This DPA is automatically incorporated into the Terms of Service. If you require negotiated terms, contact legal@signatur.app.
1. Definitions
Terms defined in GDPR have the same meaning here. "Customer" = the controller. "Signatur" = the processor. "Personal Data" = personal data processed under the Service.
2. Subject matter, duration, nature, purpose
Subject matter: provision of the Signatur Service. Duration: while the agreement is in force, plus any post-termination obligations below. Nature/purpose: hosting, processing, transmission of Customer documents and recipient interaction telemetry for the purpose of electronic signature collection and evidence retention.
3. Categories of data and subjects
- Data subjects: Customer's authorised users; Customer's recipients (signatories or other invited parties); other parties whose data Customer includes in documents.
- Categories of data: identifying data (name, email), business contact data, signature image/text, IP/device/UA/geo estimate, document body and metadata, audit-trail metadata, OTP attempt records.
4. Obligations of the controller (Customer)
Customer warrants it has a lawful basis for processing all Personal Data uploaded to or routed through the Service, including for any special category data, and that recipients have been informed as required by applicable law.
5. Obligations of the processor (Signatur)
5.1 Processing instructions
Signatur shall process Personal Data only on documented Customer instructions (including this DPA, the Terms, and configurations made in the Service), unless required otherwise by EU or Member State law. Where so required, Signatur will inform Customer before processing, unless that law prohibits the notification on important grounds of public interest.
5.2 Confidentiality
Personnel with access are bound by confidentiality.
5.3 Security (Art. 32)
Signatur implements technical and organisational measures per Annex II.
5.4 Sub-processors
Customer authorises the sub-processors at trust center. Signatur will give at least 30 days' notice of additions or replacements; Customer may object on reasonable grounds and, if not resolved, terminate the affected portion of the Service.
5.5 Data subject requests
Signatur will assist Customer to respond to data subject requests (Art. 12–22). Self-service tooling in the Service covers most cases; bespoke assistance may incur fees per the Terms.
5.6 Security assistance & DPIA
Signatur will assist Customer with Art. 32–36 obligations to the extent of the information available to Signatur, taking into account the nature of processing.
5.7 Breach notification
Signatur will notify Customer without undue delay and within 24 hours of becoming aware of a personal data breach affecting Customer's data, with the information then known. Updates will follow as the investigation progresses.
5.8 Audit
Annual third-party security report (e.g. SOC 2 / ISO 27001 when held; meanwhile, a Signatur-prepared security summary). Customer may request a remote audit annually with reasonable notice and at Customer expense.
5.9 Deletion or return
On termination, Signatur will, at Customer's choice, return or delete Personal Data per our retention policy and applicable law, except where retention is required (e.g. Bokføringsloven for billing).
6. International transfers
Default: EU only. Where any transfer outside the EEA is necessary, the Standard Contractual Clauses (Module 3 processor-to-processor) shall apply, supplemented by appropriate technical and organisational measures per EDPB Recommendations 01/2020.
7. Liability
Back-to-back with the Terms. Nothing in this DPA limits a data subject's rights under GDPR.
8. Term and termination
Co-terminus with the Terms.
9. Governing law
Norwegian law, subject to mandatory EU privacy law.
Annex I — Description of processing
I-A — Parties
Controller: Customer (per signup form). Processor: Signatur Labs AS, Oslo, Norway.
I-B — Transfer description
See § 3 above. Frequency: continuous. Duration: term of agreement plus retention period.
I-C — Competent supervisory authority
Datatilsynet (Norway).
Annex II — Technical and organisational measures
- Encryption: TLS 1.3 in transit; AES-256 at rest with envelope encryption (KMS) for PII columns; SSE-KMS for object storage with per-tenant KEK; Object Lock Compliance mode for sealed PDFs.
- Access control: RBAC with owner / admin / member / viewer roles; Postgres Row-Level Security with tenant scoping; mandatory MFA (TOTP/WebAuthn) for owner and admin; just-in-time production access with recording.
- Audit: append-only, hash-chained audit trail (SHA-256), exportable JSON+PDF evidence package; daily chain integrity verification; access logs for audit-log reads.
- Network: private subnets; edge WAF; rate limiting on auth and signing.
- Backups: daily, encrypted, 35 days hot + 1 year cold; quarterly restore drill.
- Vulnerability management: dependency scanning (Renovate, npm audit); SAST in CI; annual third-party pen-test; SBOM published per release.
- Personnel: background checks for production roles; annual security training.
- Logging: structured PII-scrubbed application logs; SIEM ingest; anomaly detection.
- Incident response: 24/7 on-call; documented runbooks; 24-hour customer notification SLA for breaches.
- Cryptographic key management: AWS KMS / Vault; quarterly KEK rotation.
Annex III — Sub-processors
Current list at trust center. Includes name, purpose, region, transfer mechanism.
Annex IV — Processing instructions
Customer instructs Signatur to process Personal Data to: (a) host customer documents and recipient data; (b) deliver signing flows; (c) maintain audit and evidence; (d) deliver transactional email; (e) provide support; (f) perform billing; (g) detect and respond to abuse and security incidents. Additional instructions may be set in tenant configuration (retention, identity level, AI on/off, branding).