GDPR Compliance

Sanmarcsoft LLC (“Sanmarcsoft,” “we,” “us,” or “our”) is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) in its operation of the Trusteddit platform.

Trusteddit provides C2PA content credential signing, PKI certificate services, Trust Receipt badge generation, and timestamp authority (TSA) services. This document describes how we implement GDPR requirements across our operations, infrastructure, and relationships with sub-processors.

This GDPR Compliance statement should be read in conjunction with our Privacy Policy and Terms of Service, which contain additional detail on data processing activities, lawful bases, retention periods, and user rights.

Data Controller

Sanmarcsoft LLC, Texas, United States

Data Protection Contact

[email protected]

Lead Supervisory Authority

Commission Nationale de l'Informatique et des Libertés (CNIL), France (as our core infrastructure is located in France)

All personal data processing through the Trusteddit platform adheres to the seven principles set out in GDPR Article 5. Below we describe how each principle is implemented in practice.

We rely on the following lawful bases under GDPR Article 6 for our data processing activities:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to perform our contractual obligations when issuing certificates, signing content with C2PA credentials, generating Trust Receipt badges, and issuing RFC 3161 timestamps.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with PKI standards and regulations, including certificate audit logging, identity verification for certificate issuance, CRL/OCSP publication, and record retention as mandated by WebTrust and RFC 3647.
• Legitimate Interest (Art. 6(1)(f)): Processing for security monitoring, fraud prevention, and maintaining the integrity of the PKI trust chain. We conduct balancing tests to ensure our legitimate interests do not override data subject rights.
• Consent (Art. 6(1)(a)): Where applicable, such as for marketing communications. Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time without affecting the lawfulness of prior processing.

A detailed mapping of processing activities to lawful bases is available in our Privacy Policy, Section 3.

We engage a limited number of sub-processors to deliver the Services. Each sub-processor is contractually bound to process personal data only as instructed, to implement appropriate technical and organizational security measures, and to comply with GDPR requirements.

4.1 Sub-processor Change Notification

We will provide at least 30 days' advance notice before engaging a new sub-processor or making material changes to existing sub-processor arrangements. Notification will be sent to the email address associated with your account. If you object to a new sub-processor, you may terminate your use of the Services.

4.2 Sub-processor Due Diligence

Before engaging any sub-processor, we assess their data protection practices, security measures, and GDPR compliance posture. We select sub-processors that can provide sufficient guarantees to implement appropriate technical and organizational measures, as required by GDPR Article 28(1).

4.3 Infrastructure Design Choice

Trusteddit intentionally selected Scaleway, an EU-headquartered cloud provider, as its primary infrastructure provider to ensure that all core personal data processing occurs within the European Union. This “EU-first” infrastructure design minimizes the need for international data transfers and provides data sovereignty by default.

Our core PKI infrastructure and all persistent personal data storage are located within the EU (Scaleway, Paris, France). However, limited data processing occurs outside the EU through Cloudflare's global network and administrative access from the United States.

5.1 Transfer Mechanisms

Where personal data is transferred outside the EU/EEA, we rely on the following GDPR-compliant transfer mechanisms:

• EU-US Data Privacy Framework (DPF): Cloudflare is certified under the EU-US Data Privacy Framework, providing an adequacy-based transfer mechanism as recognized by the European Commission.
• Standard Contractual Clauses (SCCs): We maintain SCCs approved by the European Commission as a supplementary transfer mechanism with sub-processors that process data outside the EU.
• Supplementary Technical Measures: All data transfers are protected by encryption in transit (TLS 1.2 or higher). Administrative access from the US to EU infrastructure uses encrypted SSH tunnels. No bulk transfers of personal data occur.

5.2 Transfer Impact Assessment

In accordance with the guidance of the European Data Protection Board (EDPB), we have assessed the legal framework of destination countries and implemented supplementary measures where necessary to ensure that transferred data receives an essentially equivalent level of protection as under EU law.

Under the GDPR, individuals located in the European Economic Area, the United Kingdom, or Switzerland have the following rights with respect to their personal data. We are committed to facilitating the exercise of these rights promptly and transparently.

6.1 Limitations on Erasure for PKI Data

Due to the nature of public key infrastructure, certain data is exempt from erasure requests under GDPR Article 17(3)(b) (legal obligation) and Article 17(3)(e) (legal claims):

• Issued certificates: Public records required for trust chain verification. Revocation is available but the certificate record must persist.
• CRL and OCSP entries: Must remain available for relying parties to verify certificate status.
• Audit logs: Retained for 7 years per PKI compliance standards (WebTrust, RFC 3647).
• RFC 3161 timestamps: Retained indefinitely to support long-term signature verification and non-repudiation.

6.2 How to Exercise Your Rights

Contact

Email [email protected] with the subject line “GDPR Data Subject Request”

Response Time

We will acknowledge your request within 72 hours and provide a substantive response within 30 days. For complex requests, the response period may be extended by up to 60 additional days, with notification and justification provided within the initial 30-day period.

Identity Verification

To protect your data from unauthorized disclosure, we may verify your identity before processing your request. We will not request more information than necessary for verification.

Cost

Data subject requests are processed free of charge. For manifestly unfounded or excessive requests (particularly where repetitive), we may charge a reasonable fee or refuse to act, as permitted by GDPR Article 12(5).

In accordance with GDPR Article 35, we conduct Data Protection Impact Assessments (DPIAs) before undertaking processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. This includes:

• Processing of identity verification documents for certificate issuance
• Systematic monitoring through audit logging of PKI operations
• New processing activities involving personal data, or material changes to existing processing

DPIAs evaluate the necessity and proportionality of the processing, assess risks to data subjects, and identify measures to mitigate those risks. Where a DPIA indicates that processing would result in high risk that cannot be mitigated, we consult with the relevant supervisory authority (CNIL) before proceeding.

We maintain documented procedures for detecting, reporting, and investigating personal data breaches in accordance with GDPR Articles 33 and 34.

8.1 Notification to Supervisory Authority (Art. 33)

In the event of a personal data breach, we will notify the relevant supervisory authority (CNIL) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include:

• The nature of the breach, including the categories and approximate number of data subjects and records affected
• The name and contact details of our data protection contact
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach and mitigate its effects

If notification cannot be achieved within 72 hours, we will provide the reasons for the delay alongside the notification.

8.2 Notification to Data Subjects (Art. 34)

Where a personal data breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will communicate the breach to the affected data subjects without undue delay. The communication will:

• Describe the nature of the breach in clear and plain language
• Provide the name and contact details of our data protection contact
• Describe the likely consequences of the breach
• Describe the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects

8.3 PKI-Specific Breach Response

For breaches affecting the PKI trust chain (e.g., compromise of CA private keys), we will additionally:

• Immediately revoke affected certificates and update CRLs
• Notify all affected certificate subscribers directly
• Publish security advisories as appropriate
• Coordinate with relevant C2PA ecosystem participants

8.4 Breach Record Keeping

We maintain a register of all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, regardless of whether the breach was required to be reported to the supervisory authority. This register is available for inspection by the supervisory authority upon request.

We implement data protection by design and by default throughout the development and operation of the Trusteddit platform:

9.1 By Design

• EU-sovereign infrastructure: Core data processing infrastructure is deliberately located within the EU (Scaleway, Paris) to provide data sovereignty by default
• In-memory processing: Media files are processed in server memory and never written to persistent storage, minimizing data exposure
• Minimal sub-processors: We engage only two sub-processors (Scaleway and Cloudflare), reducing the data processing chain
• Encryption by default: All data is encrypted in transit (TLS 1.2+) and at rest, with no option to disable encryption
• Zero-trust authentication: Access to the platform is managed through Cloudflare Access, implementing zero-trust principles

9.2 By Default

• No advertising trackers, behavioral analytics, or third-party tracking pixels are deployed
• Only strictly necessary cookies are used (Cloudflare security cookies)
• Data collection is limited to what is strictly necessary for each processing purpose
• Personal data is not shared with third parties beyond the sub-processors listed in Section 4
• Server access logs are automatically purged after 90 days

We maintain Records of Processing Activities (ROPA) as required by GDPR Article 30. Our ROPA documents the following for each processing activity:

• The purposes of the processing
• Categories of data subjects and personal data
• Categories of recipients of the personal data
• Transfers to third countries and the transfer safeguards applied
• Envisaged retention periods for each category of data
• A general description of technical and organizational security measures

Our ROPA is available for inspection by the supervisory authority upon request.

For organizations that require a Data Processing Agreement (DPA) to comply with their own GDPR obligations when using Trusteddit services, we offer a DPA that covers:

• Subject matter, duration, nature, and purpose of the processing
• Types of personal data and categories of data subjects
• Obligations and rights of the data controller
• Instructions for processing, including restrictions on sub-processing
• Security measures and audit rights
• Breach notification obligations
• Data return and deletion upon termination
• Standard Contractual Clauses (where applicable for international transfers)

11.1 Requesting a DPA

To request a DPA or discuss data processing arrangements, contact us at [email protected] with the subject line “DPA Request.” We will provide a DPA within 10 business days of your request.

We implement the following technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32:

12.1 Technical Measures

• Encryption in transit: TLS 1.2 or higher for all client-server communications
• Encryption at rest: Filesystem-level encryption for databases and certificate stores
• Network security: Firewall rules, network segmentation, and DDoS protection via Cloudflare
• Containerization: All services run in isolated containers with minimal attack surfaces and read-only filesystems where possible
• Access control: Zero-trust authentication via Cloudflare Access, SSH key-based server access, role-based access control
• Audit logging: Comprehensive logging of all access to CA systems and certificate operations
• Vulnerability management: Regular security updates, dependency scanning, and reproducible builds via Nix

12.2 Organizational Measures

• Data protection policies and procedures documentation
• Principle of least privilege for all system access
• Incident response procedures with defined escalation paths
• Regular review of security measures and access controls
• Sub-processor due diligence and contractual safeguards

As our core infrastructure is located in France, our lead supervisory authority is:

Lead Supervisory Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
www.cnil.fr

You have the right to lodge a complaint with the CNIL or with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement (GDPR Article 77).

Before lodging a complaint with a supervisory authority, we encourage you to contact us at [email protected] so that we can attempt to resolve your concern directly.

We will update this GDPR Compliance statement as necessary to reflect changes in our data processing practices, sub-processor arrangements, regulatory requirements, or supervisory authority guidance.

• We will update the “Last Updated” date at the top of this page
• Material changes will be communicated to affected users with at least 30 days' notice
• The current version will always be available at trusteddit.com/legal/gdpr

For questions about this GDPR Compliance statement, to exercise your data subject rights, or to request a Data Processing Agreement, please contact us:

Data Protection Contact

[email protected]

General Inquiries

[email protected]

Data Subject Rights Requests

Email [email protected] with subject “GDPR Data Subject Request”

DPA Requests

Email [email protected] with subject “DPA Request”