Skip to main content
    Trust Center

    Built for the questions enterprise security teams actually ask.

    GDPR, SOC 2 alignment, EU data residency, signed DPAs, and a 99.9% uptime SLA. Everything procurement, security, and legal need to approve Certainly, in one place.

    Standard security questionnaires returned in 5 business days. Custom RFPs supported on enterprise plans.

    GDPR

    EU regulation 2016/679

    SOC 2 aligned

    Type II controls

    ISO 27001 aligned

    ISMS framework

    EU data residency

    Frankfurt / Ireland

    DPA available

    Standard & custom

    SCCs ready

    EU Standard Contractual Clauses

    "Certainly's agents resolve almost everything our students throw at them, in any language, at any hour. We finally have support that scales with the business."

    Fintiba, regulated fintech serving 500,000+ international students. DPA signed, security questionnaire completed pre-procurement.

    Certainly Trust Center

    Security signals forevery stakeholder

    GDPR compliant

    Full Data Processing Agreement available. EU data residency by default.

    EU data residency

    Customer data stored in EU regions. Conversations are never used to train AI models.

    99.9% uptime SLA

    Production-grade availability with active monitoring and incident response.

    SOC 2 & ISO 27001 aligned

    Security practices aligned to SOC 2 Type II and ISO 27001 control frameworks.

    Dedicated implementation

    Named implementation lead, security questionnaire support, and onboarding playbooks.

    Audit logs & access control

    Granular role-based access, full audit trails, and SSO/SAML on enterprise plans.

    Data practices

    How we handlecustomer data

    Data minimisation

    We collect only what is needed to deliver the service. PII is masked in logs and analytics views.

    Encryption everywhere

    TLS 1.2+ in transit. AES-256 at rest. Secrets isolated in managed key stores.

    No model training on your data

    Customer conversations and content are never used to train foundation models.

    Sub-processors disclosed

    Full list of sub-processors and their roles is available in the DPA, with notice on changes.

    Right to access & erasure

    Built-in workflows to honour GDPR data-subject requests within statutory timelines.

    Backups & recovery

    Automated daily backups, point-in-time recovery, and tested disaster recovery procedures.

    Documentation

    Policies andlegal documents

    Sub-processors

    Full sub-processor list (model providers, hosting, analytics) is included in the DPA. We provide notice before adding new sub-processors.

    Sub-processor changes

    Customers receive 30-day notice on material sub-processor changes, with the right to object before the change takes effect.

    Security questionnaires

    We respond to standard security questionnaires (CAIQ, SIG-Lite) within five business days. Custom RFPs supported.

    Frequently asked

    Security &compliance FAQ

    Where is customer data stored?

    +

    Customer data is stored in EU regions by default (Frankfurt and Ireland). Enterprise customers can request specific residency arrangements as part of the DPA.

    Are conversations used to train AI models?

    +

    No. Customer conversations, prompts, and content are never used to train foundation models. We use providers (Anthropic, Google, OpenAI) under zero-retention or limited-retention agreements.

    Is Certainly GDPR compliant?

    +

    Yes. Certainly is fully GDPR compliant. A standard Data Processing Agreement is available and can be signed before procurement. EU Standard Contractual Clauses are included for any cross-border transfers.

    Is Certainly SOC 2 or ISO 27001 certified?

    +

    Our security practices are aligned to SOC 2 Type II and ISO 27001 control frameworks. Detailed control mappings and current attestation status are available under NDA on request.

    How does Certainly handle data-subject requests?

    +

    We provide built-in workflows for access, rectification, and erasure requests. Requests are honoured within the statutory 30-day window.

    Does Certainly support SSO and audit logging?

    +

    Yes. SAML SSO, role-based access control, and full audit logs are available on enterprise plans.

    Need a signed DPA, security questionnaire, or RFP response?

    Our team turns around standard security questionnaires in five business days. Custom RFPs supported on enterprise plans.

    SOC 2 aligned 路 ISO 27001 aligned 路 EU data residency 路 99.9% uptime SLA