GDPR Compliance

Your rights and our commitment to data protection under the General Data Protection Regulation.

Last updated: August 2025

1. Our Commitment to GDPR

DotSign Inc. ("we", "us", "our") is committed to protecting the privacy and personal data of all individuals in the European Union and European Economic Area. We have implemented comprehensive measures to ensure full compliance with Regulation (EU) 2016/679 - the General Data Protection Regulation (GDPR) and related data protection laws.

As a data controller and processor of personal data, we recognize our responsibilities under GDPR and have established robust governance frameworks, technical safeguards, and organizational measures to protect your fundamental rights and freedoms with respect to the processing of personal data.

Key Compliance Highlights

  • Appointed dedicated Data Protection Officer (DPO)
  • Implemented Privacy by Design and Privacy by Default principles
  • Conducted comprehensive Data Protection Impact Assessments (DPIAs)
  • Established lawful basis for all data processing activities
  • Implemented robust consent management systems
  • Established procedures for data breach notification within 72 hours

2. Data Controller and Processor Information

Data Controller

Entity: DotSign Inc.

Address: 123 Digital Avenue, San Francisco, CA 94105, USA

EU Representative: DotSign EU Ltd., Dublin, Ireland

Registration: Irish Data Protection Commission

Contact: dpo@dotsign.net

Data Protection Officer

Name: Sarah Mitchell, CIPP/E, CIPM

Certification: Certified Information Privacy Professional

Email: dpo@dotsign.net

Phone: +353 1 234 5678 (EU hours)

Languages: English, German, French, Spanish

3. Categories of Personal Data We Process

We process the following categories of personal data in accordance with GDPR principles:

Identity and Contact Data

Data Types:

  • Full name and title
  • Email addresses (primary and secondary)
  • Phone numbers (mobile and landline)
  • Postal addresses (billing and correspondence)
  • Company name and job title
  • Profile photographs (optional)

Processing Purposes:

  • Account creation and management
  • Service delivery and communication
  • Customer support and assistance
  • Legal compliance and verification
  • Fraud prevention and security

Electronic Signature Data

Data Types:

  • Digital signature images and vectors
  • Biometric signature data (pressure, speed, timing)
  • Document content and metadata
  • Signature timestamps and locations
  • Authentication credentials and certificates
  • Audit trail information

Processing Purposes:

  • Electronic signature creation and verification
  • Document integrity and authenticity
  • Legal compliance and evidence
  • Dispute resolution and litigation support
  • Regulatory reporting and audits

Technical and Usage Data

Data Types:

  • IP addresses and geolocation data
  • Device identifiers and browser information
  • Usage patterns and feature interactions
  • Performance metrics and error logs
  • Cookie and tracking data
  • API access logs and authentication tokens

Processing Purposes:

  • Service optimization and performance
  • Security monitoring and threat detection
  • Analytics and business intelligence
  • Technical support and troubleshooting
  • Product development and improvement

Financial and Billing Data

Data Types:

  • Payment method information (tokenized)
  • Billing addresses and tax information
  • Transaction history and invoices
  • Subscription and usage records
  • Refund and chargeback data
  • Credit and risk assessment data

Processing Purposes:

  • Payment processing and billing
  • Subscription management
  • Financial reporting and accounting
  • Fraud prevention and risk management
  • Tax compliance and reporting

4. Your Rights Under GDPR

As a data subject under GDPR, you have comprehensive rights regarding your personal data. We have implemented systems and procedures to facilitate the exercise of these rights:

Right to Access (Article 15)

You can request access to your personal data and information about how we process it.

Includes: Data categories, processing purposes, recipients, retention periods, source of data

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

Timeline: Without undue delay, typically within 30 days

Right to Erasure (Article 17)

You can request deletion of your personal data under certain circumstances.

Exceptions: Legal obligations, legitimate interests, freedom of expression

Right to Portability (Article 20)

You can request your data in a structured, machine-readable format.

Formats: JSON, CSV, XML, or direct transfer to another controller

Right to Restrict Processing (Article 18)

You can request limitation of processing under certain conditions.

Conditions: Accuracy disputes, unlawful processing, legal claims

Right to Object (Article 21)

You can object to processing based on legitimate interests or direct marketing.

Marketing: Absolute right to object, no exceptions

Right to Withdraw Consent (Article 7)

You can withdraw consent at any time where processing is based on consent.

Effect: Withdrawal does not affect lawfulness of prior processing

Right to Lodge a Complaint (Article 77)

You can file a complaint with a supervisory authority if you believe we violate GDPR.

Authority: Your local DPA or Irish Data Protection Commission (our lead authority)

5. Legal Basis for Processing

We process your personal data only when we have a valid legal basis under Article 6 of GDPR:

Contract (Article 6(1)(b))

Processing necessary for the performance of our service agreement with you.

Examples: Account creation, document processing, signature verification, service delivery, billing

Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate interests, balanced against your rights and freedoms.

Examples: Fraud prevention, security monitoring, service improvement, analytics, direct marketing to existing customers

Consent (Article 6(1)(a))

Processing based on your freely given, specific, informed, and unambiguous consent.

Examples: Marketing communications, optional features, cookies (non-essential), newsletter subscriptions

Legal Obligation (Article 6(1)(c))

Processing necessary for compliance with legal obligations to which we are subject.

Examples: Tax reporting, regulatory compliance, law enforcement requests, audit requirements, record keeping

Vital Interests (Article 6(1)(d))

Processing necessary to protect vital interests of you or another natural person.

Examples: Emergency situations, medical emergencies, safety threats (rarely applicable to our services)

6. Data Protection Measures and Security

We have implemented comprehensive technical and organizational measures to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage:

Technical Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Multi-factor authentication, role-based access
  • Network Security: Firewalls, intrusion detection, VPN access
  • Data Integrity: Checksums, digital signatures, audit logs
  • Backup & Recovery: Encrypted backups, disaster recovery testing
  • Monitoring: 24/7 security monitoring, anomaly detection
  • Vulnerability Management: Regular scans, penetration testing
  • Secure Development: Security by design, code reviews

Organizational Measures

  • Staff Training: Regular GDPR and security awareness training
  • Access Management: Principle of least privilege, regular reviews
  • Incident Response: 72-hour breach notification procedures
  • Vendor Management: Due diligence, data processing agreements
  • Privacy Governance: Privacy by design, impact assessments
  • Documentation: Records of processing activities
  • Compliance Monitoring: Regular audits, compliance reviews
  • Physical Security: Secure data centers, access controls

Certifications and Standards

ISO 27001:2013
Information Security Management
SOC 2 Type II
Security, Availability, Confidentiality
GDPR Compliance
Regular third-party assessments

7. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through appropriate safeguards as required by Chapter V of GDPR:

Standard Contractual Clauses (SCCs)

We use the European Commission's Standard Contractual Clauses (Decision 2021/914/EU) for transfers to third countries without adequacy decisions.

Additional Measures: Transfer impact assessments, supplementary measures where necessary

Adequacy Decisions

We may transfer data to countries with European Commission adequacy decisions, including:

Countries: Canada, Japan, New Zealand, Switzerland, United Kingdom, and others as determined by the Commission

Binding Corporate Rules (BCRs)

For intra-group transfers, we are developing Binding Corporate Rules approved by relevant supervisory authorities.

Status: Under development, expected completion Q2 2025

Transfer Impact Assessments (TIAs)

We conduct Transfer Impact Assessments for all international transfers to evaluate risks and implement supplementary measures where necessary.

Factors Considered: Local laws, government access, data subject rights, available remedies

8. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and protect our legitimate interests:

Data CategoryRetention PeriodLegal BasisDeletion Method
Account InformationActive account + 7 years after closureLegal obligation, legitimate interestSecure deletion, cryptographic erasure
Electronic Signatures10 years (or as legally required)Legal obligation, contractArchived, then secure deletion
Usage Analytics26 months (Google Analytics)Legitimate interest, consentAutomatic expiration, anonymization
Marketing DataUntil consent withdrawn + 3 yearsConsent, legitimate interestImmediate removal from active systems
Support Communications3 years after case closureLegitimate interest, contractSecure deletion, audit trail maintained
Financial Records7 years (tax and accounting laws)Legal obligationSecure archival, then deletion
Security Logs1 year (operational), 7 years (incidents)Legitimate interest, legal obligationAutomated deletion, pseudonymization

Deletion Procedures

  • Secure Deletion: Multi-pass overwriting, cryptographic erasure for encrypted data
  • Backup Handling: Deletion from backups within 90 days of retention period expiry
  • Third-Party Data: Deletion requests sent to all processors and sub-processors
  • Verification: Deletion certificates and audit trails maintained
  • Legal Holds: Data preserved when subject to legal proceedings or investigations

9. Data Processing Activities and Third Parties

We maintain detailed records of our processing activities as required by Article 30 GDPR. Below are our key data processors and their roles:

Cloud Infrastructure Providers

Amazon Web Services (AWS)

  • Data hosting and storage
  • Compute and processing services
  • EU data residency (Frankfurt, Ireland)
  • AWS Data Processing Agreement

Google Cloud Platform

  • Analytics and machine learning
  • Email delivery services
  • EU data processing locations
  • Google Cloud Data Processing Amendment

Payment and Financial Services

Stripe Inc.

  • Payment processing and billing
  • PCI DSS Level 1 certified
  • EU-US data transfers via SCCs
  • Stripe Data Processing Agreement

PayPal Holdings Inc.

  • Alternative payment processing
  • Fraud detection and prevention
  • EU operations and data residency
  • PayPal Data Processing Addendum

Communication and Support Services

Intercom Inc.

  • Customer support and chat
  • Help documentation
  • EU data processing via SCCs
  • Intercom Data Processing Agreement

SendGrid Inc. (Twilio)

  • Transactional email delivery
  • Email analytics and tracking
  • EU email infrastructure
  • Twilio Data Protection Agreement

Analytics and Marketing Services

Google LLC

  • Google Analytics and Tag Manager
  • Google Ads and conversion tracking
  • EU-US data transfers via SCCs
  • Google Ads Data Processing Terms

HubSpot Inc.

  • Marketing automation and CRM
  • Lead generation and nurturing
  • EU data processing capabilities
  • HubSpot Data Processing Agreement

Processor Oversight and Compliance

  • All processors are bound by comprehensive Data Processing Agreements (DPAs)
  • Regular audits and compliance assessments of key processors
  • Incident notification requirements within 24 hours
  • Processor certification requirements (ISO 27001, SOC 2, etc.)
  • Right to audit and inspect processor facilities and systems
  • Mandatory data breach notification and response procedures

10. Exercising Your Rights

We have established streamlined procedures to facilitate the exercise of your GDPR rights. You can submit requests through multiple channels:

Online Request Portal

Use our secure online portal for data subject requests:

URL: privacy.dotsign.net/requests

Features: Secure authentication, request tracking, document upload

Languages: Available in 12 EU languages

Direct Contact

Contact our Data Protection Officer directly:

Email: dpo@dotsign.net

Phone: +353 1 234 5678 (EU business hours)

Secure Form: Encrypted contact form available

Request Processing Timeline

Acknowledgment
Within 72 hours
Identity Verification
1-3 business days
Processing
Up to 30 days
Complex Requests
Up to 60 days (with notice)

Identity Verification Requirements

To protect your personal data, we may require identity verification for certain requests:

  • Government-issued photo ID (passport, driver's license, national ID card)
  • Proof of address (utility bill, bank statement) for sensitive requests
  • Additional verification for third-party or representative requests
  • Secure document upload through encrypted channels
  • Alternative verification methods for individuals without standard ID

11. Data Breach Notification

We have implemented comprehensive data breach response procedures in accordance with Articles 33 and 34 of GDPR:

Supervisory Authority Notification

  • Timeline: Within 72 hours of becoming aware
  • Authority: Irish Data Protection Commission (lead authority)
  • Content: Nature of breach, categories and numbers affected, consequences, measures taken
  • Follow-up: Additional information provided without undue delay

Data Subject Notification

  • Criteria: High risk to rights and freedoms
  • Timeline: Without undue delay
  • Method: Direct communication (email, in-app notification)
  • Content: Nature of breach, likely consequences, measures taken, contact information

Breach Response Team

Incident Commander
Chief Security Officer
Privacy Lead
Data Protection Officer
Legal Counsel
General Counsel

12. Complaints and Supervisory Authorities

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority:

Lead Supervisory Authority

Authority: Data Protection Commission (Ireland)

Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Phone: +353 57 868 4757

Email: info@dataprotection.ie

Website: dataprotection.ie

Local Supervisory Authorities

You may also lodge a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.

Directory: EDPB Member Authorities

Internal Complaint Resolution

Before lodging a complaint with a supervisory authority, we encourage you to contact us directly. We are committed to resolving privacy concerns promptly and fairly.

Complaint Email: privacy-complaints@dotsign.net

Resolution Timeline: We aim to resolve complaints within 30 days

13. Contact Information

For any questions about our GDPR compliance or to exercise your rights, please contact us:

Data Protection Officer

Name: Sarah Mitchell, CIPP/E, CIPM

Email: dpo@dotsign.net

Phone: +353 1 234 5678

Secure Contact: privacy.dotsign.net/contact

Privacy Team

General Inquiries: privacy@dotsign.net

Data Requests: data-requests@dotsign.net

Complaints: privacy-complaints@dotsign.net

Security Issues: security@dotsign.net

Mailing Address

DotSign Inc. - Privacy Team

624 South Grand Avenue #2211

Los Angeles, CA 90017

United States

EU Representative: DotSign EU Ltd., 45 Grafton Street, Dublin 2, Ireland

Response Time: We will acknowledge your inquiry within 72 hours and provide a substantive response within 30 days. For complex requests, we may extend this period by an additional 60 days with prior notice.