Legal
Data Processing Addendum
Last updated: April 27, 2026 · Effective: May 1, 2026
1. Definitions
Customer Data means personal data submitted to SignIQ by you or signers using your account. Subprocessor means a third party engaged by SignIQ to process Customer Data. Data Protection Laws means GDPR, UK GDPR, CCPA/CPRA, and other applicable U.S. state privacy laws.
2. Roles
You are the data controller for Customer Data. SignIQ is the data processor and acts on your documented instructions, including these Terms and your configuration of the service.
3. Subject matter, duration, nature
SignIQ processes Customer Data to deliver the e-signature service for the duration of your subscription, plus a reasonable period afterward to support legal enforceability of signed records.
4. Categories of data subjects and data
Data subjects include account users (your team) and signers (parties to whom you send documents). Data categories include identity (name, email, phone), authentication metadata (IP, device), document content, and signature event metadata.
5. Subprocessors
Current subprocessors include the providers listed below. We’ll provide at least 30 days’ notice of new subprocessors and you may object on legitimate grounds.
| Subprocessor | Purpose | Location |
|---|---|---|
| [Cloud infrastructure provider] | Hosting, storage, encryption | United States |
| [Email delivery provider] | Transactional email delivery | United States |
| [SMS delivery provider] | SMS notifications & OTP verification | United States |
| [Payment processor] | Subscription billing | United States |
Specific vendor names finalized before launch.
6. Security measures
Detailed in our Security & Compliance page: TLS 1.2+ in transit, AES-256 at rest, role-based access, multi-AZ backups, and tamper-evident audit trails. SOC 2 Type II in progress.
7. Data subject requests
We’ll assist you in responding to data subject requests (access, deletion, correction, portability, restriction). Most requests can be fulfilled by you directly via the dashboard or API. For complex cases, contact privacy@signiq.com.
8. Breach notification
We’ll notify you without undue delay (and within 72 hours of confirmation) of any personal data breach affecting your Customer Data, with the information required under applicable Data Protection Laws.
9. International transfers
Customer Data is processed in the United States. Where required, transfers from the EEA, UK, or Switzerland are made under the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or other valid mechanisms.
10. Audit rights
You may audit our compliance with this DPA once per year on reasonable notice, conducted at your expense and subject to confidentiality. Where available, we’ll provide third-party audit reports (e.g., SOC 2) in lieu of on-site audits.
11. Return and deletion
Within 30 days of termination we will return or delete Customer Data at your option, except where retention is required by law or to support the legal enforceability of signed records.
12. Contact
DPA questions: privacy@signiq.com.