General Data Protection Regulation and Sertifi

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s new privacy law, providing a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. The GDPR sets out the principles for data management and the rights of the individual. The General Data Protection Regulation covers all companies that deal with data of EU citizens. It came into effect on May 25, 2018.

How does Sertifi comply with GDPR?

Sertifi in its role as the Data Processor of your customer and end user information has implemented the necessary security, privacy, processes, and controls to meet its obligations as a processor under Article 28 of GDPR. Sertifi’s customers as Data Controllers will have responsibilities to implement any available enhancements as well as any necessary policy, procedures or notices. For more information, please read our European User Disclosure.

To this end:

  • We continue to process your customer and end user data per your instructions.
  • We have implemented appropriate technical and organizational measures to protect the data with which you entrust us.
  • We have provided a list of our sub-processors and will give you the opportunity to object if we engage a new one. You can access this list on our website.
  • We have instituted a policy informing and obligating our employees to maintain the confidentiality of your information.
  • We have instituted procedures to assist you in complying with requests to access, amendment or deletion that you may get from your customers or end users.
  • We implemented procedures to inform you without delay in the event of a data breach.
  • We will delete your customer/end user signature documents at the end of our agreement with you, if requested.

We have also updated our privacy policy to provide greater transparency about our practices and help you pass that forward to your customers and end users.

Cross-Border Data Transfers

Like the Data Protection Directive that is presently in effect, GDPR includes provisions on international data transfer mechanisms. In order to comply with these provisions we have certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism that had been approved for cross border transfer of personal data under the Directive and expected to apply under GDPR as well and also offer a Data Processing Addendum to all customers who additionally require it.

We have also worked with legal counsel to create a standard Data Processing Addendum (DPA), which meets with GDPR requirements for agreements between Data Controllers (you) and Data Processors (us). This outlines in detail our current security practices. To receive and sign a copy of our DPA, please contact us at [email protected].

Data Service Requests (DSR)

  • Obtain copies
  • Request corrections
  • Restrict processing
  • Delete it
  • Export it so it can be moved to another controller

If you have an account with us, you may access, correct, or request that we delete your personal data by contacting us at [email protected]. This request can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within the GDPR requirement of 30 days.