Data Protection & GDPR

Data Processing Overview

This document provides a high-level, non-contractual overview of how Certif-Scope processes data. It is intended for transparency, institutional review and compliance assessment, and complements the Privacy Policy.

1. Purpose and Scope

This Data Processing Overview describes the practical data handling logic of Certif-Scope. It does not replace the Privacy Policy and does not constitute a Data Processing Agreement (DPA). Its sole purpose is to explain how data flows through the service at a high level.

2. High-Level Data Flow

Certif-Scope operates a stateless and deterministic processing model. Data flows are intentionally limited to what is strictly necessary to generate and verify a CO₂e Attestation.

Typical processing sequence:
User input → In-memory computation → PDF generation → User download
Verification elements are embedded directly in the generated document and do not rely on database lookups.

3. Categories of Data Processed

  • Contact data (email address)
  • Optional organization identification data
  • Declared annual spending (€) used for CO₂e calculation
  • Technical metadata (hash, timestamp, dataset version)
  • Minimal technical logs for security and abuse prevention

No behavioral profiling, user tracking, enrichment or secondary use of data is performed.

4. Processing Characteristics

  • Deterministic and reproducible calculations
  • Stateless processing with no persistent input storage
  • User-initiated actions only
  • Single-purpose processing (attestation issuance and verification)
  • Time-limited in-memory handling

5. Storage and Retention

Financial input data used for CO₂e calculation is processed in memory only and is never stored in persistent databases.

Generated PDF attestations are delivered directly to the user and are not retained by Certif-Scope. Email communications may be stored for up to twelve (12) months for support and operational purposes.

6. Processors and Infrastructure

Certif-Scope relies on a limited number of technical processors:

  • Hosting and deployment infrastructure (e.g. Vercel)
  • Email delivery services
  • Payment processing providers (where applicable)

All processors operate under GDPR-aligned contractual safeguards.

7. Roles and Responsibilities

Certif-Scope acts as data controller for the processing operations required to deliver the service. Users remain responsible for the accuracy, relevance and lawfulness of the information they submit. No joint controllership is implied.

8. Non-Contractual Nature

This document is provided for informational purposes only. It does not constitute a Data Processing Agreement (DPA) and does not modify any contractual or legal obligations defined elsewhere.

9. Updates and Contact

This overview may be updated to reflect technical, operational or regulatory changes. For questions related to data processing, contact:
contact@certif-scope.com