Built for the questions enterprise security teams actually ask.
GDPR, SOC 2 alignment, EU data residency, signed DPAs, and a 99.9% uptime SLA. Everything procurement, security, and legal need to approve Certainly, in one place.
Standard security questionnaires returned in 5 business days. Custom RFPs supported on enterprise plans.
GDPR
EU regulation 2016/679
SOC 2 aligned
Type II controls
ISO 27001 aligned
ISMS framework
EU data residency
Frankfurt / Ireland
DPA available
Standard & custom
SCCs ready
EU Standard Contractual Clauses
"Certainly's agents resolve almost everything our students throw at them, in any language, at any hour. We finally have support that scales with the business."
Certainly Trust Center
Security signals forevery stakeholder
GDPR compliant
Full Data Processing Agreement available. EU data residency by default.
EU data residency
Customer data stored in EU regions. Conversations are never used to train AI models.
99.9% uptime SLA
Production-grade availability with active monitoring and incident response.
SOC 2 & ISO 27001 aligned
Security practices aligned to SOC 2 Type II and ISO 27001 control frameworks.
Dedicated implementation
Named implementation lead, security questionnaire support, and onboarding playbooks.
Audit logs & access control
Granular role-based access, full audit trails, and SSO/SAML on enterprise plans.
Data practices
How we handlecustomer data
Data minimisation
We collect only what is needed to deliver the service. PII is masked in logs and analytics views.
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest. Secrets isolated in managed key stores.
No model training on your data
Customer conversations and content are never used to train foundation models.
Sub-processors disclosed
Full list of sub-processors and their roles is available in the DPA, with notice on changes.
Right to access & erasure
Built-in workflows to honour GDPR data-subject requests within statutory timelines.
Backups & recovery
Automated daily backups, point-in-time recovery, and tested disaster recovery procedures.
Documentation
Policies andlegal documents
Privacy Policy
What we collect, why, how long we retain it, and your rights as a data subject.
Read policyData Processing Agreement
Standard GDPR Article 28 DPA with EU SCCs. Signable before procurement on request.
Read DPATerms of Service
Commercial terms, SLAs, acceptable use, and notice periods.
Read termsSub-processors
Full sub-processor list (model providers, hosting, analytics) is included in the DPA. We provide notice before adding new sub-processors.
Sub-processor changes
Customers receive 30-day notice on material sub-processor changes, with the right to object before the change takes effect.
Security questionnaires
We respond to standard security questionnaires (CAIQ, SIG-Lite) within five business days. Custom RFPs supported.
Frequently asked
Security &compliance FAQ
Where is customer data stored?
+
Customer data is stored in EU regions by default (Frankfurt and Ireland). Enterprise customers can request specific residency arrangements as part of the DPA.
Are conversations used to train AI models?
+
No. Customer conversations, prompts, and content are never used to train foundation models. We use providers (Anthropic, Google, OpenAI) under zero-retention or limited-retention agreements.
Is Certainly GDPR compliant?
+
Yes. Certainly is fully GDPR compliant. A standard Data Processing Agreement is available and can be signed before procurement. EU Standard Contractual Clauses are included for any cross-border transfers.
Is Certainly SOC 2 or ISO 27001 certified?
+
Our security practices are aligned to SOC 2 Type II and ISO 27001 control frameworks. Detailed control mappings and current attestation status are available under NDA on request.
How does Certainly handle data-subject requests?
+
We provide built-in workflows for access, rectification, and erasure requests. Requests are honoured within the statutory 30-day window.
Does Certainly support SSO and audit logging?
+
Yes. SAML SSO, role-based access control, and full audit logs are available on enterprise plans.