Skip to Main Content
Main Menu
Assurance & Certifications

APEC CBPR and PRP Privacy Certifications

The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) will soon become the Global CBPR Forum. Certification provides a robust international method for data transfer recognized with participating economies including USA, Canada, Japan, Korea, Singapore, Mexico, Philippines, Taipei, and Australia.

Vendor management
Part of CBPR verification overlaps with vendor management requirements across jurisdictions. CBPR implementation can help streamline the vendor onboarding process based on CBPR principles.

Cross border data transfer risk
CBPR verification includes understanding processing purposes of business records for data transfer risk and third party risk management.

Dispute resolution
Our Accountability Agent oversight helps provide best practices on privacy complaints.

Benefits of certification

A trusted trade partner that meets international standards for data protection

Certification demonstrates a commitment to data protection (reduce trade friction) and ensures protection across your entire supply chain (vendors). Demonstrating due diligence and reducing risk within your organization and your trade partners.


Organizational agility and business advantage

This certification meets the minimum requirements necessary to transfer data in participating economies, meaning you can save time and operational costs to enter any of the participating markets.


Streamline privacy and legal compliance efforts

CBPR certification requirements overlap with other key privacy regulations like GDPR and US State privacy laws.

Demonstrate data governance and risk mitigation

Show investors, board members, trade partners, vendors, regulators, suppliers, and customers with a certification that demonstrates good governance and risk mitigation around data privacy.


Long term value creation and sustainability for your business

Easily adapt to industry, regulatory, and market shifts with this internationally recognized standard.


See the CBPR Standard

See the PRP Standard

Assurance process

  • Conduct privacy review

    Together, we work with you to conduct a privacy analysis to understand your data policies and practices.

  • Demonstrate compliance

    Purpose-built software guides you through the requirements to ensure you’re complying with the framework principles.

  • Customized action plan

    TrustArc team provides an Action Plan for how to meet CBPR and PRP principles. Action Plan includes a gap analysis, written guidance on compliance posture, and remediation recommendations to achieve compliance.

  • Remediation & verification

    Collect, compile, or generate documents or processes to demonstrate compliance.

  • Approved privacy notice & seal issuance

    A TRUSTe-reviewed Privacy Notice, a Letter of Attestation, and seals for public posting.

  • Ongoing oversight

    All assessment work and supporting documentation for an audit trail is available along with ongoing compliance monitoring. As your Accountability Agent, TRUSTe provides continued oversight including privacy protocol recommendations, guidance on implementation, and third party assurance for privacy complaints.

  • Dispute resolution

    Certification and participation in the CBPR system includes dispute resolution.


Internationally recognized

The CBPR system is one of the few privacy frameworks and certification processes recognized internationally. The intergovernmental forum that oversees CBPR is one of the largest to date meant to help promote free trade internationally and has enforcement requirements across its participating jurisdictions, making it a powerful means of demonstrating dedication to protecting customers’ data.

Robust certification & accountability

CBPR compliance standards include security safeguards, data protection access, and ethics. Additionally, it is the only framework with independent accountability oversight elements – meaning it requires a third party Accountability Agent (AA) to certify/verify and requires AA oversight as part of maintaining certification.

Leading accountability agent

We are proud to have been the first Accountability Agent (AA) in the U.S., and in the world. TRUSTe remains one of the few AA’s who have performed over hundreds of CBPR certifications, working in coordination with the Federal Trade Commission (FTC) and other governments.

Frequently asked questions

  • What is an “Accountability Agent”?

    In the realm of data protection, an Accountability Agent, such as TRUSTe, plays a vital role within the APEC CBPR & PRP systems. Acting as a trustworthy certifier, TRUSTe ensures that companies align with the stringent program requirements of PRP and/or CBPR. This third-party certification not only bolsters credibility but also guarantees an unbiased evaluation, fostering consistency among participants globally.

  • Is APEC CBPR & PRP enforceable?

    Yes. Once your organization gets certified under the CBPR or PRP program by a trusted Accountability Agent like TRUSTe, it becomes legally binding. The Privacy Enforcement Authority (PEA) in the respective economy where you’re certified can enforce it. For countries to join, they need to align with APEC’s principles, have local privacy regulations, a participating enforcement agent, and an Accountability Agent. CBPR enforcement is ensured by APEC-based PEAs in the Cross-Border Privacy Enforcement Arrangement (CPEA), expanding globally with the upcoming Global CBPR.

  • How does APEC CBPR & PRP interact with domestic privacy laws?

    CBPR and PRP work alongside, not in place of, domestic privacy laws. Certified organizations, in addition to meeting CBPR and PRP Program Requirements, must adhere to their country’s privacy laws. CBPR and PRP compliance is reinforced under the domestic laws of participating economies.

  • Could there be interoperability between the CBPR and EU mechanisms like Binding Corporate Rules (BCR) and DPF?

    Organizations participating in either the EU-US DPF or the APEC CBPR and PRP systems can leverage the work they’ve already done to demonstrate compliance in one system with another. While there isn’t a one-to-one match of requirements many of the principles within each framework overlap. At TrustArc, our technology maps the requirements to save you time and effort across both schemes. Participating in both can cover a wide area of data transfer obligations in Europe, the APAC region, and internationally.

The easy button to robust global data transfers

Get certified
Back to Top