Data Processing Agreement

Effective: 12 May 2026 | v1.0

Parties

  • Data Controller: The Customer that has entered into the Sertiq Terms & Conditions.
  • Data Processor: Sertiq, a trading name of Mariusz Laszewski, trading as Zatto Dev, 210 Redwood Grove, Bedford, MK42 9JE, United Kingdom.

1. Purpose & Background

The Controller has engaged the Processor to provide the Sertiq supplier quality management platform (“the Services”). In providing the Services, the Processor will process personal data on behalf of the Controller. This DPA complies with Article 28 of UK GDPR and EU GDPR.

2. Subject Matter, Duration & Nature of Processing

  • Subject matter: Cloud-based supplier quality management software.
  • Duration: Active Subscription plus retention period per Privacy Policy.
  • Nature: Collection, storage, retrieval, organisation, disclosure by transmission, and deletion of personal data.
  • Purpose: Enabling the Controller to manage supplier relationships, quality documentation, audits, NCRs, and CAPAs.

3. Categories of Data Subjects

Controller’s employees and authorised users; personnel of the Controller’s suppliers and sub-contractors; any other individuals whose data the Controller uploads.

4. Categories of Personal Data

  • Identification data: names, job titles, email addresses, phone numbers.
  • Business contact data: company names, addresses, registration numbers.
  • Quality and compliance data: audit reports, NCR records, CAPA records, ISO certificates.
  • Account data: login credentials (hashed), activity logs.

5. Processor Obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller;
  2. Ensure persons authorised to process data are bound by confidentiality;
  3. Implement appropriate technical and organisational measures including pseudonymisation, encryption, resilience, and regular security testing;
  4. Assist the Controller in ensuring compliance with GDPR Articles 32–36;
  5. At the Controller’s choice, delete or return all personal data after the end of Services;
  6. Make available all information necessary to demonstrate compliance with Article 28;
  7. Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach.

6. Sub-Processors

The Controller provides general authorisation to engage sub-processors. Current categories include: cloud infrastructure and hosting (e.g., AWS, Vercel, Supabase); email delivery (e.g., SendGrid, Resend); payment processing (e.g., Stripe); analytics (e.g., Plausible, PostHog); customer support tooling (e.g., Intercom, Crisp). A full list of named sub-processors is available on request from legal@sertiq.app. The Processor shall notify the Controller of any changes to sub-processors, giving the Controller the opportunity to object. Equivalent data protection obligations will be imposed on all sub-processors.

7. International Transfers

Where personal data is transferred outside the UK or EEA, the Processor shall ensure appropriate safeguards including Standard Contractual Clauses (SCCs) and/or UK International Data Transfer Agreements (IDTAs).

8. Data Subject Rights

The Processor shall assist the Controller in responding to data subject rights requests under UK/EU GDPR and shall forward any requests received directly from data subjects to the Controller within 5 business days.

9. Audit Rights

The Controller may, upon 30 days’ written notice and no more than once per calendar year, audit the Processor’s compliance with this DPA. The Controller shall bear all audit costs.

10. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in conducting DPIAs where required under Article 35 of UK/EU GDPR.

11. Liability

Each party shall be liable for damage caused to data subjects as a result of its breach of UK/EU GDPR. The Processor’s total aggregate liability under this DPA shall not exceed the liability cap set out in the Terms & Conditions.

12. Governing Law

This DPA shall be governed by the laws of England and Wales.

13. How This DPA Applies

This DPA is incorporated into and forms part of the Sertiq Terms & Conditions. By accepting the Terms & Conditions at registration, the Customer agrees to the terms of this DPA. No separate signature is required. Customers requiring a countersigned DPA may request one at legal@sertiq.app.

© 2026 Zatto Dev — Sertiq™ · 210 Redwood Grove, Bedford, MK42 9JE, UK