Data Processing Agreement

How we handle and protect your data in compliance with data protection regulations.

Last updated: January 9, 2025

Key Points

  • This DPA governs how Signitri processes personal data as your Data Processor
  • We use 256-bit SSL in transit and AES-256 at rest; breach notification within 72 hours
  • We assist you in fulfilling all GDPR data subject rights requests
  • Sub-processors must provide equivalent data protection guarantees
  • All personal data is deleted within 30 days of service termination

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and Signitri ("Processor," "we," "us," or "our"). This DPA governs the processing of personal data by Signitri on behalf of the Customer in connection with our digital signature and identity verification services.

2. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data, including collection, storage, use, and deletion
  • "Data Subject" means the identified or identifiable natural person to whom personal data relates
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "Sub-processor" means any third party engaged by Signitri to process personal data

3. Data Processing Details

3.1 Subject Matter and Duration

Signitri processes personal data to provide digital signature and identity verification services as described in our Terms of Service. Processing continues for the duration of the service agreement and applicable retention periods.

3.2 Nature and Purpose of Processing

We process personal data for the following purposes:

  • Providing digital signature services
  • Identity verification and authentication
  • Document management and storage
  • Audit trail creation and maintenance
  • Customer support and service delivery
  • Legal compliance and regulatory requirements

3.3 Categories of Personal Data

We may process the following categories of personal data:

  • Identity Data: Name, email address, phone number
  • Verification Data: Government ID information, biometric data
  • Document Data: Signatures, document content, metadata
  • Technical Data: IP addresses, device information, usage logs
  • Communication Data: Support interactions, notifications

3.4 Categories of Data Subjects

Data subjects may include:

  • Customer employees and representatives
  • Document signatories and recipients
  • Third parties involved in signature processes
  • Customer contacts and stakeholders

4. Customer Obligations

As Data Controller, Customer warrants and undertakes that:

  • It has the legal right to transfer personal data to Signitri for processing
  • It has obtained all necessary consents and provided required notices to data subjects
  • The processing instructions are lawful and comply with applicable data protection laws
  • It will promptly notify Signitri of any changes to processing instructions
  • It will assist Signitri in responding to data subject requests when required

5. Signitri Obligations

As Data Processor, Signitri undertakes to:

  • Process personal data only in accordance with documented instructions from Customer
  • Ensure confidentiality of personal data and limit access to authorized personnel
  • Implement appropriate technical and organizational security measures
  • Assist Customer in responding to data subject requests
  • Notify Customer of personal data breaches without undue delay
  • Delete or return personal data upon termination of services

6. Security Measures

6.1 Technical Safeguards

We implement the following technical security measures:

  • 256-bit SSL/TLS encryption for data transmission
  • AES-256 encryption for data at rest
  • Multi-factor authentication for system access
  • Regular security monitoring and intrusion detection
  • Secure backup and disaster recovery procedures

6.2 Organizational Safeguards

We maintain the following organizational security measures:

  • Employee background checks and confidentiality agreements
  • Regular security training and awareness programs
  • Access controls and principle of least privilege
  • Incident response and breach notification procedures
  • Regular security audits and compliance assessments

7. Sub-processing

7.1 Authorized Sub-processors

Customer provides general authorization for Signitri to engage sub-processors, subject to the conditions in this DPA.

7.2 Sub-processor Requirements

We ensure that sub-processors:

  • Provide sufficient guarantees regarding data protection
  • Are bound by data protection obligations equivalent to this DPA
  • Implement appropriate technical and organizational measures
  • Allow for audits and inspections as required

7.3 Changes to Sub-processors

We will inform Customer of any intended changes to sub-processors, giving Customer the opportunity to object to such changes.

8. Data Subject Rights

We will assist Customer in fulfilling data subject rights requests, including:

  • Access: Providing access to personal data
  • Rectification: Correcting inaccurate personal data
  • Erasure: Deleting personal data when required
  • Restriction: Limiting processing when requested
  • Portability: Providing data in a portable format
  • Objection: Stopping processing when objected to

9. Data Breach Notification

9.1 Notification Timeline

We will notify Customer of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

9.2 Breach Information

Breach notifications will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

10. Data Transfers

10.1 International Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA).

10.2 Transfer Safeguards

For transfers to countries without an adequacy decision, we implement appropriate safeguards such as:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules where applicable
  • Certification schemes and codes of conduct

11. Audits and Compliance

11.1 Audit Rights

Customer has the right to conduct audits of our data processing activities, subject to reasonable notice and confidentiality obligations.

11.2 Compliance Certifications

We maintain relevant compliance certifications, including:

  • ISO 27001 certification (where applicable)
  • Regular penetration testing and security assessments

12. Data Retention and Deletion

12.1 Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes outlined in this DPA and comply with legal obligations.

12.2 Data Deletion

Upon termination of services or Customer request, we will:

  • Delete all personal data within 30 days
  • Provide confirmation of deletion upon request
  • Retain data only where required by law

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Each party will indemnify the other against claims arising from its breach of this DPA.

14. Term and Termination

This DPA remains in effect for the duration of the Terms of Service and will automatically terminate upon termination of the service agreement.

15. Governing Law

This DPA is governed by the same law as specified in the Terms of Service, except where data protection laws require otherwise.

16. Contact Information

For questions about this DPA or data protection matters, please contact:

  • Email: dpo@signitri.com
  • Subject: Data Processing Agreement

Data Protection Questions?

Our Data Protection Officer is available to address your data processing concerns.