Privacy Policy for Certaria
Effective Date: 3 April 2026
Last Updated: 3 April 2026
Version: 1.0
Policy URL: certaria.co.uk/privacy
About This Policy
This Privacy Policy explains how Orion Data Analytics Ltd (“Orion”, “we”, “us”, “our”) handles personal data processed through Certaria, our ISO 27001 Information Security Management System (ISMS) built on Microsoft Power Platform.
Certaria is designed for use by organisations implementing and maintaining ISO 27001 certification. When your organisation uses Certaria, you are the data controller and Orion is the data processor.
If you have questions about how your data is handled, contact us at privacy@oriondata.co.uk.
1. Identity of the Controller and Processor
Data Controller (your organisation):
- Your organisation is the data controller and determines how and why personal data is processed through Certaria.
Data Processor (Orion Data Analytics Ltd):
- Orion Data Analytics Ltd
- Registered in England and Wales
- Website: oriondata.co.uk
- Privacy contact: privacy@oriondata.co.uk
- Data Protection Officer: Orion has not appointed a Data Protection Officer. As a micro-enterprise whose core activity is not large-scale processing of personal data, Orion is not required to appoint a DPO under UK GDPR Article 37. For all privacy enquiries, contact privacy@oriondata.co.uk.
2. What is Certaria?
Certaria is a B2B SaaS product installed as a managed solution into your organisation’s Microsoft 365 tenant. It supports ISO 27001 ISMS implementation and maintenance by:
- Recording ISO 27001 control ownership and compliance status
- Managing security incident and anomaly reporting
- Tracking employee policy acknowledgements
- Providing a conversational bot interface via Microsoft Teams for ISMS-related queries
- Reading Microsoft security signals (via Graph API) to surface security posture data
Important: Certaria provides tools to support ISO 27001 ISMS implementation and maintenance. Certification decisions are made by independent accredited certification bodies. Orion Data Analytics does not guarantee certification outcomes.
3. Where Does Your Data Live?
All customer data is stored exclusively in your organisation’s own Microsoft Dataverse environment within your Microsoft 365 tenant. Orion does not operate any shared database, shared infrastructure, or central data store.
Key principles:
- Each customer deployment is completely isolated — no data crosses tenant boundaries
- Orion cannot access your data without explicit documented consent
- Your data never leaves your tenant unless you export it
- The geographic location of your data is determined by your Microsoft 365 subscription region
4. What Personal Data Does Certaria Process?
Certaria processes the following categories of personal data about your employees:
Data Your Organisation Creates in Certaria
- Compliance task completion records — who completed compliance activities and when
- Security incident reports — who reported incidents, descriptions, classifications, and resolutions
- Control ownership assignments — which employee owns each ISO 27001 control
- Policy acknowledgement records — who acknowledged which policies, when, and which version
- User identity information — name, email address, job role within the ISMS
- Agent conversation context — interactions with the Certaria bot in Microsoft Teams
Data Certaria Reads (But Does Not Store) via Microsoft Graph API
Certaria reads security signals from your Microsoft 365 environment using 7 permission scopes approved by your Global Admin. These include:
- Microsoft Secure Score and security recommendations
- Intune managed device inventory (device compliance, encryption status, device names)
- Microsoft Purview sensitivity labels and classification policies
- Microsoft 365 audit log summaries (specific evidence references, not raw log dumps)
- Conditional Access policies
- Entra ID directory data (user and group names, roles)
How this works: Your organisation’s Global Admin grants these permissions. The API connection uses an app registration created in your own Entra ID tenant. Orion holds no credentials for your tenant, and Certaria’s Graph API access depends on that app registration remaining active; if your organisation disables the app registration, the access ends.
5. Why Do We Process This Data?
Lawful Basis
Under UK GDPR, Orion processes personal data on the following lawful bases:
Legitimate Interests (Article 6(1)(f))
- Maintaining ISO 27001 certification is a legitimate organisational interest
- Supporting your ISMS implementation supports your security and compliance objectives
- Orion has a legitimate interest in maintaining product functionality and security
Legal Obligation (Article 6(1)(c))
- Where ISO 27001 certification is a contractual requirement for your organisation (e.g., demanded by your enterprise clients)
Your organisation (the data controller) determines which lawful basis applies to your employees’ data and communicates this to your team as appropriate.
Processing Purposes
- ISMS Implementation and Maintenance — supporting your organisation’s ISO 27001 compliance programme
- Incident Management — recording and categorising security incidents
- Control and Risk Tracking — recording who owns and maintains each control
- Compliance Evidence — generating records and audit trails for certification assessment
- Product Improvement — aggregated, anonymised usage insights to improve Certaria (never customer-specific data)
- Security and Troubleshooting — supporting product security and resolving technical issues on a per-incident basis with consent
- Compliance with Legal Obligations — responding to lawful data subject rights requests and regulatory enquiries
6. Who Has Access to Your Data?
Orion’s Access
Orion’s access to your Certaria data is strictly limited:
- Managed solution deployment and updates — Orion can deploy new versions of Certaria as a managed solution
- Per-incident troubleshooting — Orion support can view your data only with explicit documented consent to resolve a specific technical issue
- No proactive monitoring — Orion does not routinely view your data
- No sharing — Orion does not share your data with third parties
Your Data Subjects’ Access
Your employees can request access to their own records via your ISMS Administrator, who can export all personal data as structured Excel files.
Microsoft’s Access
Microsoft is a sub-processor. When you use Microsoft 365, Microsoft hosts your data in Dataverse and Power Platform infrastructure. Microsoft’s processing is covered by Microsoft’s standard Data Protection Addendum (DPA), which is incorporated into your Microsoft Customer Agreement.
7. Data Retention
ISMS Records
- Records are retained for the duration of your ISO 27001 certificate plus 3 years thereafter
- This aligns with UK contract law limitation periods (limitation of action under the Limitation Act 1980)
- Your ISMS Administrator can export all records at any time (Feature Request FR54)
Agent Conversation Context
- Conversations with the Certaria bot are retained for 90 days
- After 90 days, conversation context is automatically deleted
- The deletion process is automated and does not require manual intervention
Upon Contract Termination
- All your data remains in your own Dataverse environment
- You retain full ownership and control
- Orion’s managed solution can be uninstalled from your tenant
- Orion holds no copy of your data and has nothing to delete
- You can export all records before uninstalling if you wish
8. Data Transfers Outside the UK/EEA
Orion does not transfer your personal data outside the UK or EEA. Your data is stored exclusively in your Microsoft 365 tenant. The geographic region of your data is determined by your Microsoft 365 subscription (typically UK or EEA), not by Orion.
Microsoft’s sub-processing is covered by their Data Protection Addendum, which includes Standard Contractual Clauses where necessary.
9. Your Rights Under UK GDPR
You have rights over your personal data. Your organisation’s ISMS Administrator is the point of contact to exercise these rights on behalf of your employees.
Right of Access (Data Subject Access Request)
- Your ISMS Administrator can request a structured export of all your personal data held in Certaria
- Orion will provide a response within 30 days
Right to Rectification
- You can request correction of inaccurate data
- Your ISMS Administrator can update records directly in Certaria
Right to Erasure
- You can request deletion of your data, subject to ISO 27001 retention requirements
- Data required as evidence for certification or audit cannot be deleted until the retention period expires
- Your ISMS Administrator can delete individual records once they fall outside retention periods
Right to Restriction of Processing
- You can request that your data is not actively processed (though it may be retained)
- Orion will comply and restrict access to your data
Right to Data Portability
- You can request your data in a structured, machine-readable format (Excel export)
- Your ISMS Administrator can export all your records
Right to Object
- You can object to processing of your data for specific purposes
- Orion will cease processing except where we have a legal basis to continue
Rights Related to Automated Decision-Making
- Certaria does not use automated decision-making or profiling to make decisions about you
- Certaria uses classical topic orchestration to route conversations, not machine learning
10. Exercising Your Rights
To exercise any of these rights:
- If you work for the customer organisation: Contact your ISMS Administrator or data controller
- If you are a data subject with questions about Orion’s processing: Contact privacy@oriondata.co.uk
- If you are an ISMS Administrator requesting data on behalf of data subjects: Contact privacy@oriondata.co.uk with a structured request listing names and the rights to be exercised
Orion will respond within 30 calendar days of receiving a clear, verifiable request.
11. Right to Lodge a Complaint
If you believe your personal data has been processed unlawfully or your rights have been breached, you can lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
You also have the right to pursue a legal remedy against Orion or your organisation if processing has caused you damage (UK GDPR Article 82).
12. Security and Protection of Your Data
Encryption
- All data in transit to and from Certaria is encrypted using TLS 1.2 or higher
- All data at rest in Dataverse is encrypted by Microsoft using AES-256
Access Controls
- Certaria uses role-based access control (RBAC):
  - ISMS Administrator — full access to all records, can export and manage data
  - ISMS User — can create and manage assigned records
  - ISMS Viewer — read-only access for reference
- Your organisation controls role assignments and can revoke access at any time
Tenant Isolation
- Each customer’s Certaria deployment is completely isolated in their own tenant
- No data crosses tenant boundaries
- No shared infrastructure
Support Access
- Orion support staff can only view your data with explicit documented consent for a specific technical issue
- Each support engagement requires fresh consent
- Consent is recorded and retained for audit purposes
13. Children’s Data
Certaria is intended for use by adult employees in organisations implementing ISO 27001. We do not knowingly process personal data of children under 13. If we become aware that we have processed a child’s data, we will delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in law, practice, or Certaria’s functionality. We will notify you of material changes by:
- Posting the updated policy at certaria.co.uk/privacy
- Updating the “Last Updated” date at the top of this policy
- Where required by law, obtaining fresh consent
Your continued use of Certaria after changes constitutes acceptance of the updated policy. Your organisation’s data controller should review changes regularly.
15. Data Protection Impact Assessment (DPIA)
Processing via Certaria may require a DPIA under UK GDPR Article 35 if your organisation is processing sensitive personal data (e.g., special category data or data about vulnerable individuals). Your organisation is responsible for conducting a DPIA and sharing findings with Orion if processing presents a high risk.
Contact privacy@oriondata.co.uk if you need to discuss DPIA findings or if you have concerns about high-risk processing.
16. Data Processing Agreement
When you subscribe to Certaria, your organisation enters into a Data Processing Agreement (DPA) with Orion that specifies:
- Processor obligations under UK GDPR Articles 28 to 32
- Sub-processor arrangements (Microsoft)
- Data subject rights support
- Audit and inspection rights
- Liability and indemnification
The DPA is incorporated into your Certaria Terms of Service. Request a copy from privacy@oriondata.co.uk if needed.
17. References to Data (Use and Access) Act 2025
Under the Data (Use and Access) Act 2025, Orion may be required to provide anonymised data about processed datasets to the Department for Science, Innovation and Technology under certain circumstances. However:
- Certaria data is processed exclusively by your organisation (the controller)
- Certaria is a processor, not an independent controller
- Any DUAA request would go to your organisation as the controller
- Orion will comply with any DUAA requests directed to it, subject to UK GDPR protections
18. Contact Us
Privacy enquiries:
- Email: privacy@oriondata.co.uk
General enquiries about Certaria:
- Website: oriondata.co.uk
- Email: hello@oriondata.co.uk
Complaints or concerns:
- Contact Orion at privacy@oriondata.co.uk
- Lodge a complaint with the ICO at ico.org.uk
Orion Data Analytics Ltd is registered in England and Wales.
Last updated: 3 April 2026
Version: 1.0