Trust

Data Processing Addendum Summary

This page summarizes the controller-processor terms Certyn offers to customers who need GDPR, UK GDPR, or similar processor commitments.

Last updated: March 26, 2026

Status of This Document

Summary Only

This page is a public summary of Certyn's DPA position. It does not replace a signed DPA, order form, or other written agreement. To request a signable DPA template, contact legal@certyn.io.

Roles

Customer acts as controller or business, depending on applicable law, for customer data submitted to Certyn.
Certyn acts as processor or service provider for customer data processed on the customer’s behalf in connection with the service.

Subject Matter, Nature, and Duration

Certyn processes customer data to provide AI-powered QA automation, browser execution, evidence collection, reporting, support, billing administration, and related service operations. Processing continues for the term of the customer's use of the service, plus any agreed retention, legal hold, backup, or deletion window.

Categories of Data and Data Subjects

Data subjects may include customer users, employees, contractors, test-account holders, website visitors, and end users whose information appears in tested applications.
Data categories may include account identity data, environment settings, prompts, tickets, wiki content, screenshots, browser logs, network events, conversation archives, optional session video, and support or billing records.

Subprocessors and Transfers

Certyn uses subprocessors listed on the Subprocessors page. Cross-border transfers may occur where subprocessors operate outside the customer's home jurisdiction.

Where required, Certyn expects its DPA to incorporate standard contractual clauses or similar lawful transfer mechanisms and to address onward transfers to subprocessors.

Security Measures

isolated browser sessions running in containerized environments
workspace access controls and authentication
logging, monitoring, and operational security review
restricted access to customer data for support and security functions
documented retention targets for execution artifacts and related records

Assistance, Deletion, and Return

Certyn's DPA is intended to address assistance with data subject requests, regulator inquiries, and security incident handling to the extent required by law and proportionate to the service.

Upon termination, Certyn expects to delete or return customer data according to the applicable agreement, documented retention rules, and legal obligations.

Security Incident Notifications

Certyn's DPA is intended to include notice obligations for confirmed security incidents affecting customer data, subject to investigation needs, legal restrictions, and the information reasonably available at the time.