Measures
We will implement and maintain the following appropriate technical or organisational measures to ensure, for the Consent Event Data, ongoing:
appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage,
confidentiality, integrity, availability and resilience of processing systems and services, and
ability to restore the availability and access to Consent Event Data in a timely manner in the event of a physical or technical incident.
Account Accessibility
Our recording and storage of the Consent Event Data between you and your Data Subjects at your Signatu account can be accessed by us and by you, each by way of a password that we and you select separately.
Because we encrypt Personal Data, our Sub-processor, AWS, is not able to render such data intelligible.
API Accessibility
We issue a unique API key to you.
The API key is a Bearer Token (see RFC 6750 for details) bound to a particular scope (e.g., manage consents).
Anyone who provides the API Key to the Signatu API will have authorized access to the particular scope for the account the API Key was generated for.
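To make concrete what "bound to a particular scope" and "anyone who provides the API Key will have authorized access" mean in practice, the following is an added illustration written for this page, not Signatu's code: it parses an RFC 6750 Authorization header, looks the token up by hash, and enforces a scope. The token values, the scope names and the store are constructed for the example; the real service's key format and scope names are not described here.

```python
"""Added example (not Signatu's code): RFC 6750 bearer-token presentation and
scope enforcement. The only thing the server learns from a request is which
key was presented, so possession of the key is the whole credential."""
import hashlib
import hmac
import re
from typing import Optional, Set, Tuple

def _digest(token: str) -> str:
    # Store only a hash of each key so a leaked store does not directly yield usable keys.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed store: hash of key -> scopes granted to that key. Hypothetical values.
_TOKEN_SCOPES = {
    _digest("example-manage-consents-key"): {"manage consents"},
    _digest("example-read-only-key"): {"read consents"},
}

# RFC 6750 section 2.1: "Bearer" scheme followed by a b64token.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if authorization_header is None:
        return None
    match = _BEARER_RE.match(authorization_header.strip())
    return match.group(1) if match else None

def lookup_scopes(token: str) -> Optional[Set[str]]:
    """Find the scopes bound to a presented key using a constant-time hash comparison."""
    digest = _digest(token)
    for stored_digest, scopes in _TOKEN_SCOPES.items():
        if hmac.compare_digest(stored_digest, digest):
            return scopes
    return None

def authorize(authorization_header: Optional[str], required_scope: str) -> Tuple[int, str]:
    """Return (HTTP status, WWW-Authenticate / reason) for a request that needs required_scope.

    Status codes follow RFC 6750 section 3.1: missing or unknown token -> 401,
    known token lacking the scope -> 403 insufficient_scope.
    """
    token = extract_bearer_token(authorization_header)
    if token is None:
        return 401, 'Bearer realm="api"'
    scopes = lookup_scopes(token)
    if scopes is None:
        return 401, 'Bearer error="invalid_token"'
    if required_scope not in scopes:
        return 403, 'Bearer error="insufficient_scope"'
    return 200, "ok"

if __name__ == "__main__":
    # A request carrying the manage-consents key is authorized for that scope;
    # the same request with a read-only key is refused with insufficient_scope.
    print(authorize("Bearer example-manage-consents-key", "manage consents"))
    print(authorize("Bearer example-read-only-key", "manage consents"))
```

Note that nothing in the check identifies the caller beyond the key itself; this is why the sections that follow place the responsibility for keeping the key confidential on the account holder.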
Your Responsibility for Account and API Accessibility
You agree that you are solely responsible for:
making appropriate use of the Consent Service to ensure a level of security appropriate to the risk in respect of the Consent Event Data.
keeping the API Key strictly confidential.
making a secure password for your Signatu account.
safeguarding your Signatu account information.
unauthorised access to and/or use of your account information at Signatu, including the Personal Data and the API key that we issue to you.
safeguarding the API key that we issue to you.
unauthorised use of the API key that we issue to you.
unauthorised use of the Consent Event Data when unauthorised access has been achieved by the use of your account access criteria or the API key that we issue to you.
copying and transferring the Consent Event Data from Signatu to you for backup storage, so as to fulfil your GDPR obligations with respect to the Consent Event Data in the case of a physical or technical incident, an outage of the Consent Service, a loss, destruction, damage or alteration of the media that store the Consent Event Data, or malware affecting the Consent Event Data or the operations that process it.
Our Account Accessibility
Signatu technically restricts its personnel from accessing and processing the Consent Event Data without authorization from Signatu.
We will not access or use Personal Data, except:
as necessary to maintain or provide Signatu Consent Service,
as provided for in your instructions in the DPA, and
as necessary to comply with the law or a binding order of a law enforcement agency.
Data Traceability
Data Alteration and Deletion
Our recording and storage of the Consent Event Data between you and your Data Subjects is designed so that the record:
can be deleted directly by you if you have created consent vaults in Signatu, and
can be deleted by us, upon your request, if you use the consent default vault.
Confidentiality
Encryption
Our recording and storage of Consent Event Data between you and your Data Subjects is:
server-side encrypted (at the application level and database level) when stored at Signatu at AWS, and
link-side encrypted when transmitted:
between the servers of Signatu and you
within Signatu.
Data Security Testing
Security of Sub-processor AWS
Signatu stores Consent Event Data at AWS data centers in EU (currently Ireland).
AWS is certified under ISO 27001 and agrees with Signatu to implement and maintain the technical and organisational measures for the AWS Network (Network Security, Physical Security, Continued Evaluation of Security) that comply with the ISO 27001 standards, or with such other alternative standards as are substantially equivalent to ISO 27001, for the establishment, implementation, control, and improvement of the AWS Security Standards.