Skip to Content
Data Processing Agreement | CertFlow
Data Processing Agreement

Data Processing Agreement

This DPA forms part of the agreement between you (the Customer, acting as Controller) and CertFlow LTD (acting as Processor) and governs how CertFlow processes personal data on your behalf.

Version 1.0 · Last reviewed: May 2026

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meaning given in the UK GDPR or our main Terms & Conditions.

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach" — as defined in the UK GDPR.
  • "Customer Data" — Personal Data that the Customer (Controller) submits to or instructs CertFlow to Process via the CertFlow platform.
  • "Sub-processor" — any third party engaged by CertFlow to Process Customer Data.
  • "UK GDPR" — the UK General Data Protection Regulation, as supplemented by the Data Protection Act 2018.

2. Subject matter and duration

The subject matter of the Processing is the provision of the CertFlow compliance and inspection management platform. The duration of Processing is the term of the main agreement plus any post-termination retention period set out in clause 11.

3. Nature and purpose of Processing

CertFlow Processes Customer Data solely for the purpose of providing, securing, supporting and improving the CertFlow service to the Customer in accordance with the Customer's documented instructions.

4. Types of Personal Data

The categories of Personal Data Processed under this DPA typically include:

  • Names, business contact details and roles of the Customer's employees, engineers, and clients
  • Asset, site, and inspection records that may include named individuals (e.g. responsible persons, dutyholders)
  • Photographs and attachments uploaded to inspection records, where these may incidentally contain personal data
  • Authentication and access logs

5. Categories of Data Subjects

  • The Customer's own employees, engineers and authorised users
  • The Customer's clients and their personnel (named contacts on sites and inspections)
  • Any individual whose personal data the Customer chooses to upload to CertFlow

6. Processor obligations

CertFlow shall:

  1. Process Customer Data only on the documented instructions of the Customer, including with regard to international transfers;
  2. Ensure that personnel authorised to Process Customer Data are bound by appropriate confidentiality obligations;
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in clause 9 and our Security page;
  4. Assist the Customer in fulfilling its obligations to respond to Data Subject requests;
  5. Assist the Customer with data protection impact assessments and prior consultations where reasonably required;
  6. At the choice of the Customer, delete or return all Customer Data after the end of the provision of services, in line with clause 11;
  7. Make available to the Customer all information necessary to demonstrate compliance with this DPA.

7. Sub-processors

The Customer provides a general authorisation for CertFlow to engage Sub-processors to Process Customer Data, subject to the conditions in this clause.

CertFlow shall:

  • Maintain a current list of Sub-processors, available on request to privacy@certflow.co.uk;
  • Notify the Customer of any intended changes concerning the addition or replacement of Sub-processors, giving the Customer the opportunity to object on reasonable grounds;
  • Impose contractual data protection obligations on each Sub-processor that are equivalent to those in this DPA;
  • Remain fully liable to the Customer for the performance of each Sub-processor's obligations.

8. International transfers

CertFlow shall not transfer Customer Data outside the United Kingdom or European Economic Area without ensuring an appropriate transfer mechanism is in place, including (where applicable) the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another mechanism recognised under the UK GDPR.

9. Security measures

CertFlow has implemented and shall maintain appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures include:

  • Encryption of Customer Data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls, strong authentication, and audit logging
  • Network and application monitoring with on-call incident response
  • Regular backups with tested restore procedures
  • Continuous dependency and vulnerability scanning, plus periodic penetration testing
  • Background checks and confidentiality undertakings for personnel with production access

Full details are published on our Security page and updated from time to time.

10. Personal Data Breaches

CertFlow shall notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Data. The notification will, to the extent then known, describe:

  • The nature of the breach, including categories and approximate numbers of Data Subjects and records affected;
  • Likely consequences;
  • Measures taken or proposed to address the breach and mitigate its possible adverse effects.

11. Return or deletion of Customer Data

Upon termination of the main agreement, the Customer may request the return or deletion of Customer Data in CertFlow. Standard self-service export tools are available throughout the term of the agreement. Following termination:

  • Customer Data will be retained for up to 30 days to allow for a final export;
  • After this period, Customer Data will be deleted from active systems;
  • Backup copies will be deleted in line with our standard backup retention cycle (typically within a further 30 days);
  • Deletion is subject to any longer retention required by applicable law.

12. Audits

CertFlow shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Where the Customer reasonably requires further information or an audit, CertFlow will respond to written information requests in good time. On-site audits may be carried out at the Customer's expense, on reasonable notice, no more than once per calendar year, and subject to confidentiality.

13. Liability and order of precedence

The liability provisions of the main agreement between the Customer and CertFlow apply to this DPA. In the event of any conflict between this DPA and the main agreement on matters relating to the Processing of Personal Data, this DPA shall prevail.

14. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.

15. Contact

CertFlow LTD
DPA queries: privacy@certflow.co.uk
General queries: info@certflow.co.uk · 0114 392 2407
Registered office: 20 Wenlock Road, London, N1 7GU
Company number: 17056886