Definitions

Unless otherwise defined in this Agreement, all capitalized terms used in this Agreement will have the meanings given to them below:

Account Access Credentials

  • Information Customer provides to Signatu, other than Content, about Customer or its users that Signatu needs to use to enable Customer’s use of Signatu Cloud Service or information concerning such use.

Adequacy Decision by the Commission

  • The European Commission has the power to determine, on the basis of GDPR Article 45, whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or by the international commitments it has entered into.

  • The effect of such a decision is that personal data can flow from the EU and EEA (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.

  • The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations - PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.

Agreed Liability Cap

  • the upper limit for monetary liability as agreed by the parties.

Entire Agreement

  • the Terms of Service and its Annexes and additional applicable Attachments and additional applicable Transaction Documents and Data Processing Agreement (if applicable) and Joint Controller Agreement (if applicable) are the entire Agreement regarding transactions under this Terms of Service (together, the “Agreement”).

AWS

  • Amazon Web Services in Ireland.
  • AWS’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within AWS’s control and are used to provide the Services.
  • the AWS security standards.

Binding Corporate Rules

  • “Binding Corporate Rules” as defined in GDPR Article 4(20).
  • “Consent” as defined in GDPR Article 4(11).
  • the identity of the Customer
  • the identity of Customer’s Data Subject
  • Customer’s permission request to Data Subjects
  • the Data Subject’s permission that Customer processes the Data Subject’s Personal Data
  • the Data Subject’s refusal that Customer processes the Data Subject’s Personal Data
  • the Data Subject’s termination of permission that Customer processes the Data Subject’s Personal Data
  • the Data Subject’s passivity in relation to request for permission, permission refusal or termination of permission
  • the time of the start of the Data Subject’s permission that Customer processes the Data Subject’s Personal Data
  • the time of the Data Subject’s refusal to permit that Customer processes the Data Subject’s Personal Data
  • the time of the Data Subject’s termination of permission that Customer processes the Data Subject’s Personal Data
  • how Customer provided the permission request dialog to the Data Subject
  • how Customer provided the permission refusal dialog to the Data Subject
  • how Customer provided the permission termination dialog to the Data Subject
  • the permission request linked with the privacy policy, including version numbers and dates matching the date permission was given
  • details to authenticate the Data Subject
  • a token that represents a specific consent
  • a unique ID for each record of the Personal Data of the Data Subject
  • Consent Receipt
  • the Consent actions of the Data Subject
    • include Consent actions, by way of ticking of opt-in box or similar, in relation to a request statement
    • do not include Consent actions, by way of affirmative activity, in relation to a request statement
  • If Controller wants opt-out of Legitimate Interest, then these Consent Event Data are interpreted:
    • By Legitimate Interest, if no event consent is found, the interpretation is true, i.e., allow processing.
  • a receipt attribute of the returned consent object that contains a signed JSON Web Token (JWT). The contents can be verified independently of Signatu, e.g., using JWT.io. To verify that the JWT was signed by Signatu, use the public key referenced in the publicKey field in the consent record.

Controller

  • “Controller” as defined in GDPR Article 4(7).

Customer

  • “controller” as defined in GDPR Article 4(7), and/or
  • “processor” as defined in GDPR Article 4(8).

Data Protection Impact Assessments

  • “data protection impact assessment” as provided for in GDPR Article 35.

Data Subject

  • “data subject” as defined in GDPR Article 4(1).

DPA

  • “data processing agreement” as provided for in GDPR Article 28.

EEA

  • the European Economic Area.

Enterprise

  • “Enterprise” as defined in GDPR Article 4(18).

EU-U.S. Privacy Shield Framework

  • the Framework that was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.

GDPR

  • Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Group of undertakings

  • “Group of undertakings” as defined in GDPR Article 4(19).

International Organisation

  • “international organisation” as defined in GDPR Article 4(26).

Joint Controller

  • “Joint Controller” as defined in GDPR Article 26.

Joint Controller Agreement

  • “Joint Controller Agreement” as defined in GDPR Article 26.

Notification Email Address

  • Customer’s sign-up Email Address counts as Customer’s Notification Email Address.
  • Signatu’s Notification Email Address is: hello@signatu.com

Personal Data

  • “personal data” as defined in GDPR Article 4(1).

Personal Data Breach

  • “personal data breach” as defined in GDPR Article 4(12).

Prior Consultation

  • “prior consultation” as provided for in GDPR Article 35.

Processing

  • “processing” as defined in GDPR Article 4(2).

Processing Purpose

  • the reason why you process personal data.

Processor

  • “Processor” as defined in GDPR Article 4(8).

Profiling

  • “Profiling” as defined in GDPR Article 4(4).

Pseudonymisation of Personal Data

  • “Pseudonymisation” as defined in GDPR Article 4(5).

Recipient

  • “Recipient” as defined in GDPR Article 4(9).

Regular personal data

  • personal data that in the GDPR are not special categories of personal data. There is no exhaustive list of such personal data.

Representative

  • “Representative” as defined in GDPR Article 4(17).

Restriction of processing

  • “Restriction of processing” as defined in GDPR Article 4(3).

Sensitive personal data

  • personal data that in the GDPR are named special categories of personal data.

  • Personal data are sensitive if processing of personal data reveals:

    • racial origin
    • ethnic origin
    • political opinions
    • religious beliefs
    • philosophical beliefs
    • trade union membership
  • Also, personal data are sensitive if:

    • genetic data is processed for the purpose of uniquely identifying a natural person
    • biometric data is processed for the purpose of uniquely identifying a natural person
  • Sensitive personal data are also:

    • data concerning health
    • data concerning a natural person’s sex life
    • data concerning a natural person’s sexual orientation

Signatu’s Third Party Auditor

  • a qualified and independent third party auditor appointed by Signatu.

Services

  • the services offered at the Signatu website.

Supervisory Authority

  • “supervisory authority” as defined in GDPR Article 4(21).

Sub-processors

  • third parties authorized under the Data Processing Agreement to process Customer Data.

Third Party

  • “Third Party” as defined in GDPR Article 4(10).

Term

  • the period from the date the Agreement is effective until the end of Signatu’s provision of the Services under the applicable Agreement.

Wholly automated decision-making

  • “Wholly automated decision-making” as provided for in GDPR Article 22. Such decisions are:
    • made by technological means without human involvement, and
    • based on any type of personal data:
      • provided directly by the individuals concerned (such as responses to a questionnaire), or
      • observed about the individuals (such as location data collected via an application), or
      • derived or inferred data, such as a profile of the individual that has already been created (e.g. a credit score).
    • Such decisions can be made with or without profiling; profiling can take place without making automated decisions.