Security

Personal data (your account, check inputs and results, billing metadata) is stored in the United Kingdom, in Amazon Web Services’ London region (eu-west-2). Requests are served from Cloudflare’s global edge network for speed and resilience; the edge handles routing and static assets and does not hold your personal data at rest.

All traffic to and from certaby.com is encrypted in transit with TLS (HTTPS is enforced, with HSTS). Data at rest in our AWS storage is encrypted using AWS-managed encryption. We do not store payment card numbers at all: card details go directly to Stripe, a PCI-DSS Level 1 provider.

Access to production data follows the principle of least privilege. The application uses narrowly-scoped credentials: the public certificate verifier, for example, can only read the minimal projection it needs and can never reach party personal data. Sign-in is handled by Clerk; we do not store your password.

We collect only what we need to run and evidence a check, and we pass official-register data through rather than enriching or profiling it. Check inputs and outputs are retained for 7 years to match the UK AML record-keeping period, then pruned. The full detail is in our privacy policy.

We keep the list of sub-processors short and current in our privacy policy: Stripe (billing), Cloudflare (hosting and email routing), AWS in eu-west-2 (compute and storage), Clerk (authentication), and Resend (transactional email). Each has a UK GDPR-compliant data-processing agreement with us.

Every certificate we issue is bound to a SHA-256 hash and published at a public verification page for 7 years. Anyone you share a certificate with can confirm it is the evidence we issued without seeing the underlying personal data.

We are a small UK team and we will not overstate our posture. We are not currently certified to ISO 27001 or Cyber Essentials; if your procurement requires either, tell us and we will share our current roadmap. We do not run a bug-bounty programme yet, but we respond to good-faith security reports quickly.

If you believe you have found a vulnerability, please email hello@certaby.com with “Security” in the subject. Give us a reasonable chance to investigate and fix the issue before disclosing it publicly; we will acknowledge your report and keep you updated. We are grateful for responsible disclosure.