Data Security Measures

Annex to Data Processing Agreement

  1. Measures

    1. We will implement and maintain the following appropriate technical or organisational measures, which for the Consent Event Data ensure ongoing:

      1. appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage,

      2. confidentiality, integrity, availability and resilience of processing systems and services, and

      3. ability to restore the availability and access to Consent Event Data in a timely manner in the event of a physical or technical incident.

  2. Account Accessibility

    1. Our recording and storage of the Consent Event Data between you and your Data Subjects at your Signatu account can be accessed by us and you by way of a password that we and you select separately.

    2. Because we encrypt Personal Data, our Sub-processor, AWS, is not able to render such data intelligible.

  3. API Accessibility

    1. We issue a unique API key to you.

    2. The API key is a Bearer Token (see RFC 6750 for details) bound to a particular scope (e.g., manage consents).

    3. Anyone who provides the API Key to the Signatu API will have authorized access to the particular scope for the account the API Key was generated for.

  4. Your Responsibility for Account and API Accessibility

    1. You agree that you are solely responsible for:

      1. making appropriate use of the Consent Service to ensure a level of security appropriate to the risk in respect of the Consent Event Data.

      2. keeping the API Key strictly confidential.

      3. making a secure password for your Signatu account.

      4. safeguarding your Signatu account information.

      5. unauthorised access to and/or use of your account information at Signatu, including the Personal Data and the API key that we issue to you.

      6. safeguarding the API key that we issue to you.

      7. unauthorised use of the API key that we issue to you.

      8. unauthorised use of the Consent Event Data when unauthorised access has been achieved by the use of your account access criteria or the API key that we issue to you.

      9. copying and transferring the Consent Event Data from Signatu to you for backup storage to fulfil your GDPR obligations pursuant to the Consent Event Data in the case of a physical or technical incident, an outage of the Consent Service, a loss, destruction, damage or alteration of the media that store the Consent Event Data, or malware affecting the Consent Event Data or malware affecting the operations of the processing of the Consent Event Data.

  5. Our Account Accessibility

    1. Signatu technically restricts its personnel from accessing and processing the Consent Event Data without authorization from Signatu.

    2. We will not access or use Personal Data, except:

      1. as necessary to maintain or provide Signatu Consent Service,

      2. as provided for in your instructions in the DPA, and

      3. as necessary to comply with the law or a binding order of a law enforcement agency.

  6. Data Traceability

    1. We record and timestamp your account activity.

  7. Data Alteration and Deletion

    1. Our recording and storage of the Consent Event Data between you and your Data Subjects is designed so that the record:

      1. can be deleted directly by you if you have created consent vaults in Signatu, and

      2. can be deleted by us, upon your request, if you use the consent default vault.

  8. Confidentiality

    1. Signatu personnel who have authorized access to Consent Event Data have committed themselves to confidentiality.

  9. Encryption

    1. Our recording and storage of Consent Event Data between you and your Data Subjects is:

      1. server-side encrypted (at the application level and database level) when stored at Signatu at AWS, and

      2. link-side encrypted when transmitted:

        1. between the servers of Signatu and you

        2. within Signatu.

  10. Data Security Testing

    1. We regularly test, assess and evaluate the effectiveness and adequacy of our technical and organisational measures for ensuring that the security of the processing of Consent Event Data is at the level of industry security standards, and will, based on this, determine whether additional or other security measures are required.

  11. Security of Sub-processor AWS

    1. Signatu stores Consent Event Data at AWS data centers in EU (currently Ireland).

    2. AWS is certified under ISO 27001 and agrees with Signatu to implement and maintain technical and organisational measures for the AWS Network (Network Security, Physical Security, Continued Evaluation of Security) that comply with the ISO 27001 standards, or such other alternative standards as are substantially equivalent to ISO 27001, for the establishment, implementation, control, and improvement of the AWS Security Standards.