Data Security & Privacy

Version: 1.0
Owner: Sarder Inc. (DBA AI CERTs®)

1. Organization & Legal Entity

AI CERTs® is operated by Sarder Inc., a United States–registered company, doing business as AI CERTs®.

Unless contractually agreed otherwise, Sarder Inc. acts as the Data Controller for personal data collected through the AI CERTs® certification ecosystem and acts as a Data Processor where data is processed on behalf of partners or enterprise customers under an applicable agreement.


2. Platform Architecture & Hosting

AI CERTs® operates a cloud-hosted certification, candidate, and partner management platform.

  • Hosting provider: Microsoft Azure
  • Primary data residency: United States–based Azure datacenters
  • Infrastructure model: Cloud-hosted, multi-tenant SaaS
  • On-premises hosting: Not used
  • Unmanaged third-party hosting: Not used

AI CERTs® relies on Azure’s security, availability, and compliance controls at the infrastructure and platform layers, together with application-level and organizational controls implemented by AI CERTs®.


3. Multi-Tenant Partner Model

AI CERTs® operates a multi-tenant partner and candidate environment.

  • Partners are not provided with dedicated or isolated platform instances unless explicitly agreed in writing
  • Logical segregation controls ensure partners can access only their own data
  • Centralized governance ensures consistent security and compliance controls across the platform

4. Candidate Registration & Data Collected

AI CERTs® follows data minimization and purpose limitation principles.

4.1 Data Typically Collected

  • First name and last name
  • Email address
  • Enrollment and certification metadata
  • Certification progress and examination results
  • Support-related information when a user requests assistance

4.2 Data Not Collected by Default

AI CERTs® does not require or store the following as part of standard certification operations:

  • Government-issued identification numbers
  • Payment card or banking information
  • Biometric data
  • Special category or sensitive personal data (as defined under applicable privacy laws)

5. Data Access & Role-Based Controls

Access to data is restricted using Role-Based Access Control (RBAC) and the principle of least privilege.

5.1 Partner Access

  • Partners may access only their own candidates and related records
  • Cross-partner data visibility is not permitted

5.2 Internal Access

Internal access is limited to authorized personnel on a need-to-know basis, including:

  • Certification operations and candidate support
  • Platform administration
  • Compliance, audit, and accreditation support
  • Technical support (when required)

Access activities are logged and monitored.


6. Data Security Controls

AI CERTs® maintains administrative, technical, and organizational controls designed to protect data against unauthorized access, disclosure, alteration, or loss.

6.1 Core Security Measures

  • Encryption of data in transit
  • Encryption of data at rest (where supported by platform design)
  • Secure authentication and authorization mechanisms
  • Role-based access enforcement
  • Logging, monitoring, and alerting
  • Secure configuration, patching, and vulnerability management practices

6.2 Cloud Security

AI CERTs® leverages security capabilities provided by Microsoft Azure, including continuous monitoring and security posture management.


7. Data Usage & Purpose Limitation

Personal data is used exclusively for legitimate operational purposes, including:

  • Account creation and authentication
  • Certification delivery and examination administration
  • Candidate and partner support
  • Quality assurance, compliance, audit, and accreditation requirements

Personal data is not sold and is not shared with third parties for marketing purposes unless required by law or explicitly consented to by the individual.


8. Data Retention & Deletion

Data is retained only for as long as necessary to:

  • Deliver certification services
  • Meet contractual, legal, regulatory, and accreditation obligations

Upon verified request and subject to applicable legal requirements, data is securely deleted or anonymized in accordance with internal data retention policies.


9. Incident Response & Breach Management

AI CERTs® maintains documented procedures for managing information security incidents, including:

  • Incident identification and investigation
  • Containment and remediation
  • Root-cause analysis and corrective actions
  • Notification to affected parties where required by law or contract

10. Backup, Availability & Disaster Recovery

AI CERTs® maintains backup and availability practices appropriate to a cloud-hosted platform, including:

  • Regular backups at the infrastructure and platform level
  • High-availability design
  • Disaster recovery and business continuity measures

High-level recovery objectives (RPO/RTO) are defined and managed operationally.


11. Sub-Processors

AI CERTs® uses sub-processors only where necessary to deliver platform services.

  • Primary infrastructure sub-processor:
    Microsoft Azure – Cloud hosting and infrastructure services (United States)
  • Conditional / program-specific sub-processors:
    Third-party providers may be used for specific program components (such as hands-on lab environments) where applicable. In such cases, data sharing is limited to what is necessary for service delivery and governed by contractual controls.

A list of key sub-processors may be provided upon request or disclosed through applicable agreements.


12. Privacy & Regulatory Alignment

AI CERTs® applies privacy principles aligned with applicable data protection laws, including:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Integrity and confidentiality
  • Accountability

13. Assurance & Compliance Positioning

AI CERTs® maintains security practices aligned with generally accepted industry standards. Where infrastructure providers maintain certifications or attestations (such as ISO or SOC reports), those certifications apply to the provider’s environment and do not constitute certification of AI CERTs® unless explicitly stated.


14. Contact

For data protection or security inquiries:
Email: privacy@ai-certs.org


15. Disclaimer

This document is provided for informational purposes only and does not create binding obligations. Binding commitments relating to data protection, confidentiality, and security are governed solely by the applicable executed agreements, including any Data Processing Agreement (DPA), between the parties.