Trust and security

The reference page for procurement and security teams evaluating certificates.dev. What we collect, how we handle it, and how to run a security review. If something you need isn't answered here, ask us and we'll answer plainly.

Compliance at a glance

An honest snapshot for a first pass. Each line links to the detail procurement forwards; the reference sections below carry the substance.

GDPR: Compliant

Operates as a GDPR-compliant platform.

Encryption in transit: Yes, TLS

Traffic is encrypted in transit with TLS. At-rest is answered per data store on request.

Independent proctoring: In the exam flow

Exams are proctored by an independent service, timed and sandboxed.

Data processing agreement: On request

A DPA is available to review and execute as part of an enterprise agreement.

SSO and SAML: Not GA today

Not generally available today. Raise it in the security review and we'll give you a straight answer on timeline.

SOC 2 / ISO 27001: Not held

We do not hold SOC 2 or ISO 27001 certification today, and this page will not imply otherwise.

Data handling and privacy

What we collect

Account data such as name and email address, exam session data from proctored exam sessions, and team assignment data for seat management on the team dashboard. Ask us for the full data inventory and we'll provide it as part of a security review.

Where it is processed

Hosting regions and the current sub-processor list are provided on request as part of a security review.

Retention and deletion

Data is deleted on request. Write to team@certificates.dev and we'll action it. The full retention schedule is provided as part of a security review.

GDPR

certificates.dev operates as a GDPR-compliant platform. Lawful-basis detail per processing activity is provided on request. The published terms are in the privacy policy.

Authentication and access

Sign-in

Users sign in with GitHub or with email.

Team roles and seats

The team dashboard gives team admins seat and license management. Allocate, reassign, and revoke seats as people join or leave.

SSO and SAML

SSO and SAML are not generally available today. If your agreement needs them, raise it in the security review and we'll give you a straight answer on timeline.

Exam integrity

Exam integrity is the product. A certificate is only worth what the exam behind it can defend, so this is the part of the platform we hold to the highest standard.

Proctored exams

Certification exams are proctored by an independent proctoring service integrated into the exam flow.

Timed and sandboxed

Exams are timed and run in a sandboxed environment, so every candidate faces the same conditions.

Verifiable credentials

Every certificate has a public verification page. Anyone can confirm a credential is genuine without contacting us. See how verification works.

Retakes

Team bundles include one free retake per bundle.

Compliance posture and roadmap

Certifications held

We do not hold SOC 2 or ISO 27001 certification today, and this page will not imply otherwise.

What we do instead

Our posture and controls are documented in the security overview, and we answer vendor questionnaires directly. If a certification is on our roadmap by the time you read this, the security review will say so plainly.

Security practices

Encryption

Traffic is encrypted in transit with TLS. Ask about encryption at rest in the security review and we'll answer specifically for each data store.

Vulnerabilities and incidents

Report a suspected vulnerability or incident to team@certificates.dev. We'll share the handling and incident response process as part of a security review.

How a review runs

Send your questionnaire or request a call. We'll confirm the expected turnaround when we receive it.

Security and procurement contact

What to request

Request the DPA, a completed security questionnaire, or a review call.

Answers first, paperwork fast

Send the questionnaire, request the DPA, or book a call. You get plain answers either way.