
Privacy Policy

How Trusteddit Collects, Uses, and Protects Your Data

Version

1.0

Effective Date

March 20, 2026

Last Updated

March 20, 2026

Jurisdiction

EU / Texas, USA

Disclaimer: This privacy policy is provided for informational purposes. Sanmarcsoft LLC recommends that all users consult with qualified legal counsel regarding their specific data protection obligations. This document does not constitute legal advice.

1. Introduction and Data Controller

This Privacy Policy explains how Trusteddit, a service operated by Sanmarcsoft LLC (“we,” “us,” or “our”), collects, uses, stores, and protects personal data when you use our C2PA content credential signing services, PKI certificate services, Trust Receipt badge generation, and related offerings (collectively, the “Services”).

Data Controller: Sanmarcsoft LLC, a Texas limited liability company, is the data controller for personal data processed through the Services.

Registered Address
Sanmarcsoft LLC, Texas, United States
Contact (Privacy)
[email protected]
Data Protection Officer
[email protected]

This policy applies to all users of the Services, including certificate subscribers, relying parties, website visitors, and individuals whose data may be included in signed content metadata.

2. Personal Data We Collect

We collect and process the following categories of personal data in connection with the Services:

2.1 Certificate Subscriber Data

When you apply for a C2PA content signing certificate, we collect:

  • Identity information: Full legal name (individual or organization), business registration details, government-issued identification documents (for identity verification purposes only)
  • Contact information: Email address, mailing address, phone number
  • Technical certificate data: Public key (submitted via CSR), X.509 certificate subject Distinguished Name, certificate serial number, validity dates
  • Account credentials: Authentication credentials for accessing the certificate management portal (managed via Cloudflare Access Zero Trust)

2.2 Content Signing Data

When you use the Services to sign content with C2PA credentials:

  • Media files: Files submitted for C2PA signing are processed in memory to embed content credentials. Media files are not permanently stored on our servers after processing is complete.
  • Signing event metadata: Timestamp of signing operation, certificate serial number used, hash of the signed content, C2PA manifest identifiers
  • RFC 3161 timestamps: Trusted timestamps issued by our Time-Stamp Authority (TSA) for each signing operation

2.3 Trust Receipt Badge Data

When generating Trust Receipt badges:

  • Content hash and badge identifier
  • Subscriber identity as it appears in the signing certificate
  • Timestamp of badge generation

2.4 Website and Service Usage Data

  • Server logs: IP address, user agent, request timestamps, pages visited (retained for security and operational purposes)
  • Cloudflare analytics: Aggregated, privacy-preserving web analytics collected by Cloudflare (our CDN and DNS provider)

We do not use third-party advertising trackers or behavioral analytics platforms, and we do not sell personal data to any third party.

3. Lawful Basis for Processing (GDPR Article 6)

We process personal data under the following lawful bases as defined by the General Data Protection Regulation (GDPR):

Processing Activity | Lawful Basis | GDPR Article
Certificate issuance and management | Performance of a contract | Art. 6(1)(b)
Identity verification for certificate applications | Performance of a contract; Legal obligation (eIDAS, PKI standards) | Art. 6(1)(b), 6(1)(c)
C2PA content signing operations | Performance of a contract | Art. 6(1)(b)
TSA timestamp issuance | Performance of a contract | Art. 6(1)(b)
Certificate revocation and CRL/OCSP publication | Legal obligation; Legitimate interest (PKI ecosystem integrity) | Art. 6(1)(c), 6(1)(f)
Audit logging of CA operations | Legal obligation (PKI audit requirements) | Art. 6(1)(c)
Server logs and security monitoring | Legitimate interest (security, fraud prevention) | Art. 6(1)(f)
Newsletter or marketing communications | Consent | Art. 6(1)(a)

4. How We Use Your Data

We use personal data exclusively for the following purposes:

  • Certificate lifecycle management: Processing certificate applications, issuing X.509 certificates, managing renewals, and processing revocation requests
  • C2PA content signing: Embedding content credentials into media files submitted for signing, generating C2PA manifests, and issuing RFC 3161 timestamps
  • Trust Receipt badge generation: Creating verification badges linked to signed content
  • PKI integrity: Publishing certificate revocation lists (CRLs), operating OCSP responders, and maintaining the trust chain
  • Security and compliance: Maintaining audit logs as required by PKI standards (WebTrust, RFC 3647), detecting and preventing unauthorized access, and responding to security incidents
  • Service communications: Sending certificate expiration notices, revocation notifications, service announcements, and responding to support inquiries

5. Data Storage and Infrastructure

Trusteddit is committed to data sovereignty and operates its core infrastructure within the European Union.

5.1 Primary Infrastructure

Compute and Storage
Scaleway (Iliad Group), Paris, France (fr-par region). Scaleway is an EU-headquartered cloud provider subject to EU data protection law. All PKI operations, certificate storage, signing event logs, and database records are hosted within this EU-sovereign infrastructure.
Container Registry
Scaleway Container Registry (rg.fr-par.scw.cloud), Paris, France. All production application images are stored in the EU.
Database
SQLite databases for signing event logs and certificate metadata, hosted on Scaleway EU infrastructure. No personal data is stored in US-based databases for production services.

5.2 Supporting Services

DNS and CDN
Cloudflare, Inc. (US-headquartered). Cloudflare provides DNS resolution, CDN caching, DDoS protection, and Cloudflare Access (Zero Trust authentication). Cloudflare processes IP addresses and request metadata in transit. See Section 7 for international transfer safeguards.
Authentication
Cloudflare Access (Zero Trust). Authentication tokens and session data are managed by Cloudflare.

5.3 Media File Processing

Media files submitted for C2PA signing are processed in server memory and are not permanently stored. Files are held only for the duration of the signing operation (typically seconds) and are purged from memory upon completion. Signed output files are returned directly to the submitting user. We do not retain copies of your media files.

6. Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law and PKI standards.

Data Category | Retention Period | Justification
Certificate application records | 7 years after certificate expiration or revocation | PKI audit requirements (WebTrust, RFC 3647)
Identity verification documents | 7 years after certificate expiration or revocation | PKI audit and legal compliance
Issued certificates (public) | Indefinite (public record) | Certificates are public by design; required for trust chain verification
Signing event logs | 7 years | PKI audit trail; non-repudiation requirements
RFC 3161 timestamps | Indefinite | Timestamps are required for long-term signature verification
CRLs and OCSP records | 7 years after last CRL issuance | PKI compliance; certificate status verification
Media files submitted for signing | Not retained (processed in memory only) | Data minimization
Server access logs | 90 days | Security monitoring and incident response
Marketing consent records | Duration of consent + 3 years | Proof of consent compliance

When retention periods expire, personal data is securely deleted or anonymized. Deletion of PKI records follows secure destruction procedures to ensure no recoverable copies remain.

7. International Data Transfers

Trusteddit's core PKI infrastructure is hosted within the European Union (Scaleway, Paris, France). However, certain supporting services involve the transfer of limited personal data outside the EU/EEA.

7.1 Transfers to the United States

Sanmarcsoft LLC is a Texas-based company. Administrative access to EU infrastructure is conducted from the United States. The following safeguards are in place:

  • Cloudflare: Cloudflare participates in the EU-US Data Privacy Framework (DPF). Data processed by Cloudflare in transit (IP addresses, request metadata) is subject to Cloudflare's DPF certification and Standard Contractual Clauses (SCCs).
  • Administrative access: Remote administration of EU infrastructure from the US is conducted over encrypted channels (SSH/TLS). No bulk transfer of personal data occurs; access is limited to operational management.

7.2 Safeguards

Where personal data is transferred outside the EU/EEA, we rely on one or more of the following transfer mechanisms as required by GDPR Chapter V:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary technical measures (encryption in transit and at rest)

8. Sub-processors

We use a limited number of third-party sub-processors to operate the Services. Each sub-processor is contractually bound to process personal data only as instructed and to maintain appropriate security measures.

Sub-processor | Purpose | Location | Transfer Mechanism
Scaleway (Iliad Group) | Cloud infrastructure, compute, storage, container registry | Paris, France (EU) | N/A (EU-based)
Cloudflare, Inc. | DNS, CDN, DDoS protection, Zero Trust authentication | Global (HQ: USA) | EU-US DPF; SCCs

We will update this list if additional sub-processors are engaged. Material changes to sub-processors will be communicated to affected users with at least 30 days' notice.

9. Your Rights (GDPR Data Subject Rights)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR with respect to your personal data:

  • Right of Access (Art. 15): You may request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to Rectification (Art. 16): You may request correction of inaccurate personal data. Note that certificate subject information cannot be modified after issuance; a new certificate must be issued.
  • Right to Erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations. Certain PKI records (audit logs, certificate records, CRLs) must be retained for the periods specified in Section 6 and cannot be erased upon request.
  • Right to Restriction of Processing (Art. 18): You may request that we restrict processing of your data in certain circumstances (e.g., while we verify accuracy of contested data).
  • Right to Data Portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format. This applies to data processed on the basis of consent or contract.
  • Right to Object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent (e.g., marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority. As our infrastructure is located in France, the relevant authority is the Commission Nationale de l'Informatique et des Libertés (CNIL). You may also contact the supervisory authority in your country of residence.

9.1 How to Exercise Your Rights

To exercise any of your data subject rights, contact us at:

Email
[email protected]
Response Time
We will respond to your request within 30 days. If additional time is required (up to 60 additional days for complex requests), we will notify you of the extension and the reasons within the initial 30-day period.
Verification
We may need to verify your identity before processing your request to protect your data from unauthorized disclosure.

9.2 Limitations on Erasure for PKI Data

Due to the nature of public key infrastructure, certain data cannot be erased upon request:

  • Issued certificates are public records that must remain available for trust chain verification. Revocation is available but the certificate record itself must persist.
  • CRL and OCSP entries must remain available to ensure relying parties can verify certificate status.
  • Audit logs must be retained for 7 years per PKI compliance standards.
  • RFC 3161 timestamps must be retained indefinitely to support long-term signature verification.

These limitations exist because PKI infrastructure serves a public trust function. The lawful basis for retaining this data is legal obligation (GDPR Art. 6(1)(c)) and legitimate interest in maintaining PKI ecosystem integrity (GDPR Art. 6(1)(f)).

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in transit: All data transmitted to and from our Services is encrypted using TLS 1.2 or higher
  • Encryption at rest: Database files and certificate stores are encrypted at the filesystem level
  • Access control: Access to PKI infrastructure is restricted to authorized personnel using Cloudflare Zero Trust and SSH key authentication
  • Network security: Firewall rules, network segmentation, and intrusion detection protect CA systems
  • Audit logging: All access to CA systems and certificate operations is logged and monitored
  • Containerized infrastructure: Services run in isolated containers with minimal attack surfaces

11. Cookies and Tracking

The Trusteddit website uses only strictly necessary cookies required for the operation of the site and Cloudflare Access authentication. We do not use:

  • Advertising or behavioral tracking cookies
  • Third-party analytics cookies
  • Social media tracking pixels

Cloudflare may set functional cookies for security purposes (e.g., bot detection, DDoS protection). These are strictly necessary and do not require consent under GDPR.

12. Children’s Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that personal data has been collected from a child under 16 without parental consent, we will take steps to delete that data promptly. If you believe a child has provided personal data to us, please contact us at [email protected].

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the “Last Updated” date at the top of this page
  • For material changes affecting existing subscribers, we will provide at least 30 days' notice via the email address associated with your certificate
  • The updated policy will be published at trusteddit.com/legal/privacy-policy

Your continued use of the Services after the updated policy takes effect constitutes acceptance of the changes.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about how your personal data is handled, please contact us:

Privacy Inquiries
[email protected]
Data Protection Officer
[email protected]
General Inquiries
[email protected]
Supervisory Authority
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
www.cnil.fr

Trusteddit Privacy Policy v1.0 -- March 2026

A service of Sanmarcsoft LLC | [email protected]
