Data Processing Agreement

Effective Date: February 5, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Certivo, Inc. ("Certivo," "we," "us," or "our") and the Customer ("you" or "Customer"). This DPA governs the processing of personal data by Certivo on behalf of the Customer in connection with the provision of Certivo's electronic signature and document management services (the "Services").

2. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Certivo on behalf of Customer in connection with the Services.
• "Data Controller" means the Customer, who determines the purposes and means of processing Personal Data.
• "Data Processor" means Certivo, who processes Personal Data on behalf of the Customer.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Processing" means any operation or set of operations performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or deletion.
• "Subprocessor" means any third party engaged by Certivo to process Personal Data on behalf of the Customer.
• "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries adopted by the European Commission.

3. Scope and Purpose of Processing

Subject Matter

Processing of personal data in connection with Certivo's electronic signature and document management services.

Duration

For the term of the Service Agreement between Certivo and Customer.

Nature of Processing

Electronic signature capture, document management, audit trail maintenance, and user authentication.

Purpose

To enable Customer to obtain compliant electronic signatures for regulated industries, including clinical research and healthcare.

Types of Personal Data

• Names and email addresses
• Electronic signature data
• IP addresses and timestamps
• Device information
• Document metadata
• Authentication credentials (hashed)

Categories of Data Subjects

• Customer employees and authorized users
• Document signers
• Clinical research personnel
• Healthcare professionals

4. Certivo's Obligations as Processor

Certivo agrees to:

• Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law.
• Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
• Implement appropriate technical and organizational security measures to protect Personal Data, as described in Section 8 of this DPA.
• Not engage another processor (Subprocessor) without prior written authorization from the Customer in accordance with Section 6 of this DPA.
• Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law.
• Assist the Customer in ensuring compliance with the obligations relating to security of processing, breach notifications, and data protection impact assessments, taking into account the nature of processing and the information available to Certivo.
• At the Customer's election, delete or return all Personal Data to the Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
• Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 11.

5. Customer's Obligations as Controller

Customer agrees to:

• Ensure that it has a lawful basis for processing Personal Data and that such processing complies with applicable data protection laws.
• Provide documented instructions to Certivo regarding the processing of Personal Data.
• Ensure that Data Subjects are appropriately informed about the processing of their Personal Data, including Certivo's role as a processor.
• Respond to Data Subject requests in accordance with applicable data protection laws.

6. Subprocessors

Customer grants Certivo general authorization to engage Subprocessors to process Personal Data on Customer's behalf. Certivo maintains a current list of Subprocessors at certivo.io/subprocessors.

Certivo will provide Customer with at least 30 days' advance notice before adding or replacing any Subprocessor. Customer may object to the engagement of a new Subprocessor within 30 days of such notice on reasonable grounds relating to data protection. If Customer objects and the parties cannot resolve the objection within a reasonable timeframe, Customer may terminate the affected Services.

Certivo ensures that all Subprocessors are bound by written agreements that require them to provide at least the same level of data protection as required by this DPA.

7. International Data Transfers

Personal Data processed under this DPA is stored and processed in the United States. Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to countries that do not provide an adequate level of data protection, such transfers will be governed by Standard Contractual Clauses or other appropriate transfer mechanisms as required by applicable data protection law.

Certivo will cooperate with Customer to implement appropriate transfer mechanisms and provide such information and assistance as Customer may reasonably require to ensure compliant international data transfers.

8. Security Measures

Certivo has implemented and will maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• AES-256 encryption for data at rest
• TLS 1.2 or higher encryption for data in transit
• Role-based access control and principle of least privilege
• Two-factor authentication for signature events
• SHA-256 hash-chain audit trails for document integrity
• Regular penetration testing and security audits
• Comprehensive incident response procedures
• Mandatory security training for all employees
• Regular security assessments and updates
• Secure software development lifecycle practices

Certivo will regularly review and update these security measures to maintain appropriate protection for Personal Data.

9. Data Breach Notification

In the event of a personal data breach affecting Customer's Personal Data, Certivo will notify Customer without unreasonable delay and in no event later than 72 hours after becoming aware of the breach.

The notification will include, to the extent available:

• The nature of the personal data breach
• The categories and approximate number of Data Subjects affected
• The categories and approximate number of Personal Data records affected
• The likely consequences of the breach
• The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects
• Contact information for further inquiries

Certivo will cooperate with Customer in investigating the breach and will provide reasonable assistance in Customer's breach response efforts, including any required notifications to supervisory authorities or Data Subjects.

10. Data Subject Rights

Certivo will assist Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.

Customer may export Personal Data via the Service interface at any time. If Certivo receives a request directly from a Data Subject, Certivo will redirect the Data Subject to Customer and will not respond to the request without Customer's prior written authorization.

Customer is responsible for responding to Data Subject requests in accordance with applicable data protection law. Certivo will provide reasonable assistance to Customer in fulfilling such requests, and Customer will reimburse Certivo for any costs associated with providing such assistance beyond Certivo's standard obligations under this DPA.

11. Audit Rights

Customer may audit Certivo's compliance with this DPA once per year, upon providing at least 30 days' written notice to Certivo. Audits will be conducted during normal business hours and will be designed to minimize disruption to Certivo's operations.

Upon reasonable request, Certivo will provide Customer with copies of relevant SOC 2 Type II reports or completed security questionnaires to demonstrate compliance with this DPA. Such reports and questionnaires are confidential and subject to the confidentiality provisions of the Service Agreement.

Customer is responsible for all costs associated with any audit, including any fees charged by Certivo for time and materials required to support the audit. Certivo reserves the right to charge reasonable fees for audit support beyond providing standard compliance documentation.

12. Term and Termination

This DPA is effective as of the date Customer first accesses or uses the Services and will remain in effect for the duration of the Service Agreement between Certivo and Customer.

Upon termination or expiration of the Service Agreement, Certivo will, at Customer's election, delete or return all Personal Data to Customer within 60 days, except to the extent that Certivo is required by applicable law to retain certain Personal Data. Customer must notify Certivo of its election within 30 days of termination; otherwise, Certivo will delete all Personal Data.

Certivo will certify in writing to Customer that it has complied with its obligations under this section, subject to any legal retention requirements.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Terms of Service between Certivo and Customer.

Nothing in this DPA limits or excludes either party's liability for matters that cannot be limited or excluded under applicable law.

14. Contact Information

For questions or concerns regarding this Data Processing Agreement, please contact us at:

Email: privacy@certivo.io

Mailing Address:
Certivo, Inc.
1519 E Chapman Ave. #278
Fullerton, CA 92831