Doc E Sign
PricingDocsSign inStart free

Data Processing Agreement

Version v1.0 — effective 30 May 2026

Doc E Sign — Data Processing Agreement

Effective date: 30 May 2026 Version: 1.0 URL: doc-e-sign.com/dpa

This Data Processing Agreement ("DPA") is entered into between Doc E Sign ("Processor") and the sender who accepts Doc E Sign's Terms of Service ("Controller"). It forms part of Doc E Sign's Terms of Service and is incorporated by reference.

This DPA governs Doc E Sign's processing of personal data on the Controller's behalf under Article 28 of the UK General Data Protection Regulation (UK GDPR) and Article 28 of the EU General Data Protection Regulation (EU GDPR), as applicable.

1. Definitions

"Controller" means the sender — the Doc E Sign account holder who uploads documents and instructs Doc E Sign to initiate signing ceremonies.

"Processor" means Doc E Sign.

"Personal Data" has the meaning given in the applicable data protection law.

"Processing" has the meaning given in the applicable data protection law.

"Data Subject" means the individual whose personal data is processed — in this context, primarily the signer.

"Sub-Processor" means any third party engaged by Doc E Sign to process Personal Data under this DPA.

"Applicable Law" means UK GDPR, EU GDPR, and any other data protection legislation applicable to the processing described in this DPA.

"Services" means the Doc E Sign document signing service as described in the Terms of Service and documentation at docs.doc-e-sign.com.

2. Scope and nature of processing

2.1 Subject matter

Doc E Sign processes personal data on the Controller's behalf to deliver the Services: initiating signing ceremonies, delivering documents to signers, capturing signatures and field values, and returning completed signed PDFs.

2.2 Personal data processed under this DPA

This DPA governs the following categories of personal data for which the Controller is the data controller:

| Category | Detail | |---|---| | Signer email addresses | Provided by the Controller when creating an envelope; used to deliver the signing invitation | | Signer names | Provided by the Controller or entered by the signer during the ceremony; embedded in the signed PDF | | Document content | The PDF uploaded by the Controller; may contain personal data of signers or third parties | | Signatures and field values | Captured from signers during the ceremony; embedded in the completed PDF | | Completed signed PDFs | Stored in Doc E Sign's secure storage for the duration of the Controller's active subscription |

Note on jointly controlled data: Doc E Sign independently determines the purposes and means of processing certain signer data (IP address, user agent, event timestamps, and the acknowledgment record). Doc E Sign is a data controller for this data, not a processor acting on the Controller's instructions. This data is governed by the Joint Controller Arrangement and Privacy Notice, not this DPA.

2.3 Categories of data subjects

Signers — individuals who receive a signing invitation from the Controller and are asked to sign a document via the Doc E Sign platform. The Controller is responsible for determining the identity of signers and having a lawful basis for sharing their contact details with Doc E Sign.

2.4 Purpose of processing

To perform the signing ceremony on the Controller's instructions: delivering the document to signers, capturing signatures and other field values, sealing the completed PDF, and storing it in the Controller's account.

2.5 Duration of processing

Doc E Sign will process Personal Data under this DPA for the duration of the Controller's active subscription and for up to 30 days following account cancellation (the post-cancellation download window), after which stored signed PDFs are permanently deleted.

3. Controller instructions

3.1 Processing on instruction

Doc E Sign will process Personal Data only on the documented instructions of the Controller. The Controller's instructions are set out in this DPA and are exercised through the Doc E Sign dashboard and API (where available). The act of creating an envelope, specifying signers, and initiating the signing ceremony constitutes the Controller's instruction to process.

3.2 Legal compliance

Doc E Sign will inform the Controller promptly if, in Doc E Sign's opinion, an instruction infringes Applicable Law. Doc E Sign is not required to follow an instruction that would require it to breach Applicable Law.

3.3 Confidentiality

Doc E Sign will ensure that all personnel authorised to process Personal Data under this DPA are subject to appropriate confidentiality obligations.

4. Security

Doc E Sign will implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

| Measure | Implementation | |---|---| | Encryption at rest | All stored documents and signer PII are encrypted at rest; signer PII fields use per-signer data encryption keys (DEKs) managed by Supabase Vault | | Encryption in transit | TLS 1.2 or higher enforced on all connections | | Access controls | Role-based access; database-level row security policies; insert-only controls on audit records | | Key management | DEKs managed by Supabase Vault; keys are destroyed on valid erasure requests | | Dependency scanning | GitHub Dependabot and npm audit in CI pipeline | | Vulnerability management | Regular dependency updates; security linting in CI | | Incident response | Documented incident response process; data breach notification per clause 7 |

Doc E Sign will regularly review these measures to ensure they remain appropriate to the risk.

5. Sub-processors

5.1 Authorisation

The Controller authorises Doc E Sign to engage the following sub-processors for the purposes of delivering the Services:

| Sub-processor | Purpose | Location | DPA in place | |---|---|---|---| | Supabase | Database, authentication, file storage, encryption key management | EU (Frankfurt, Germany) | Yes | | Nuntly | Delivery of signing invitation emails and completed document emails to signers | EU (EU-native) | Pending — DPA must be executed before production deployment |

Doc E Sign will not engage additional sub-processors without providing the Controller with prior notice. Notice of new sub-processors will be given by updating this DPA (with 30 days' notice for material additions) and by email notification to the Controller's registered address.

5.2 Sub-processor obligations

Doc E Sign will impose data protection obligations on each sub-processor equivalent to those set out in this DPA, in particular regarding confidentiality, security, and data subject rights. Doc E Sign remains liable to the Controller for the acts and omissions of its sub-processors to the same extent as it would be liable if it performed the processing directly.

6. Data subject rights

Doc E Sign will assist the Controller in meeting its obligations to respond to data subject rights requests relating to Personal Data processed under this DPA. Specifically:

  • Where a signer contacts Doc E Sign with an access, erasure, rectification, restriction, or portability request relating to data controlled by the Controller (document content, signer identity data provided by the Controller), Doc E Sign will notify the Controller within 5 business days and provide such assistance as the Controller reasonably requires.
  • Doc E Sign maintains an email lookup mechanism that enables identification of signer records without full-table decryption, enabling efficient response to erasure and access requests.
  • For erasure requests relating to data that Doc E Sign controls in its own right (IP address, user agent, audit record structure), Doc E Sign will respond directly to the data subject. See the Joint Controller Arrangement for the allocation of rights-handling responsibilities.

7. Personal data breach notification

Doc E Sign will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting Personal Data processed under this DPA. The notification will include, to the extent then known:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach

Doc E Sign will cooperate with the Controller in investigating the breach and in meeting the Controller's own notification obligations to supervisory authorities and data subjects.

8. Data protection impact assessments

Doc E Sign will provide the Controller with reasonable assistance in carrying out any data protection impact assessment (DPIA) required by Applicable Law in connection with the processing under this DPA.

9. Deletion and return of Personal Data

9.1 On termination

On termination of the Controller's Doc E Sign account, or on the Controller's written request:

  • Completed signed PDFs stored in Doc E Sign's secure storage will be made available for download for 30 days following account closure and will then be permanently deleted
  • Any personal data held by Doc E Sign solely as processor will be deleted or anonymised within 30 days of the end of the 30-day download window

9.2 Retention override

Notwithstanding clause 9.1, Doc E Sign may retain personal data for the period and to the extent required by Applicable Law. In particular:

  • The cryptographic audit chain (which contains no readable personal data — signer PII fields are encrypted and the DEKs are destroyed on erasure) is retained for 7 years from the date of signing, in accordance with Doc E Sign's controller obligations and legitimate interest basis
  • Billing and financial records are retained for 7 years from the date of the relevant transaction in accordance with UK tax law

Doc E Sign will confirm in writing upon request that deletion has been completed.

10. Audits and inspection

The Controller may audit Doc E Sign's compliance with this DPA subject to the following conditions:

  • The Controller provides at least 30 days' written notice
  • Audits are conducted during normal business hours and no more than once per calendar year, unless required by a supervisory authority
  • The Controller bears all costs of any audit unless the audit reveals a material breach by Doc E Sign
  • The audit does not require Doc E Sign to disclose confidential information relating to other customers or third parties

As an alternative to a direct audit, the Controller may request Doc E Sign's most recent security documentation, penetration test results (where available), or third-party certifications (where obtained).

11. International data transfers

11.1 EU data

Personal data originating from EU data subjects is stored by Supabase on EU (Frankfurt, Germany) infrastructure. Where any international transfer of EU-originating personal data is required, it will be covered by EU Standard Contractual Clauses (Commission Decision 2021/914) or an applicable adequacy decision.

11.2 UK data

Personal data originating from UK data subjects is stored on the same EU infrastructure. The EU renewed its adequacy decision for the UK on 19 December 2025 (covering both GDPR and the Law Enforcement Directive) — no transfer mechanism is required for UK-originating data flowing to EU/EEA countries. Where UK-originating personal data is transferred to a country outside the UK and EEA that lacks UK adequacy, Doc E Sign will use an International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, as appropriate. Verification note: adequacy decisions can be amended or revoked; this status should be re-verified annually or whenever a material change in UK–EU data relations is reported.

11.3 Sub-processor transfers

Each sub-processor transfer is covered by the sub-processor's own DPA and applicable transfer mechanisms. Doc E Sign's sub-processor register (maintained internally) documents the transfer mechanism applicable to each data flow.

12. Controller's responsibilities

The Controller is responsible for:

  • Having a lawful basis under Applicable Law for sharing signer personal data with Doc E Sign and for instructing Doc E Sign to process it
  • Ensuring that signers have been informed that their data will be processed by Doc E Sign in accordance with Doc E Sign's Privacy Notice
  • Ensuring that the documents sent for signature do not contain personal data of third parties whose data the Controller is not authorised to share
  • Complying with all obligations imposed on data controllers under Applicable Law in connection with the processing described in this DPA

13. Governing law

This DPA is governed by the law of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for any dispute arising under this DPA, without prejudice to any supervisory authority's jurisdiction.

14. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the subject matter of data processing. In the event of any conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses prevail.