How we process customer data
This Data Processing Agreement (“DPA”) forms part of the SaaS Terms and Conditions between the Customer (“Controller”) and AxiomaSoft B.V. (“Processor”) for the use of the Certikeeper platform. It sets out how AxiomaSoft processes and protects customer data in Certikeeper, is designed to meet the requirements of Article 28 GDPR, and applies to business customers only.
1. Subject matter and duration
- The Processor processes personal data on behalf of the Controller to provide the Certikeeper platform.
- Processing continues for the duration of the Customer’s subscription, and until all data is deleted or returned in accordance with this DPA.
2. Nature and purpose of processing
- Within Certikeeper, processing includes the collection, storage, organisation, and display of data for certificate and document management, supplier assessments, evaluations, notifications, onboarding support, and related compliance workflows.
- Processing is limited to what is necessary to provide the platform and related services in line with the SaaS Terms and Conditions.
3. Categories of data subjects
The categories of data subjects – meaning any identified or identifiable natural person whose personal data is processed – relevant to Certikeeper typically include:
- Employees and representatives of the Customer (for example, quality assurance staff, administrators, management).
- Employees and representatives of the Customer’s suppliers (for example, quality or sales contacts appearing in certificates, correspondence, or compliance records).
- Other business contacts uploaded by the Customer into the platform.
4. Types of personal data
For the purposes of this DPA, “personal data” has the meaning set out in Article 4(1) GDPR: any information relating to an identified or identifiable natural person. Within the context of Certikeeper, personal data processed is limited to business-related contact and communication details provided by the Customer or its suppliers. Certikeeper does not require or intend to process special categories of personal data under Article 9 GDPR (such as data relating to racial or ethnic origin, political opinions, religion, trade union membership, genetic or biometric data, health data, or sexual orientation).
The types of personal data processed typically include:
- Contact details of Customer representatives (for example, name, business email address, business telephone number, job title, department).
- Contact details of supplier representatives (for example, name, business email address, business telephone number, job title, department).
- Business-related correspondence uploaded by the Customer (for example, certificates, assessments, evaluations, non-conformity records) that may contain the names and contact information of individuals.
- System usage and audit data (for example, login credentials, IP addresses, time and date of access, account activity logs).
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller. For the purposes of this DPA, documented instructions include this DPA, the SaaS Terms and Conditions, and any written or electronic requests submitted by the Customer to AxiomaSoft in the context of using Certikeeper (such as configuration requests or support tickets).
- Ensure confidentiality of staff authorised to process data.
- Implement appropriate technical and organisational security measures.
- Assist the Controller with data subject rights requests (access, rectification, erasure, portability).
- Notify the Controller without undue delay in case of a personal data breach.
- Up-to-date contact details for data protection enquiries are published on the Certikeeper contact page.
- Provide reasonable evidence of compliance with this DPA (via documentation) upon written request by the Controller.
6. Sub-processors
The Controller authorises use of sub-processors necessary to deliver the service, including:
- Hosting provider: Hostinger International Ltd. (EU);
- Other service providers as listed on Certikeeper’s Sub-processor page.
The current list of sub-processors is maintained on the Certikeeper Sub-processor page. AxiomaSoft will notify the Customer of material changes to this list (by email), and will update the Sub-processor page to reflect such changes. All sub-processors are bound by written agreements consistent with this DPA.
7. International transfers
If personal data is transferred outside the EU/EEA, the Processor ensures adequate safeguards, such as EU Standard Contractual Clauses (SCCs) or other recognised mechanisms under GDPR and UK GDPR. Remote access to Certikeeper from outside the EU/EEA does not in itself constitute an international transfer, provided that the data remains stored and hosted within the EU/EEA.
8. Data retention and deletion
- Upon termination, Customer data will be returned or deleted within sixty (60) days, unless a longer period is required by law.
- Backups are created daily.
- Backup data is retained for a maximum of thirty (30) days and then deleted in the regular backup cycle.
9. Liability
Liability is governed by the SaaS Terms and Conditions and follows the limitations set out therein.
10. Governing Law and Jurisdiction
This DPA is governed by the laws of the Netherlands. Dispute resolution and jurisdiction follow the provisions set out in the SaaS Terms and Conditions.
Last updated: 1 September, 2025