The reference page for procurement and security teams evaluating certificates.dev. What we collect, how we handle it, and how to run a security review. If something you need isn't answered here, ask us and we'll answer plainly.
An honest snapshot for a first pass. Each line links to the detail procurement forwards; the reference sections below carry the substance.
GDPR
Operates as a GDPR-compliant platform.
Encryption in transit
Traffic is encrypted in transit with TLS. Encryption at rest is answered per data store on request.
Independent proctoring
Exams are proctored by an independent service, timed and sandboxed.
Data processing agreement
A DPA is available to review and execute as part of an enterprise agreement.
SSO and SAML
Not generally available today. Raise it in the security review and we'll give you a straight answer on timeline.
SOC 2 / ISO 27001
We do not hold SOC 2 or ISO 27001 certification today, and this page will not imply otherwise.
What we collect
Account data such as name and email address, exam session data from proctored exam sessions, and team assignment data for seat management on the team dashboard. Ask us for the full data inventory and we'll provide it as part of a security review.
Where it is processed
Hosting regions and the current sub-processor list are provided on request as part of a security review.
Retention and deletion
Data is deleted on request. Write to team@certificates.dev and we'll action it. The full retention schedule is provided as part of a security review.
GDPR
certificates.dev operates as a GDPR-compliant platform. Lawful-basis detail per processing activity is provided on request. The published terms are in the privacy policy.
Sign-in
Users sign in with GitHub or with email.
Team roles and seats
The team dashboard gives team admins seat and license management. Allocate, reassign, and revoke seats as people join or leave.
SSO and SAML
SSO and SAML are not generally available today. If your agreement needs them, raise it in the security review and we'll give you a straight answer on timeline.
Exam integrity is the product. A certificate is only worth what the exam behind it can defend, so this is the part of the platform we hold to the highest standard.
Proctored exams
Certification exams are proctored by an independent proctoring service integrated into the exam flow.
Timed and sandboxed
Exams are timed and run in a sandboxed environment, so every candidate faces the same conditions.
Verifiable credentials
Every certificate has a public verification page. Anyone can confirm a credential is genuine without contacting us. See how verification works.
Retakes
Team bundles include one free retake per bundle.
Data processing agreement
A DPA is available to review and execute as part of an enterprise agreement. Request it at team@certificates.dev.
Billing
Centralized invoicing and PO-friendly billing for team purchases.
Agreements
Multi-year agreements are available.
Legal entity
The platform is operated by BitterBrains Inc.
Certifications held
We do not hold SOC 2 or ISO 27001 certification today, and this page will not imply otherwise.
What we do instead
Our posture and controls are documented in the security overview, and we answer vendor questionnaires directly. If a certification is on our roadmap by the time you read this, the security review will say so plainly.
Encryption
Traffic is encrypted in transit with TLS. Ask about encryption at rest in the security review and we'll answer specifically for each data store.
Vulnerabilities and incidents
Report a suspected vulnerability or incident to team@certificates.dev. We'll share the handling and incident response process as part of a security review.
How a review runs
Send your questionnaire or request a call. We'll confirm the expected turnaround when we receive it.
Contact
What to request
Request the DPA, a completed security questionnaire, or a review call.
Send the questionnaire, request the DPA, or book a call. You get plain answers either way.