Version 1.0, applicable as from 01.01.2018
This Data Processing Agreement (“DPA”):
is entered into by and between Signatu AS (“Signatu”, “we”, “our”, “us”) and the Customer or the entity Customer represents (“Customer”, “you”, “your”).
supplements the Terms of Service or other agreement(s) that govern the contractual relationship between you and us with regard to your use of our Consent Service.
reflects the parties’ agreement with respect to the terms governing the processing and security of Personal Data under the applicable Terms of Service or other agreements.
is formed to comply with the requirements of GDPR Article 28.3.
prevails, in case of conflicting terms between agreements, over:
the Terms of Service,
Attachments, and
Transaction Documents.
is supplemented by Annexes that form an integral part of this DPA:
“Annex 1: Personal Data Processing”, and
“Annex 2: Data Security Measures”.
does not apply to the processing of personal data in connection with our provision of any Additional Products installed or used by you, including personal data transmitted to or from such Additional Products.
is delivered at our website: 🔗 https://signatu.com/
Unless otherwise defined in this DPA, all capitalized terms used in this DPA will have the meanings given to them on this page: 🔗 https://signatu.com/legal/definitions
You may act either as “Controller” or “Processor” of the Personal Data.
You inform us of your role with respect to the Personal Data.
If you are “Controller” of the Personal Data, then the legal responsibility belongs to you.
If you are “Processor” of the Personal Data, then you inform us who is “Controller”.
📧 This information shall be sent via the Notification Email Address.
We act as a “Processor” that processes the Personal Data on behalf of you.
You permit that we, on behalf of you, act as a Processor that processes Personal Data of Data Subjects, as described in Annex 1 (on Personal Data Processing).
You acknowledge and agree that we and you are not involved in the same processing so that GDPR Article 82.4 does not apply.
You agree that we will process Personal Data as required by Union or Member State law to which we are subject in which case we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, in accordance with GDPR Article 28.3(a).
📧 This information shall be sent via the Notification Email Address.
You warrant that:
if you are a “Processor”, then you warrant to us that your instructions and actions with respect to the Personal Data, including its appointment of us as another processor, have been authorized by the relevant Controller,
you hold the legal power and have the legal basis to permit and instruct that we process the Personal Data,
the use of the legal ground in GDPR Article 6.1(c) of legal obligation in GDPR Article 7.1 and/or GDPR Article 24.1, first sentence, and/or another legal obligation, or another legal basis for the recording of Personal Data, is appropriate and valid,
your instructions, permissions and granting of rights to us in this DPA comply with all laws, rules and regulations applicable in relation to the Personal Data.
you will comply with all laws, rules and regulations applicable to this DPA, including the GDPR.
You are solely responsible:
for ensuring that your instructions and permissions with regard to our processing of the Personal Data do not cause us to be in breach of the GDPR or other laws and regulations.
for our processing of the Personal Data when our processing is in accordance with your instructions and permissions to us.
You agree that we shall immediately inform you if, in our opinion, your instruction to us infringes the GDPR or other Union or Member State data protection provisions.
📧 This information shall be sent via the Notification Email Address.
You agree that you are solely responsible for your instruction to us and for our performance of your instruction to us.
If a law in the Union or a Member State of the EU obliges that we process the Personal Data in conflict with this DPA, then our processing of the Personal Data in compliance with such laws does not count as a breach of this DPA.
Our recording and storage of the Personal Data between you and your Data Subjects is designed so that the record:
can be deleted directly by you if you have created consent vaults in Signatu, and
can be deleted by us, upon your request, if you use the consent default vault.
During the applicable Term, you alone are responsible for determining how long we shall store the Personal Data that we record and store on behalf of you.
⏳ Upon your instruction to us that we delete the Personal Data, we shall delete your Personal Data as instructed by you without undue delay and at the latest within thirty (30) days of receipt of the instruction.
📧 This information shall be sent via the Notification Email Address.
If you are obliged to delete the Personal Data in accordance with GDPR Art 17, and you communicate an instruction to us that we delete that Personal Data, then we shall delete your Personal Data without undue delay.
📧 This information shall be sent via the Notification Email Address.
⏳ At the end of Term, and upon your instruction to us that we delete or return the Personal Data to you, we shall return or delete your Personal Data as instructed by you thirty (30) days after having received the deletion instruction, except:
for the data referred to in Annex 1 of this DPA, and
if Union or Member State law requires continued storage.
📧 This information shall be sent via the Notification Email Address.
If you choose to have the Personal Data returned to you, then you alone are responsible for transferring the Personal Data from us to you before the applicable Term expires.
⏳ If you do not continue Term within 30 days after Term Expiry and if you do not instruct us to delete or return the Personal Data, then you agree that we have the right to keep or delete your Personal Data.
We take all data security measures required pursuant to GDPR Article 32. See Annex 2 below.
You agree that:
we have no obligation to protect Personal Data that you elect to store or transfer outside of our and our Sub-processors’ systems (for example, offline or on-premise storage).
we have no obligation to protect Personal Data by implementing or maintaining Additional Security Controls.
you are solely responsible for your use of the Consent Service.
We will not disclose Personal Data between you and your Data Subjects to any third party except where the law or a binding order of a law enforcement agency requires us to do so.
If a law enforcement agency requires that we disclose the Personal Data, then we make an effort to redirect the law enforcement agency to request the Personal Data directly from you.
📧 This information shall be sent via the Notification Email Address.
As part of this effort, we may provide your basic contact information to the law enforcement agency.
If we are obliged to disclose the Personal Data to a law enforcement agency, then we will give you reasonable notice of the request to allow you to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so.
📧 This information shall be sent via the Notification Email Address.
If a law enforcement agency requests that you make your Personal Data records available to the law enforcement agency, then you shall inform Signatu about how and when Signatu shall make the Personal Data records available to the law enforcement agency.
📧 This information shall be sent via the Notification Email Address.
You are responsible for:
safeguarding your Signatu Account Access Credentials.
use of Signatu Cloud Service by any user who accesses the Personal Data with your Account Access Credentials.
all activities that occur under your account, regardless of whether the activities are authorized by you or undertaken by you, your employees or a third party (including your contractors, agents or End Users).
We ensure that Signatu personnel:
that are not authorized to process the Personal Data formally agree to not process the Personal Data.
that are authorised to process the Personal Data on behalf of you formally agree to confidentiality of our recordings of the Personal Data between you and your Data Subjects.
We allow for and contribute to audits, including inspections, conducted by you or a qualified and independent auditor mandated by you, to verify our compliance with our obligations under this DPA.
You shall send a request for audit to us and, if any, include the auditor name, legal name of company of auditor, auditor qualifications.
📧 This information shall be sent via the Notification Email Address.
If the auditor is, in our reasonable opinion, not suitably qualified or independent, a competitor of us, or otherwise manifestly unsuitable, then we have the right to object to the use of the Auditor and have the right to appoint another auditor or have the right to require that you conduct the audit yourself.
In advance of the audit, we and you will discuss and agree on the reasonable start date, scope and duration of an audit.
If an audit results in an audit report, then the part of the audit report that concerns us shall constitute our Confidential Information that we shall make available to you subject to a mutually agreed upon non-disclosure agreement covering the Report (an “NDA”).
You are solely responsible for any fees charged by you or charged by any auditor appointed by you to execute any such audit.
We may charge a fee (based on Signatu’s reasonable costs) for any of our contribution(s) to audits.
We will, after having received a request for audit, provide you with further details of any applicable fee.
📧 This information shall be sent via the Notification Email Address.
We shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.
We shall maintain a record of all categories of processing activities that we carry out on behalf of you, including your Information (name and contact details), in accordance with GDPR Article 30.2.
You agree that:
you shall provide us with your Information (name and contact details), name and contact details of your local representative (if applicable), and name and contact details of your Data Protection Officer (if applicable).
you shall provide such information to us and will keep that information accurate and up-to-date.
We may make such information available to the supervisory authorities if obliged.
During the applicable Term, you are solely responsible for responding to any request from a Data Subject in relation to Data Subject Rights laid down in GDPR Chapter III.
If we receive such a request from a Data Subject, then we will inform the Data Subject to send the request to you.
You agree that we will assist you with regard to your obligation to respond to Data Subjects’ requests for exercising Data Subject Rights laid down in GDPR Chapter III by:
enabling you to access the Personal Data, via the functionality of the Consent Service, for you to give access to the Personal Data to the Data Subject.
enabling you to transfer the Personal Data, via the functionality of the Consent Service, for you to transfer a copy of the Personal Data to the Data Subject.
sending instructions to us that we erase, rectify or restrict the Personal Data.
If we become aware of a Personal Data Breach, we will:
without undue delay notify you of the Personal Data Breach occurrence.
we do not need to first assess the likelihood of risk arising from a breach before notifying you.
you are considered as “aware” of the data breach once we have sent an email to you and informed you of the breach.
📧 This information shall be sent via the Notification Email Address.
provide you with further information about the breach in phases as more details become available.
take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach Incident.
Our notification of a personal data breach is not and will not be construed as an acknowledgement by us of any fault or liability with respect to the personal data breach.
We promise to assist you in ensuring your compliance with the obligations pursuant to GDPR Article 33 and Article 34 taking into account the nature of processing and the information available to us.
You are solely responsible for:
complying with incident notification laws applicable to you and fulfilling any notification obligations related to any Data Incident(s).
assessing the likelihood of risk arising from a breach.
meeting the requirement of notification to the supervisory authority within 72 hours.
You agree that we will assist you in ensuring your compliance with the obligations pursuant to GDPR Article 35 and 36, taking into account the nature of processing and the information available to us, by:
providing you with this DPA and the Terms of Service.
sharing information in line with GDPR Article 28.3(f) without either compromising secrets or leading to security risks by disclosing vulnerabilities.
You alone shall pay the entire costs for actions we are obliged to take in accordance with law or contract:
to cooperate with Supervisory Authorities in their data protection audits,
to give Supervisory Authorities access to your Personal Data,
to facilitate the Data Subject’s exercise of rights pursuant to the GDPR,
to notify the rectification or erasure of personal data or restriction of processing pursuant to GDPR Articles 16, 17 and 18 to recipients to whom the personal data have been disclosed pursuant to GDPR Article 17.2 and Article 19,
to carry out Data Protection Impact Assessments and/or Prior Consultation.
We will, after having received a request for assistance from you, provide you with further details of any applicable fee.
📧 This information shall be sent via the Notification Email Address.
You permit that we engage AWS to host our Consent Service.
We do not engage AWS to carry out the specific processing activities that we carry out on behalf of you.
You agree that your permission for us to use AWS as our Sub-processor counts as a permission for AWS to engage Sub-processors.
If we engage new or replace existing Subprocessors, we will do so only with your prior general written authorisation, as agreed in this DPA.
We inform you about new Subprocessors by posting their details on this page 🔗 https://signatu.com/legal/tos/.
You agree that by posting new Subprocessors on this page, you will be given the opportunity to object, as required by law.
You agree that you can object only by terminating the applicable Terms of Service and DPA within 30 days after a new Subprocessor has been posted on this page.
You agree that such termination right is your sole and exclusive legal reparation if you object to such replacement or addition.
We enter into a data processing agreement with the Subprocessor in accordance with the GDPR.
You agree that:
we process Personal Data of your Data Subjects, as defined in this DPA, without the involvement of you, and we are alone responsible for damage to Data Subjects caused by our processing in accordance with GDPR Article 82.2,
you process Personal Data of your Data Subjects, as defined in this DPA, without our involvement, and you are alone responsible for damage to Data Subjects caused by your processing in accordance with GDPR Article 82.2,
we shall not be held liable and you shall pay the entire compensation for the part of the damage that corresponds to our part of responsibility for the damage to Data Subjects.
As a result of, or in connection with, your infringement of your obligations under this DPA, the GDPR, other rules in Union or EU Member State law or rules of a third country’s law, you agree to pay:
the entire fines imposed on us,
the entire costs we have as a result of penalties, orders, warnings and/or reprimands imposed on us,
to mitigate the damage suffered by Data Subjects (if required with basis in law),
to notify the infringement to Data Subjects and to Supervisory Authorities (if required with basis in law).
The total combined liability for us and our Sub-processors, towards you, and vice versa, under or in connection with the applicable Terms of Service, this DPA, the GDPR, other rules in Union or EU Member State law or rules of a third country’s law will be limited to the Agreed Liability Cap subject to Section 14.3.2.
Section 14.3.1 does not affect the remaining terms of the applicable Terms of Service relating to liability, limitations of liability and exclusions of limitations of liability.
The content of this DPA will be our confidential information that we make available to you and that you are prohibited from disclosing to any third party except as required by law.
For communication between us and you, both parties agree to solely use the Notification Email Address.
📧 Your sign-up Email Address counts as your Notification Email Address.
📧 Our Notification Email Address is: hello@signatu.com
You are solely responsible for:
ensuring that the Notification Email Address is current and valid, and
the consequences of a failed notification to you if your Notification Email Address is not current and/or valid.
You agree that all communications and notices made or given pursuant to this Agreement must be in the English language.
You and we agree that this DPA is your entire and final documented instruction to us in relation to our processing of the Personal Data.
Additional instructions outside the scope of this DPA (if any) require prior written agreement between us and you, including agreement on any additional fees payable by you to us for carrying out such instructions.
This DPA is entered into after your independent assessment and conclusion, for which you are solely responsible, that our Consent Service:
meets your needs,
meets the requirements of the GDPR, and
ensures the protection of the rights of your Data Subjects.
You warrant that:
you have full legal power, authority and ability to enter into, and grant the rights under, this DPA, and
you will comply with the obligations under this DPA.
You agree to be bound by the terms and conditions of this DPA by:
clicking an “I Accept” button or checkbox presented with these terms, or
signing the DPA by hand, or
using any of the Cloud Service Offerings, or
making any payment for the Cloud Service Offerings.
A service offering becomes subject to this DPA when the Service is a Service where we have the role of “Processor”.
You agree to be bound by the terms and conditions of the Terms of Service.
You agree that this DPA:
shall enter into force on the date when you agree to be bound by this DPA, and
shall, in spite of expiry of the Term, remain in force until, and automatically expire upon, deletion of all Personal Data by us, as described in this DPA.
Each of the Parties:
will allow the other reasonable opportunity to comply before it claims that the other has not met its obligations under this Agreement,
will attempt in good faith to resolve all disputes, disagreements, or claims between the parties relating to this Agreement,
hereby submits to the exclusive jurisdiction of the Norwegian courts in Oslo City Court (Oslo byrett),
agrees to the application of the laws of Norway, excluding Norway’s choice-of-law principles, to govern, interpret, and enforce all of your and our respective rights, duties, and obligations relating to or arising out of this agreement, or the breach thereof, whether sounding in contract, tort or otherwise,
is responsible for complying with laws and regulations applicable to its business and Content.
If any provision of this Agreement is invalid, illegal or unenforceable, the remaining provisions remain in full force and effect.