Privacy Policy

Last updated: June 2026

1. Who we are

Certvik is a compliance automation platform operated by Certvik AS (the "Company", "we", "us"). If you have questions about this policy, contact us at contact@certvik.com.

2. What data we collect

When you sign in with Microsoft 365, we collect:

  • Your name and email address (from your Microsoft account)
  • Your Microsoft Entra tenant ID (to identify your organisation)
  • Your organisation name (from Microsoft Graph)
  • Security configuration metadata from your Microsoft 365 environment — such as MFA status, Conditional Access policies, device compliance records and audit logs

We do not access your email content, Teams messages, SharePoint files or any personal data belonging to your employees.

3. How we use your data

  • To provide and improve the Certvik service
  • To generate compliance assessments, reports and evidence packs
  • To send service emails (trial expiry reminders, billing notifications, product updates)
  • To comply with legal obligations

We do not sell your data or share it with third parties for marketing purposes.

4. Data storage and security

Your data is stored in the European Union. We use industry-standard encryption in transit (TLS) and at rest. Access to production data is restricted to authorised personnel only.

5. Data retention

We retain your data for as long as your account is active. If you cancel your subscription, your data is retained for 90 days before deletion. You may request earlier deletion by contacting contact@certvik.com.

6. Your rights

Under GDPR and applicable data protection law, you have the right to access, correct, export or delete your personal data. To exercise any of these rights, contact contact@certvik.com.

7. Cookies

Certvik uses session cookies required for authentication. We do not use advertising or tracking cookies. We use basic analytics to understand how the platform is used (page views, feature usage) — this data is aggregated and not linked to individuals.

8. Third-party processors

We use the following sub-processors:

  • Supabase — database and authentication (EU hosting)
  • Stripe — payment processing
  • Resend — transactional email
  • Microsoft Azure — Microsoft 365 integration

9. Changes to this policy

We may update this policy from time to time. We will notify you by email of any material changes. Continued use of Certvik after changes take effect constitutes acceptance of the updated policy.