub-processors without providing notice and the ability to object.
• Assist the Controller in responding to Data Subject rights requests to the extent CertVault holds relevant data.
• Notify the Controller without undue delay (and no later than 72 hours) after becoming aware of a personal data breach affecting Worker data.
• Delete or return all personal data to the Controller upon termination of services, at the Controller's option.
• Make available all information necessary to demonstrate compliance with GDPR Article 28.

The Controller authorises CertVault to engage the following sub-processors. CertVault will ensure each sub-processor is bound by a written agreement containing equivalent data protection obligations:

CertVault will notify the Controller of any intended changes to the sub-processor list by updating this page. Controllers who object to a new sub-processor on reasonable GDPR grounds should contact legal@certvaultapp.com.

CertVault implements the following technical and organisational measures (TOMs) appropriate to the risk:

• HTTPS/TLS encryption for all data in transit.
• Encryption at rest for database storage (AES-256 via Supabase/AWS).
• Row-level security (RLS) policies ensuring each user can only access their own data.
• Role-based access controls separating Worker, Employer, and Admin access.
• Automated malware scanning of all uploaded files before storage.
• Session-based authentication with secure cookie handling.
• Internal audit logs for administrative access.
• Regular security reviews of infrastructure configuration.

Where personal data is transferred outside the EEA or UK (e.g., to sub-processors located in the USA), CertVault relies on:

• EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) and Module 3 (Processor to Processor), as applicable.
• UK International Data Transfer Agreements (IDTAs) — for transfers under UK GDPR.

Copies of applicable SCCs/IDTAs with sub-processors are available on request at legal@certvaultapp.com.

Where a Worker exercises a data subject right (access, erasure, rectification, portability, objection) and that right requires action by the Employer as Controller (e.g., deletion of notes or workforce records maintained by the Employer), CertVault will:

• Notify the Controller of the request where the Controller action is needed.
• Provide the Controller with the technical means to delete or retrieve the relevant data from within the Platform.
• Action requests that fall solely within CertVault's remit as Processor (e.g., deletion of the Worker's account and all stored documents).

In the event of a personal data breach affecting Worker data accessed by the Controller:

• CertVault will notify the Controller without undue delay, and no later than 72 hours of becoming aware of the breach.
• The notification will include (to the extent known): the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
• The Controller is responsible for notifying its own supervisory authority and affected Data Subjects as required under applicable law.

The Controller may request an audit of CertVault's data processing activities relevant to this DPA. In practice, CertVault will satisfy audit requests by providing:

• This DPA and supporting documentation.
• Summary of security measures and sub-processor agreements (on request).
• Where required by applicable law and upon reasonable written notice, access for the Controller or their auditor to conduct an inspection.

Any audit must be conducted in a manner that minimises disruption to CertVault's business and is subject to reasonable confidentiality requirements.

This DPA applies for the duration of the Controller's CertVault subscription. Upon termination:

• CertVault will delete all Worker personal data processed on the Controller's behalf within 90 days of account termination, unless a longer retention period is required by law.
• Anonymised, aggregated data (with no ability to identify individuals) may be retained for platform analytics.

This DPA is governed by the laws of the jurisdiction most relevant to the Controller's location:

• EU-based Controllers: laws of Ireland (GDPR).
• UK-based Controllers: laws of England and Wales (UK GDPR).
• Australian Controllers: laws of Queensland, Australia.
• Other Controllers: the laws of Queensland, Australia, without prejudice to mandatory protections in your local jurisdiction.

For questions about this DPA, to request a signed copy, or to exercise audit rights:

CertVault — Data Protection
Email: legal@certvaultapp.com