How we handle your data
Certus is evidence-first, privacy-forward. We limit collection, honour residency, and give you tooling to purge, export, and attest.
Data minimisation
Certus stores only the artefacts required to prove a control. Repository contents remain in your SCM; we retain signed evidence, metadata, and hashes.
Regional residency
Enterprise tenants choose between US (us-east-2) and EU (eu-central-1). Evidence never leaves the region selected. Optional cold storage replication can be enabled to a customer-owned bucket.
Access controls
RBAC with SCIM provisioning. Every evidence download, export, or blueprint change is logged to the immutable ledger.
Processing summary
Purpose
Audit evidence, compliance automation, and security telemetry.
Sub-processors
AWS, Cloudflare, Slack (optional), ServiceNow (optional).
Retention
Default retention is 7 years. Custom retention windows available per blueprint.
DPA
Standard DPA and SCCs available under NDA. HIPAA BAA available for regulated workloads.
Need to execute a data subject request or request our latest audit artefacts? Contact privacy@certus.ai. Turnaround SLA is 5 business days.