Data Processing Agreement

Last updated: January 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zignt ("Processor," "we," "us") and the Customer ("Controller," "you") who uses our Service to process personal data. This DPA applies to the processing of personal data on behalf of the Controller pursuant to GDPR, UK GDPR, CCPA, and other applicable data protection laws.

1. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Controller" means the Customer who determines the purposes and means of processing personal data through the Service.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
  • "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Processor" means Zignt, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Zignt to process Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission for international data transfers.

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA applies to the processing of Personal Data by Zignt in connection with the provision of the electronic signature Service as described in the Terms of Service.

2.2 Nature and Purpose of Processing

Zignt processes Personal Data for the following purposes:

  • Enabling the creation and management of contract templates
  • Facilitating the collection of electronic signatures from signers
  • Storing and delivering signed documents
  • Sending signing invitations, notifications, and reminders
  • Generating audit trails for signed documents
  • Providing customer support
  • Operating and improving the Service

2.3 Types of Personal Data

The following categories of Personal Data may be processed:

  • Identity Data: Names, job titles, company names
  • Contact Data: Email addresses
  • Technical Data: IP addresses, browser information, device identifiers
  • Document Data: Content of uploaded documents and signatures
  • Verification Data: ID documents (when ID verification is enabled)
  • Audit Data: Timestamps, access logs, signing history

2.4 Categories of Data Subjects

Personal Data relates to the following categories of Data Subjects:

  • Customer employees and authorized users
  • Document signers and recipients
  • Other individuals whose data is included in documents

2.5 Duration of Processing

Processing will continue for the duration of the Service agreement and for such additional period as required for legal compliance, backup, and audit purposes.

3. Processor Obligations

As the Processor, Zignt agrees to:

3.1 Process on Instructions

Process Personal Data only on documented instructions from the Controller, unless required by applicable law. The Terms of Service and this DPA constitute documented instructions for processing.

3.2 Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (256-bit SSL/TLS) and at rest
  • Secure access controls and authentication mechanisms
  • Regular testing and evaluation of security measures
  • Incident response and disaster recovery procedures
  • Secure password hashing and storage
  • Two-factor authentication options

3.4 Sub-processors

Not engage another processor (Sub-processor) without prior written authorization from the Controller. The Controller hereby provides general authorization for Zignt to engage Sub-processors listed in Section 6, subject to notification of changes.

3.5 Data Subject Rights

Assist the Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, taking into account the nature of processing.

3.6 Security Breach Notification

Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach, and provide reasonable assistance in investigating and mitigating the breach.

3.7 Deletion or Return of Data

At the Controller's choice, delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law.

3.8 Audit Rights

Make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.

4. Controller Obligations

As the Controller, you agree to:

  • Ensure that processing of Personal Data through the Service has a valid legal basis under applicable law
  • Provide any required notices to Data Subjects about the processing of their Personal Data
  • Obtain any required consents from Data Subjects for processing
  • Ensure that your instructions to Zignt are lawful and comply with applicable data protection laws
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to Zignt for processing
  • Comply with all applicable data protection laws in your use of the Service

5. International Data Transfers

5.1 Transfer Mechanisms

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. Where such transfers occur, Zignt ensures appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection
  • Standard Contractual Clauses: EU-approved SCCs (Commission Decision 2021/914) for transfers to other countries
  • Supplementary Measures: Additional technical and organizational measures where required

5.2 Standard Contractual Clauses

For transfers of Personal Data from the EEA to countries without an adequacy decision, the parties agree that the Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and form part of this DPA.

5.3 UK Transfers

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses applies.

6. Sub-processors

6.1 Authorized Sub-processors

The Controller authorizes Zignt to engage the following Sub-processors:

Sub-processor | Purpose                                 | Location
------------- | --------------------------------------- | ------------
Cloudinary    | Document and image storage              | USA / EU
Neon          | Database hosting (PostgreSQL)           | USA
Resend        | Transactional email delivery            | USA
Stripe        | Payment processing                      | USA
Vercel        | Application hosting and CDN             | USA / Global
Google Cloud  | Google Drive integration (when enabled) | USA / Global
OpenAI        | AI-powered contract date extraction     | USA

6.2 Changes to Sub-processors

Zignt will notify the Controller at least 14 days before adding or replacing a Sub-processor by updating this page and, where the Controller has subscribed to notifications, by email. The Controller may object to such changes within 14 days of notification.

6.3 Sub-processor Obligations

Zignt ensures that each Sub-processor is bound by data protection obligations at least as protective as those set out in this DPA.

7. Technical and Organizational Measures

Zignt implements the following technical and organizational security measures:

7.1 Encryption

  • 256-bit SSL/TLS encryption for all data in transit
  • Encryption at rest for stored documents and data
  • Secure hashing of passwords (bcrypt)

7.2 Access Control

  • Role-based access controls
  • Unique user authentication credentials
  • Two-factor authentication available
  • Account lockout after failed login attempts
  • Session management and timeout controls

7.3 Data Protection

  • Regular backups with secure storage
  • Data isolation between customers
  • Secure deletion procedures
  • Audit logging of data access

7.4 Infrastructure Security

  • Hosting on secure cloud infrastructure (Vercel, Neon)
  • DDoS protection
  • Regular security assessments
  • Vulnerability management

8. Personal Data Breach

8.1 Notification

In the event of a Personal Data breach affecting the Controller's data, Zignt will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware of the breach
  • Provide information about the nature of the breach, categories of data affected, and approximate number of Data Subjects affected
  • Describe the likely consequences of the breach
  • Describe measures taken or proposed to address the breach

8.2 Assistance

Zignt will provide reasonable assistance to the Controller in complying with its breach notification obligations under applicable law.

9. Data Subject Requests

Zignt will assist the Controller in responding to Data Subject requests to exercise their rights under applicable law, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

If Zignt receives a Data Subject request directly, Zignt will promptly notify the Controller unless prohibited by law.

10. Audit and Compliance

10.1 Information and Audits

Upon reasonable request, Zignt will make available to the Controller information necessary to demonstrate compliance with this DPA. The Controller may conduct an audit (or appoint a third-party auditor) with reasonable advance notice, during normal business hours, and subject to confidentiality obligations.

10.2 Certifications

Where available, Zignt may provide third-party certifications or audit reports (such as SOC 2 reports) as evidence of compliance in lieu of a direct audit.

11. Term and Termination

11.1 Duration

This DPA remains in effect for as long as Zignt processes Personal Data on behalf of the Controller.

11.2 Data Return or Deletion

Upon termination of the Service, the Controller may request the return or deletion of Personal Data. Zignt will comply with such request within 30 days, except where retention is required by applicable law.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that such limitations do not apply to data protection fines or penalties imposed by a supervisory authority as a result of a party's breach of applicable data protection laws.

13. Contact Information

For questions about this DPA or data protection matters, please contact:

Zignt Data Protection Team

Email: dpo@zignt.com

General privacy inquiries: privacy@zignt.com