1. Parties and scope
This DPA is entered into between the Customer ("Controller") and [LEGAL: registered entity] ("Processor") and forms part of the Terms of Service or master agreement between them. It governs the Processor's processing of personal data on the Controller's behalf in the course of providing SignMeHere.
Where the Processor processes personal data as a controller in its own right (for example, account, billing and operational data), the Privacy Policy applies, not this DPA.
2. Definitions
Capitalised terms not defined here have the meaning given in the GDPR, the UK GDPR, or the Australian Privacy Act 1988 as applicable to the Controller's establishment.
3. Subject matter, duration, nature and purpose
- Subject matter: processing of personal data as needed to deliver the SignMeHere service.
- Duration: for the term of the master agreement plus any post-termination retention period.
- Nature and purpose: hosting, encryption, transmission, sealing and audit logging of envelopes and signer data.
- Categories of data subjects: Controller's personnel, Controller's end-users, signers and recipients of envelopes.
- Categories of personal data: name, email, organisation, signing actions, IP and user-agent metadata, document content as supplied by Controller, identity-verification evidence where enabled.
4. Processor's obligations
The Processor will:
- Process personal data only on documented instructions from the Controller (the master agreement and the Controller's product configuration constitute documented instructions).
- Ensure that personnel authorised to access personal data are bound by confidentiality.
- Implement the technical and organisational measures described in Annex II.
- Assist the Controller in responding to data-subject requests, where the Controller cannot reasonably do so itself through the product.
- Assist the Controller with DPIAs and prior consultations to the extent the Processor holds the relevant information.
- Notify the Controller without undue delay (and in any event within 72 hours of confirmation) of a personal data breach.
- At the Controller's choice, delete or return personal data at the end of services, subject to legal hold and retention requirements.
- Make available information necessary to demonstrate compliance, and allow audits as described in section 8.
5. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed in Annex III. The Processor will notify the Controller of any intended changes (additions or replacements) at least 30 days in advance via the sub-processor change notifications channel. The Controller may object on reasonable grounds before the change takes effect; if the parties cannot agree, either party may terminate the affected service.
The Processor remains responsible for sub-processor performance and will impose materially equivalent data protection obligations on each sub-processor.
6. International transfers
Where personal data is transferred outside the EEA, UK or other jurisdiction with restrictions, the parties rely on the EU Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor as relevant), the UK International Data Transfer Addendum, and any equivalent mechanism required by the originating jurisdiction. Annex I incorporates the relevant transfer details.
7. Security and breach
The Processor implements the technical and organisational measures listed in Annex II, including encryption at rest and in transit, MFA for administrative access, scoped API keys, hash-chained audit logs, IP allowlisting, rate limiting, and a documented incident response runbook.
On confirming a personal data breach affecting Controller data, the Processor will provide: a description of the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
8. Audits and reviews
The Controller may, on reasonable notice and at its own expense, audit the Processor's compliance with this DPA up to once per year, or more frequently following a material breach or at the request of a supervisory authority. The Processor will provide the most recent SOC 2 Type II report (when available), ISO 27001 statement of applicability, and penetration test summary letter under NDA in lieu of on-site audits where they reasonably address the Controller's queries.
9. Liability
The liability provisions of the Terms of Service apply to claims under this DPA.
10. Termination and return of data
On expiry or termination of the master agreement, the Processor will, at the Controller's choice and subject to mandatory retention obligations, delete or return all personal data and existing copies, within a reasonable period not exceeding 90 days.
Annex I: Description of processing and transfer
Categories of data subjects: Controller's personnel, Controller's end-users, signers, recipients.
Categories of personal data: identifying information (name, email, organisation), envelope content as supplied by Controller, signing actions, IP and user-agent metadata, identity-verification evidence where enabled.
Sensitive data: only where the Controller chooses to upload such data; the Processor does not require it.
Frequency of transfer: continuous, for the duration of services.
Nature of processing: hosting, encryption, transmission, rendering, sealing, audit logging.
Purpose of transfer: delivery of the SignMeHere service per the master agreement.
Retention period: per the Controller's configured retention policy and applicable legal hold.
Annex II: Technical and organisational measures
- Encryption in transit (TLS 1.2+ at the load balancer, HSTS recommended for production).
- Encryption at rest (AES-256-GCM via envelope encryption; optional customer-managed keys via AWS / GCP / Azure KMS).
- Field-level encryption for MFA secrets, OIDC client secrets and identity evidence.
- Argon2id password hashing.
- MFA enforcement, scoped API keys with optional IP allowlisting, lockout thresholds and rate limiting.
- Hash-chained audit logs, recomputable on demand from the compliance centre.
- Pluggable storage with selectable region per tenant; cross-region replication is opt-in.
- Backups with point-in-time recovery for at least 35 days; quarterly DR drills with documented RTO and RPO.
- SOC 2 Type II, ISO 27001 and ISO 27701 alignment, with formal certification on the roadmap. Status updates published on the Trust centre as engagements progress.
- Incident response runbook with 24x7 on-call, notification within 72 hours of confirmation, and post-mortem within 14 days.
Annex III: Authorised sub-processors
The current sub-processor list is published on the Trust centre and updated there as changes occur. Subscribed Controllers receive change notifications at the email address on file.
Contact
DPA enquiries: dpo@signmehere.com.
