This notice describes how Certisyn, Inc. collects, processes, retains, and secures data submitted to, or generated by, the Certisyn Verification Infrastructure.
Certisyn processes (a) identity and authentication data for authorised users; (b) verification input data submitted by tenants (claims, evidence artefacts, policy artifacts); (c) derived outputs (certificates, lineage ledger entries, forensics reports, Bastion scans); (d) telemetry required to operate the platform.
Tenant data is isolated by row-level security bound to the JWT-derived tenant identifier. Grants are the only mechanism by which data may cross a tenant boundary, and every grant is recorded in the append-only lineage ledger.
Ledger entries are append-only and retained for the life of the platform. Verification artefacts are retained per tenant’s configured policy. On account closure, tenants may request export of the full audit package and deletion of non-ledger artefacts.
Data is processed in the United States. Certain sub-processors (Stripe, Supabase, Vercel) may process limited operational data; a current list is available on request.
Authenticated users may access their data through the LP Network surface, download their Access Certificate, and request a signed audit package. Subject-rights requests: privacy@certisyn.com.
Any suspected compromise: security@certisyn.com. All incidents are logged to the append-only ledger.