Signatu AS Data Processing Agreement

Version 1.0, applicable as from 01.01.2018


Summary

  1. Agree: You may order our Consent Service under the Terms of Service (“TOS”). We process Personal Data on your behalf under the Signatu AS Data Processing Agreement (“DPA”).
  2. Personal data: We process Consent Event Data on your behalf.
  3. Lawful processing: You are responsible for why and how we process Consent Event Data on your behalf.
  4. Data deletion: You decide when we shall delete the Consent Event Data. We delete or return the Consent Event Data shortly after your term expiry.
  5. Data Security: We secure the Consent Event Data with appropriate technical or organisational measures.
  6. Confidentiality: We do not disclose the Consent Event Data to third parties.
  7. Audits: We allow you to audit us.
  8. Processing Records: We maintain a record of processing activities that we carry out on your behalf.
  9. Assistance: We assist you to respond to end users’ requests to exercise their Data Subject Rights with regard to Consent Event Data.
  10. Data Breach: In case of a data breach, we will notify you without undue delay, mitigate effects and minimize any damage.
  11. DPIA and Consultation: We will assist you with Data Protection Impact Assessment and Prior Consultation with Data Protection Authorities.
  12. Cloud host: We use AWS in Ireland to host our Consent Service.
  13. Limited liability: We have limited liability in relation to you and third parties.
  14. Friendly problem solving: If we ever end up in a dispute, we will try to solve issues in a friendly way.
  15. Disputes in Norway: Any dispute will be resolved in Norway only, and under Norwegian law only.
  16. Communication with you: To communicate with you, we will use your sign-up Email Address.
  17. Communication with us: To communicate with us, you will use our Email Address: hello@signatu.com
  18. English communication: Together, we and you communicate in English only.

1 Parties and Scope

This Data Processing Agreement (“DPA”):

  • is entered into by and between Signatu AS (“Signatu”, “we”, “our”, “us”) and the Customer or the entity Customer represents (“Customer”, “you”, “your”).

  • supplements the Terms of Service or other agreement(s) that govern the contractual relationship between you and us with regard to your use of our Consent Service.

  • reflects the parties’ agreement with respect to the terms governing the processing and security of Personal Data under the applicable Terms of Service or other agreements.

  • is formed to comply with the requirements of GDPR Article 28.3.

  • prevails, in case of conflicting terms between agreements, over:

    • the Terms of Service,

    • Attachments, and

    • Transaction Documents.

  • is supplemented by Annexes that form an integral part of this DPA:

    • “Annex 1: Personal Data Processing”, and

    • “Annex 2: Data Security Measures”.

  • does not apply to the processing of personal data in connection with our provision of any Additional Products installed or used by you, including personal data transmitted to or from such Additional Products.

  • is delivered at our website: 🔗 https://signatu.com/

2 Meaning of terms in DPA

Unless otherwise defined in this DPA, all capitalized terms used in this DPA will have the meanings given to them on this page: 🔗 https://signatu.com/legal/definitions

3 Customer instructions and responsibilities with regard to Processing

3.1 Role of Customer

You may act either as “Controller” or “Processor” of the Personal Data.

You inform us of your role with regard to the Personal Data.

  • If you are “Controller” of the Personal Data, then the legal responsibility belongs to you.

  • If you are “Processor” of the Personal Data, then you inform us who is “Controller”.

📧 This information shall be sent via the Notification Email Address.

3.2 Role of Signatu

We act as a “Processor” that processes the Personal Data on behalf of you.

3.3 Scope of Permission

You permit that we, on behalf of you, act as a Processor that processes Personal Data of Data Subjects, as described in Annex 1 (on Personal Data Processing).

3.4 Customer’s acknowledgment

You acknowledge and agree that we and you are not involved in the same processing so that GDPR Article 82.4 does not apply.

You agree that we will process Personal Data as required by Union or Member State law to which we are subject in which case we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, in accordance with GDPR Article 28.3(a).

📧 This information shall be sent via the Notification Email Address.

4 Lawful processing

4.1 Customer’s Warranties for Lawful Processing

You warrant that:

  • if you are a “Processor”, then you warrant to us that your instructions and actions with respect to the Personal Data, including your appointment of us as another processor, have been authorized by the relevant Controller,

  • you hold the legal power and have the legal basis to permit and instruct that we process the Personal Data,

  • the use of the legal ground in GDPR Article 6.1(c) of legal obligation in GDPR Article 7.1 and/or GDPR Article 24.1, first sentence, and/or another legal obligation, or another legal basis for the recording of Personal Data, is appropriate and valid,

  • your instructions, permissions and granting of rights to us in this DPA comply with all laws, rules and regulations applicable in relation to the Personal Data.

  • you will comply with all laws, rules and regulations applicable to this DPA, including the GDPR.

4.2 Customer’s Responsibility for Lawful Processing

You are solely responsible:

  • for ensuring that your instructions and permissions with regard to our processing of the Personal Data do not cause us to be in breach of the GDPR or other laws and regulations.

  • for our processing of the Personal Data when our processing is in accordance with your instructions and permissions to us.

4.3 Customer’s Responsibility for Customer’s Instruction

You agree that we shall immediately inform you if, in our opinion, your instruction to us infringes the GDPR or other Union or Member State data protection provisions.

📧 This information shall be sent via the Notification Email Address.

You agree that you are solely responsible for your instruction to us and for our performance of your instruction to us.

4.4 Processing in conflict with DPA

If a law in the Union or a Member State of the EU obliges that we process the Personal Data in conflict with this DPA, then our processing of the Personal Data in compliance with such laws does not count as a breach of this DPA.

5 Data Deletion or Return

5.1 Power to delete

Our recording and storage of the Personal Data between you and your Data Subjects is designed so that the record:

  • can be deleted directly by you if you have created consent vaults in Signatu, and

  • can be deleted by us, upon your request, if you use the consent default vault.

5.2 Deletion during Term

During the applicable Term, you alone are responsible for determining how long we shall store the Personal Data that we record and store on behalf of you.

⏳ Upon your instruction to us that we delete the Personal Data, we shall delete your Personal Data as instructed by you without undue delay and at the latest within thirty (30) days of receipt of the instruction.

📧 This information shall be sent via the Notification Email Address.

5.3 Deletion in accordance with GDPR Art 17.1 and 19

If you are obliged to delete the Personal Data in accordance with GDPR Art 17, and you communicate an instruction to us that we delete that Personal Data, then we shall delete your Personal Data without undue delay.

📧 This information shall be sent via the Notification Email Address.

5.4 Deletion on Term Expiry

⏳ At the end of Term, and upon your instruction to us that we delete or return the Personal Data to you, we shall return or delete your Personal Data as instructed by you thirty (30) days after having received the deletion instruction, except:

  • for the data referred to in Annex 1 of this DPA, and

  • if Union or Member State law requires continued storage.

📧 This information shall be sent via the Notification Email Address.

If you choose to have the Personal Data returned to you, then you alone are responsible for transferring the Personal Data from us to you before the applicable Term expires.

5.5 Omitted Deletion Instruction

⏳ If you do not continue the Term within 30 days after Term Expiry and if you do not instruct us to delete or return the Personal Data, then you agree that we have the right to keep or delete your Personal Data.

6 Data Security

6.1 Signatu’s Security Measures

We take all data security measures required pursuant to GDPR Article 32. See Annex 2 below.

6.2 Customer’s Security Responsibility

You agree that:

  • we have no obligation to protect Personal Data that you elect to store or transfer outside of our and our Sub-processors’ systems (for example, offline or on-premise storage).

  • we have no obligation to protect Personal Data by implementing or maintaining Additional Security Controls.

  • you are solely responsible for your use of the Consent Service.

7 Confidentiality

7.1 Signatu’s Confidentiality Obligation

We will not disclose Personal Data between you and your Data Subjects to any third party except where the law or a binding order of a law enforcement agency requires us to do so.

7.2 Signatu’s redirection of Authorities to Customer

If a law enforcement agency requires that we disclose the Personal Data, then we make an effort to redirect the law enforcement agency to request the Personal Data directly from you.

📧 This information shall be sent via the Notification Email Address.

As part of this effort, we may provide your basic contact information to the law enforcement agency.

7.3 Signatu’s Notice to Customer

If we are obliged to disclose the Personal Data to a law enforcement agency, then we will give you reasonable notice of the request to allow you to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so.

📧 This information shall be sent via the Notification Email Address.

7.4 Customer’s Notice to Signatu

If a law enforcement agency requests that you make your Personal Data records available to the law enforcement agency, then you shall inform Signatu about how and when Signatu shall make the Personal Data records available to the law enforcement agency.

📧 This information shall be sent via the Notification Email Address.

7.5 Customer’s Responsibility

You are responsible for:

  • safeguarding your Signatu Account Access Credentials.

  • use of Signatu Cloud Service by any user who accesses the Personal Data with your Account Access Credentials.

  • all activities that occur under your account, regardless of whether the activities are authorized by you or undertaken by you, your employees or a third party (including your contractors, agents or End Users).

8 Confidentiality obligations of Signatu personnel

We ensure that Signatu personnel:

  • that are not authorized to process the Personal Data formally agree to not process the Personal Data.

  • that are authorised to process the Personal Data on behalf of you formally agree to confidentiality of our recordings of the Personal Data between you and your Data Subjects.

9 Audits

9.1 Customer’s Audit Rights

We allow for and contribute to audits, including inspections, conducted by you or a qualified and independent auditor mandated by you, to verify our compliance with our obligations under this DPA.

9.2 Request

You shall send a request for audit to us and, if applicable, include the auditor’s name, the legal name of the auditor’s company, and the auditor’s qualifications.

📧 This information shall be sent via the Notification Email Address.

9.3 Objection

If the auditor is, in our reasonable opinion, not suitably qualified or independent, a competitor of ours, or otherwise manifestly unsuitable, then we have the right to object to the use of the auditor, and have the right to appoint another auditor or to require that you conduct the audit yourself.

9.4 Date, scope and duration

In advance of the audit, we and you will discuss and agree on the reasonable start date, scope and duration of an audit.

9.5 Confidential Information

If an audit results in an audit report, then the part of the audit report that concerns us shall constitute our Confidential Information, which we shall make available to you subject to a mutually agreed upon non-disclosure agreement covering the report (an “NDA”).

9.6 Responsibility for Auditor’s Fees

You are solely responsible for any fees charged by you or charged by any auditor appointed by you to execute any such audit.

9.7 Responsibility for Signatu’s costs

We may charge a fee (based on Signatu’s reasonable costs) for any of our contribution(s) to audits.

After having received a request for audit, we will provide you with further details of any applicable fee.

📧 This information shall be sent via the Notification Email Address.

9.8 Supervisory Authority Audits

We shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.

10 Processing Records

10.1 Processing Record Obligation

We shall maintain a record of all categories of processing activities that we carry out on behalf of you, including your Information (name and contact details), in accordance with GDPR Article 30.2.

10.2 Customer Record Information Obligation

You agree that:

  • you shall provide us with your Information (name and contact details), the name and contact details of your local representative (if applicable), and the name and contact details of your Data Protection Officer (if applicable).

  • you shall provide such information to us and will keep that information accurate and up-to-date.

We may make such information available to the supervisory authorities if obliged.

11 Assistance to Customer

11.1 Data Subject Rights

11.1.1 Customer’s Responsibility to Respond to Data Subject Requests

During the applicable Term, you are solely responsible for responding to any request from a Data Subject in relation to Data Subject Rights laid down in GDPR Chapter III.

If we receive such a request from a Data Subject, then we will inform the Data Subject to send the request to you.

11.1.2 Signatu’s Assistance

You agree that we will assist you with regard to your obligation to respond to Data Subjects’ requests for exercising Data Subject Rights laid down in GDPR Chapter III by:

  • enabling you to access the Personal Data, via the functionality of the Consent Service, for you to give access to the Personal Data to the Data Subject.

  • enabling you to transfer the Personal Data, via the functionality of the Consent Service, for you to transfer a copy of the Personal Data to the Data Subject.

  • sending instructions to us that we erase, rectify or restrict the Personal Data.

    • 📧 This information shall be sent via the Notification Email Address.

11.2 Notification of a Personal Data Breach

11.2.1 Signatu’s Notification

If we become aware of a Personal Data Breach, we will:

  • without undue delay notify you of the Personal Data Breach occurrence.

    • we do not need to first assess the likelihood of risk arising from a breach before notifying you.

    • you are considered as “aware” of the data breach once we have sent an email to you and informed you of the breach.

    • 📧 This information shall be sent via the Notification Email Address.

  • provide you with further information about the breach in phases as more details become available.

  • take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach Incident.

Our notification of a personal data breach is not and will not be construed as an acknowledgement by us of any fault or liability with respect to the personal data breach.

11.2.2 Signatu’s Assistance

We promise to assist you in ensuring your compliance with the obligations pursuant to GDPR Article 33 and Article 34 taking into account the nature of processing and the information available to us.

11.2.3 Customer’s Responsibility

You are solely responsible for:

  • complying with incident notification laws applicable to you and fulfilling any notification obligations related to any Data Incident(s).

  • assessing the likelihood of risk arising from a breach.

  • meeting the requirement of notification to the supervisory authority within 72 hours.

11.3 Data Protection Impact Assessment and Prior Consultation

11.3.1 Signatu’s Assistance

You agree that we will assist you in ensuring your compliance with the obligations pursuant to GDPR Article 35 and 36, taking into account the nature of processing and the information available to us, by:

  • providing you with this DPA and the Terms of Service.

  • sharing information in line with GDPR Article 28.3(f) without compromising secrets or creating security risks by disclosing vulnerabilities.

12 Payment for Assistance

You alone shall pay the entire costs for actions we are obliged to take in accordance with law or contract:

  • to cooperate with Supervisory Authorities in their data protection audits,

  • to give Supervisory Authorities access to your Personal Data,

  • to facilitate Data Subjects’ exercise of rights pursuant to the GDPR,

  • to notify the rectification or erasure of personal data or restriction of processing pursuant to GDPR Articles 16, 17 and 18 to recipients to whom the personal data have been disclosed pursuant to GDPR Article 17.2 and Article 19,

  • to carry out Data Protection Impact Assessments and/or Prior Consultation.

After having received a request for assistance from you, we will provide you with further details of any applicable fee.

📧 This information shall be sent via the Notification Email Address.

13 Sub-processors

13.1 Customer Authorization to engage Sub-processors

You permit that we engage AWS to host our Consent Service.

We do not engage AWS to carry out the specific processing activities that we carry out on behalf of you.

You agree that your permission for us to use AWS as our Sub-processor counts as a permission for AWS to engage Sub-processors.

13.2 Obligations for replacement or addition of Sub-processor

If we engage new or replace existing Sub-processors, we will do so only with your prior general written authorisation, as agreed in this DPA.

We inform you about new Sub-processors by posting their details on this page: 🔗 https://signatu.com/legal/tos/.

You agree that, by our posting new Sub-processors on this page, you will be given the opportunity to object, as required by law.

You agree that you can object only by terminating the applicable Terms of Service and DPA within 30 days after a new Sub-processor has been posted on this page.

You agree that such termination right is your sole and exclusive legal remedy if you object to such replacement or addition.

We enter into a data processing agreement with the Sub-processor in accordance with the GDPR.

14 Liability, penalties and fines

14.1 Separate Responsibility for Damage

You agree that:

  • we process Personal Data of your Data Subjects, as defined in this DPA, without the involvement of you, and we are alone responsible for damage to Data Subjects caused by our processing in accordance with GDPR Article 82.2,

  • you process Personal Data of your Data Subjects, as defined in this DPA, without our involvement, and you are alone responsible for damage to Data Subjects caused by your processing in accordance with GDPR Article 82.2,

  • we shall not be held liable and you shall pay the entire compensation for the part of the damage that corresponds to our part of responsibility for the damage to Data Subjects.

14.2 Customer’s Sole Responsibility

As a result of, or in connection with, your infringement of your obligations under this DPA, the GDPR, other rules in Union or EU Member State law or rules of a third country’s law, you agree to pay:

  • the entire fines imposed on us,

  • the entire costs we have as a result of penalties, orders, warnings and/or reprimands imposed on us,

  • to mitigate the damage suffered by Data Subjects (if required with basis in law),

  • to notify the infringement to Data Subjects and to Supervisory Authorities (if required with basis in law).

14.3 Liability

14.3.1 Liability Cap

The total combined liability for us and our Sub-processors, towards you, and vice versa, under or in connection with the applicable Terms of Service, this DPA, the GDPR, other rules in Union or EU Member State law or rules of a third country’s law will be limited to the Agreed Liability Cap subject to Section 14.3.2.

14.3.2 Liability Cap Exclusions

Section 14.3.1 does not affect the remaining terms of the applicable Terms of Service relating to liability, limitations of liability and exclusions of limitations of liability.

15 Nondisclosure

The content of this DPA will be our confidential information that we make available to you and that you are prohibited from disclosing to any third party except as required by law.

16 Communication between Parties

16.1 Obligation to use Notification Email Address

For communication between us and you, both parties agree to solely use the Notification Email Address.

📧 Your sign-up Email Address counts as your Notification Email Address.

📧 Our Notification Email Address is: hello@signatu.com

16.2 Customer’s Responsibility

You are solely responsible for:

  • ensuring that the Notification Email Address is current and valid, and

  • the consequences of a failed notification to you if your Notification Email Address is not current and/or valid.

16.3 Language

You agree that all communications and notices made or given pursuant to this Agreement must be in the English language.

17 Entire DPA

You and we agree that this DPA is your entire and final documented instruction to us in relation to our processing of the Personal Data.

Additional instructions outside the scope of this DPA (if any) require prior written agreement between us and you, including agreement on any additional fees payable by you to us for carrying out such instructions.

18 Customer’s independent conclusion of Signatu GDPR compliance

This DPA is entered into after your independent assessment and conclusion, for which you are solely responsible, that our Consent Service:

  • meets your needs,

  • meets the requirements of the GDPR, and

  • ensures the protection of the rights of your Data Subjects.

19 Customer Warranties

You warrant that:

  • you have full legal power, authority and ability to enter into, and grant the rights under, this DPA, and

  • you will comply with the obligations under this DPA.

20 Acceptance of DPA

You agree to be bound by the terms and conditions of this DPA by:

  • clicking an “I Accept” button or checkbox presented with these terms, or

  • signing the DPA by hand, or

  • using any of the Cloud Service Offerings, or

  • making any payment for the Cloud Service Offerings.

A service offering becomes subject to this DPA when the Service is a Service where we have the role of “Processor”.

You agree to be bound by the terms and conditions of the Terms of Service.

21 Entry into force and duration of DPA

You agree that this DPA:

  • shall enter into force on the date when you agree to be bound by this DPA, and

  • shall, in spite of expiry of the Term, remain in force until, and automatically expire upon, deletion of all Personal Data by us, as described in this DPA.

22 Dispute Resolution, Applicable Law and Jurisdiction

Each of the Parties:

  • will allow the other reasonable opportunity to comply before it claims that the other has not met its obligations under this Agreement,

  • will attempt in good faith to resolve all disputes, disagreements, or claims between the parties relating to this Agreement,

  • hereby submits to the exclusive jurisdiction of the Norwegian courts in Oslo City Court (Oslo byrett),

  • agrees to the application of the laws of Norway, excluding Norway’s choice-of-law principles, to govern, interpret, and enforce all of your and our respective rights, duties, and obligations relating to or arising out of this agreement, or the breach thereof, whether sounding in contract, tort or otherwise,

  • is responsible for complying with laws and regulations applicable to its business and Content.

If any provision of this Agreement is invalid, illegal or unenforceable, the remaining provisions remain in full force and effect.

Annex 1 to Data Processing Agreement

Personal Data Processing

Annex 2 to Data Processing Agreement

Data Security Measures
