Data Processing Addendum

Effective date: June 17, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between the customer (“Customer,” “Controller”) and Bookitt Technologies LLC, operator of CertReel (“CertReel,” “Processor”). It governs CertReel’s processing of personal data on Customer’s behalf. Where this DPA conflicts with the Terms regarding personal-data processing, this DPA controls.

1. Definitions

“Applicable Data Protection Law” means privacy and data-protection laws applicable to the processing, including the EU/UK GDPR and U.S. state privacy laws, as relevant. “Controller,” “Processor,” “Personal Data,” “Processing,” “Data Subject,” and “Subprocessor” have the meanings given under Applicable Data Protection Law. “Customer Personal Data” means Personal Data within Customer Content that CertReel processes on Customer’s behalf.

2. Roles & scope

For Customer Personal Data (such as the names and email addresses of Customer’s staff or learners, quiz results, and completion records), Customer is the Controller and CertReel is the Processor. CertReel will process Customer Personal Data only to provide the Service and as set out in Annex I.

3. Processor obligations

• Instructions. CertReel processes Customer Personal Data only on Customer’s documented instructions, including those in the Terms and this DPA, unless required by law (in which case CertReel will inform Customer unless legally prohibited).
• Confidentiality. CertReel ensures personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
• Security. CertReel implements appropriate technical and organizational measures as described in Annex II.
• Data-subject requests. Taking into account the nature of the processing, CertReel will reasonably assist Customer to respond to requests from Data Subjects to exercise their rights. If CertReel receives such a request directly, it will refer the Data Subject to Customer.
• Assistance. CertReel will reasonably assist Customer with security, breach notification, and data-protection impact assessments, taking into account the information available to CertReel.
• Personal-data breach. CertReel will notify Customer without undue delay after becoming aware of a breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its obligations.
• Deletion or return. On termination, CertReel will, at Customer’s choice, delete or return Customer Personal Data, except (a) certificate and completion records retained for the period described in the Privacy Policy (while the account is active and for at least 12 months after the subscription ends, and while CertReel operates) so verification links remain valid, and (b) data CertReel must retain by law. If CertReel discontinues the Service, it will give Customer at least 30 days’ notice and a means to export Customer Personal Data before deletion. Routine retention/deletion is described in the Privacy Policy.
• Records & audits. CertReel will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, which may be satisfied by CertReel’s policies and third-party reports where available.

4. Subprocessors

Customer provides general authorization for CertReel to engage Subprocessors to process Customer Personal Data. CertReel’s current Subprocessors are listed at certreel.com/subprocessors. CertReel imposes data-protection obligations on its Subprocessors no less protective than those in this DPA and remains responsible for their performance. CertReel will provide a mechanism to be notified of new Subprocessors that process Customer Personal Data and a reasonable opportunity to object on reasonable data-protection grounds.

5. International transfers

CertReel and its Subprocessors may process Customer Personal Data in the United States and other countries. Where Applicable Data Protection Law requires a transfer mechanism (such as the EU Standard Contractual Clauses or the UK International Data Transfer Addendum), the parties agree such mechanism is incorporated by reference and applies to transfers of Customer Personal Data originating from those regions.

6. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms.

7. Term

This DPA takes effect when Customer accepts the Terms and remains in effect for as long as CertReel processes Customer Personal Data.

Annex I — Details of processing

• Subject matter: Provision of the CertReel training, enrollment, and certification Service.
• Duration: The term of the Customer’s subscription, plus retention periods described in the Privacy Policy.
• Nature & purpose: Hosting, generating, storing, transmitting, and displaying training content; enrolling learners by email; grading quizzes; issuing and verifying certificates; sending related emails.
• Types of Personal Data: Learner names and email addresses; quiz responses and scores; completion and certificate records; any personal data the Customer chooses to include in uploaded documents or prompts.
• Categories of Data Subjects: Customer’s staff, employees, contractors, or other learners that Customer enrolls; Customer’s account users.
• Special categories: Not intended. Customer should not submit sensitive/special-category data unless separately agreed.

Annex II — Security measures

• Encryption of data in transit (HTTPS/TLS).
• Access controls and authentication (passwordless magic-link sign-in; per-account scoping of trainings and dashboards).
• Signed, expiring links for video delivery and a server-enforced watch gate for certificate integrity.
• Rate limiting and abuse protections on key endpoints.
• Use of reputable infrastructure and storage providers; logical separation of customer data.
• Retention and deletion controls as described in the Privacy Policy.

Annex III — Subprocessors

The current list is maintained at certreel.com/subprocessors.

How to execute this DPA

This DPA is incorporated into the Terms and applies automatically when you use CertReel to process personal data. If your organization requires a countersigned copy, contact founder@bookittechnologies.com.