This Security Policy describes the technical and organizational security measures implemented by CPD Registry ("CPD Registry", "we", "us" or "our") to protect your personal data, training logs, and uploaded certificates (collectively, "Customer Data") and ensure the ongoing confidentiality, integrity, and availability of our Services.
This policy applies when you interact with our website, use our platform, or access our cloud services at cpdregistry.app.
1. Infrastructure, Audits, and Certifications
CPD Registry is built on top of world-class, enterprise-grade cloud infrastructure. While we manage application-level security, our underlying physical hosting and database environments are managed by industry-leading providers:
- Database & Application Layer (Convex / AWS): Hosted in Amazon Web Services (AWS) Frankfurt (eu-central-1) data centers.
- Object Storage: Certificate files are hosted in Cloudflare R2 Western Europe (WEUR) data centers.
- Infrastructure Audits: Our physical infrastructure providers undergo independent, third-party security audits on at least an annual basis. They maintain active SOC 2 Type II reports and ISO/IEC 27001 certifications, covering comprehensive physical, environmental, and administrative security controls.
2. 100% European Data Residency
- EU Hosting Only: All active database records, transaction logs, and uploaded certificates are stored and processed strictly within data centers located in the European Union (EU).
- Sub-processors: Any third-party vendors utilized by CPD Registry are strictly limited to processing data within the EU/EEA, ensuring full compliance with GDPR data localization standards.
3. Data Encryption & Storage Security
We protect your Customer Data from interception, alteration, and unauthorized extraction:
- Data in Transit: All connections over untrusted networks use Transport Layer Security (TLS) 1.2 or higher (HTTPS) with strong cipher suites.
- Data at Rest: All database entries, user profiles, and logs are encrypted at rest using AES 256-bit encryption.
- Secure Certificate Storage (Cloudflare R2): Uploaded completion certificates are stored in private, non-publicly accessible Cloudflare R2 storage buckets. Files are never exposed via public or static URLs. To view a certificate or export an audit report, our platform generates a temporary, cryptographically signed URL with a strict one-hour expiration window. Once expired, the link is completely invalid.
- File Upload Validation: Our backend validates the MIME type (file signature) of every uploaded certificate file, ensuring that malicious executable scripts or unauthorized formats are blocked from entering our storage.
4. System, Network, and Application Security
- Passwordless Authentication (OTP): We do not store raw or hashed user passwords, eliminating the risk of database credential leaks. Users authenticate strictly via cryptographically secure, time-limited, six-digit One-Time Passwords (OTPs) sent directly to their verified email addresses.
- Multi-Tenant Data Isolation: CPD Registry enforces strict logical multi-tenancy. Every database query is cryptographically verified against your authenticated session ID, ensuring no user can ever access another account's records.
- Principle of Least Privilege: CPD Registry personnel have no default access to production databases. Access is restricted strictly to senior engineering staff and only when required to resolve specific, documented subscriber support requests.
5. Zero AI Training Covenant
We formally guarantee that your training logs, course metadata, notes, and uploaded completion certificates are never used to train, fine-tune, or test artificial intelligence (AI), machine learning, or large language models (LLMs). Your data is processed strictly to calculate your compliance status and generate your annual reports.
6. Incident Detection, Response, and Breach Notification
Monitoring & Logging: System activities and security events are monitored continuously. Critical application logs are centrally stored, indexed, and retained for at least twelve (12) months.
Incident Response: In the event of a confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a "Security Incident"), CPD Registry shall:
- Notify you without undue delay, and in any case, within 72 hours after becoming aware of the incident.
- Promptly take all reasonable, necessary steps to contain, investigate, and mitigate the incident.
- Provide you with timely updates regarding the nature of the incident, the categories of data impacted, and the mitigation measures taken.
7. Customer Responsibility (Shared Security Model)
Information security is a shared responsibility. While we secure the platform infrastructure, you are responsible for:
- Credential Security: Managing and protecting access to your registered email inbox. Your OTP credentials must be kept strictly confidential and never shared with unauthorized parties.
- Client Data Protection: CPD Registry is strictly designed for logging professional education credits. You must never upload client files, litigation case documents, or legally privileged attorney-client communications to our platform.
- System Patching: Keeping your local devices and web browsers up to date with the latest security patches to ensure safe encryption in transit.
8. Contact
If you have any questions, vulnerability disclosures, or security-related inquiries, please contact us at: security@cpdregistry.app