GDPR Compliance

How CredSure protects personal data and supports your obligations under the EU General Data Protection Regulation.

Lawful basis: We only process personal data with explicit consent or to fulfil a contractual obligation.

Data minimisation: We collect only the personal data strictly necessary to issue and verify a credential.

EU-based data residency: Available as an option; all credential data can be stored exclusively within the European Economic Area.

Right to access: Data subjects can request a complete export of their data at any time.

Right to erasure: Recipients can request deletion of their personal data; we honour requests within 30 days.

Right to portability: Credentials can be exported in JSON, PDF, and Open Badges 3.0 formats.

Sub-processor transparency: A current list of all sub-processors is published and updated quarterly.

Data Processing Agreement (DPA): Available for all paid plans on request.

Breach notification: Customers are informed within 72 hours of any confirmed personal data breach.

Regular audits: Annual penetration testing and ISO 27001 audits validate our security posture.