Doc E Sign — Article 26 Joint Controller Arrangement
Effective date: 30 May 2026 Version: 1.0 URL: doc-e-sign.com/dca
About this arrangement
This Joint Controller Arrangement ("Arrangement") is made under Article 26 of the UK General Data Protection Regulation (UK GDPR) and Article 26 of the EU General Data Protection Regulation (EU GDPR) between:
Party A — Doc E Sign, UK-based. Contact: privacy@doc-e-sign.com
Party B — the Sender, meaning any person or organisation that holds a Doc E Sign account and uses the Doc E Sign service to send documents for signature ("the Sender").
This Arrangement is incorporated by reference into Doc E Sign's Terms of Service and Data Processing Agreement. By using the Doc E Sign service, the Sender agrees to this Arrangement.
The essence of this Arrangement, as required by Article 26(2) UK GDPR and EU GDPR, is summarised in plain English in Part 2 of Doc E Sign's Privacy Notice (doc-e-sign.com/privacy). Data subjects may exercise their rights against either controller as set out in that notice and in Section 7 below.
1. Background and purpose
Doc E Sign provides a document signing service. When the Sender uses Doc E Sign to send a document for signature, both Doc E Sign and the Sender determine certain aspects of how signer personal data is processed. Because each party independently determines the purposes or means of some part of the processing, they are joint controllers for those activities under Article 26.
This Arrangement does not apply to all personal data processed in connection with the Doc E Sign service. It applies only to the specific joint processing activities identified in Section 2. Processing activities for which only one party independently determines purposes and means remain the sole responsibility of that party.
2. Joint processing activities and allocation of responsibility
The following activities involve joint controllership. Each row identifies the processing activity, which party makes the relevant decisions, and which party is responsible for data subject rights relating to that activity.
2.1 — Disclosure acknowledgment records
What is processed: A record that the signer acknowledged Doc E Sign's Privacy Notice and Signing Disclaimer before signing — including the version of each document shown, the timestamp, and the signer's encrypted IP address and user agent.
Why it is processed: To demonstrate that the required privacy disclosures were made during the signing ceremony. Both parties have a legitimate interest in this record: Doc E Sign as evidence of its compliance obligations; the Sender as evidence that the signing ceremony was conducted properly.
| Responsibility | Party | Detail | |---|---|---| | Determines the format and content of the acknowledgment record | Doc E Sign | Doc E Sign decides what fields are captured, how they are stored, and how the record is structured | | Determines the retention period | Doc E Sign | 7 years from the date of signing, on the basis of accountability obligations (Article 5(2)) and potential legal claims (Article 17(3)(b)) | | Benefits from the record as evidence of ceremony integrity | Both parties | The Sender benefits from evidence that the ceremony was properly conducted; Doc E Sign benefits as evidence of its own compliance | | Responds to data subject access requests (Art. 15) relating to this record | Doc E Sign | Contact: privacy@doc-e-sign.com | | Responds to data subject erasure requests (Art. 17) relating to this record | Doc E Sign | Doc E Sign may decline erasure where retention is required under Article 17(3)(b); will respond in writing within 30 days |
2.2 — Audit trail metadata (IP address, user agent, event timestamps)
What is processed: The technical record of the signing ceremony — when the signer opened the link, when consent was given, when the document was signed — together with the signer's encrypted IP address and browser type at each event.
Why it is processed: To create a tamper-evident, independently verifiable audit trail that can be used by either party to establish the authenticity and timing of a signature in the event of a dispute. Both parties benefit from this record.
| Responsibility | Party | Detail | |---|---|---| | Decides to collect IP address and user agent | Doc E Sign | Doc E Sign independently determines that these are necessary for audit integrity; the Sender gives no instruction to collect them | | Determines the hash chain format and algorithm | Doc E Sign | The audit chain algorithm is Doc E Sign's own; the Sender has no control over it | | Determines the retention period | Doc E Sign | 7 years from the date of signing | | Stores the audit records | Doc E Sign | In encrypted form; DEK destruction available on erasure request subject to retention override | | Benefits from the audit record as evidence | Both parties | Either party may rely on the audit record in a dispute | | Responds to data subject access requests (Art. 15) for audit records | Doc E Sign | Contact: privacy@doc-e-sign.com | | Responds to data subject erasure requests (Art. 17) for audit records | Doc E Sign | May decline where Article 17(3)(b) applies; will respond in writing within 30 days |
3. Processing activities that are NOT joint
For clarity, the following processing activities are the sole responsibility of the identified party and are not governed by this Arrangement.
| Processing activity | Sole controller | Basis | |---|---|---| | Deciding which signers receive a signing request | Sender | The Sender independently decides who to send documents to | | The content of the document sent for signature | Sender | Doc E Sign does not determine document content | | The signer's name and email address (provided by the Sender) | Sender | Doc E Sign processes this data on the Sender's instruction (Article 28 Data Processor Agreement) | | Sender account data (Sender's email, billing details, usage history) | Doc E Sign | Doc E Sign independently determines the purposes of processing its own customer data | | Application of Stripe payment processing | Doc E Sign | Billing data processed on Doc E Sign's own basis (contract performance, Article 6(1)(b)) |
4. Security responsibilities
Doc E Sign is responsible for:
- Encryption of all signer PII fields using data encryption keys (DEKs) managed by Supabase Vault
- Enforcing insert-only access controls on audit records (no record can be updated or deleted after creation)
- Maintaining the security of the Doc E Sign platform, including access controls, dependency management, and incident response
- Notifying the Sender within 72 hours of becoming aware of a personal data breach affecting jointly controlled data
The Sender is responsible for:
- Securing their Doc E Sign account credentials
- Ensuring the email addresses they provide for signers are correct and up to date
- Notifying Doc E Sign promptly if they become aware of a breach or suspected misuse of their account
5. Sub-processors
Doc E Sign uses the following sub-processors in connection with the joint processing activities covered by this Arrangement. The full sub-processor list is maintained in Doc E Sign's Privacy Notice and Data Processing Agreement.
| Sub-processor | Role in joint processing | Location | |---|---|---| | Supabase | Database storage and encryption key management for audit records and acknowledgment records | EU (Frankfurt) | | Nuntly | Delivery of signing emails that initiate the ceremony | EU (to be confirmed in writing before production deployment) |
The Sender does not use any additional sub-processors in connection with the joint processing activities covered by this Arrangement; the Sender's sub-processors relevant to the document content and signer identity data are governed by the Sender's own controller obligations, not this Arrangement.
6. International data transfers
Personal data processed under this Arrangement is stored by Supabase on EU (Frankfurt) infrastructure. No transfer of jointly controlled personal data to countries outside the UK or EEA is made by Doc E Sign under this Arrangement, except where adequacy or an appropriate transfer mechanism (IDTA for UK-originating data; EU SCCs for EU-originating data) is in place. Transfer mechanisms for each sub-processor are documented in Doc E Sign's sub-processor DPA register.
7. Data subject rights
Data subjects (signers) may exercise their rights in relation to jointly controlled data by contacting either party. The parties have agreed to the following allocation for handling requests:
| Right | Contact point | Notes | |---|---|---| | Access (Art. 15) to audit records, IP address, user agent, acknowledgment record | Doc E Sign: privacy@doc-e-sign.com | Doc E Sign will respond within 30 days | | Access (Art. 15) to document content and signer identity data held by the Sender | Sender: contact details provided in the signing email | Doc E Sign will assist in identifying the correct contact if the Sender's details are unknown | | Erasure (Art. 17) of Doc E Sign-controlled audit data | Doc E Sign: privacy@doc-e-sign.com | Doc E Sign may decline where Article 17(3)(b) applies; will respond in writing within 30 days explaining the basis and the right to complain | | Erasure (Art. 17) of Sender-controlled data | Sender | | | Restriction (Art. 18) of Doc E Sign-controlled processing | Doc E Sign: privacy@doc-e-sign.com | | | Portability (Art. 20) of Doc E Sign-controlled data | Doc E Sign: privacy@doc-e-sign.com | Returns structured JSON of all Doc E Sign-held data for the requesting data subject | | Objection (Art. 21) to Doc E Sign's legitimate interest processing | Doc E Sign: privacy@doc-e-sign.com | See Legitimate Interest Assessment at doc-e-sign.com/legal/legitimate-interest-assessment |
Where a data subject cannot reach the Sender or does not know the Sender's contact details, Doc E Sign will assist in identifying the appropriate contact where possible, or will escalate the request to the Sender on the data subject's behalf.
8. Supervisory authority
For UK data subjects: the Information Commissioner's Office (ICO), ico.org.uk.
For EU data subjects: the data protection authority of the EU member state where the data subject is located, or (pending Doc E Sign's EU establishment) the authority of the member state where Doc E Sign processes the largest volume of EU data subjects' data.
Either party may be the primary contact for the supervisory authority in relation to the aspects of processing for which they are responsible under this Arrangement.
9. Duration and termination
This Arrangement applies for the duration of the Sender's Doc E Sign account and for the period during which either party retains personal data that is subject to this Arrangement. The retention of audit records for 7 years means that Doc E Sign's obligations under this Arrangement in respect of audit data continue for 7 years after the last signing ceremony conducted under the Sender's account, regardless of whether the account is still active.
Termination of the Sender's Doc E Sign account does not terminate this Arrangement in relation to audit records already created.
10. Governing law
This Arrangement is governed by English law. The parties submit to the jurisdiction of the English courts for any dispute arising under it, without prejudice to either party's right to seek relief in any other competent jurisdiction.
11. Publication and updates
This Arrangement is published at doc-e-sign.com/dca. Material changes to this Arrangement will be communicated to Senders by email with 30 days' notice. Changes that affect data subjects' rights will also be reflected in an updated Privacy Notice at doc-e-sign.com/privacy.