Zsign

Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between ZSign, Inc. (“Data Processor” or “ZSign”) and the entity agreeing to these terms (“Data Controller” or “Customer”) for the use of ZSign's services. This DPA is incorporated by reference into ZSign's Terms of Service.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
  • “Data Protection Laws” means GDPR (Regulation (EU) 2016/679), the UK GDPR, CCPA, and any other applicable data protection legislation.
  • “Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • “Sub-processor” means any third party engaged by ZSign to process Personal Data on behalf of the Customer.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.

2. Scope & Purpose of Processing

2.1 Subject Matter

ZSign processes Personal Data on behalf of the Customer to provide the document automation and electronic signature services described in the Terms of Service.

2.2 Categories of Data Subjects

  • Customer's employees and team members
  • Customer's clients and counterparties
  • Document signers and recipients

2.3 Types of Personal Data

  • Names, email addresses, and contact information
  • Electronic signature data and audit trail information
  • IP addresses, browser information, and device identifiers
  • Document content containing Personal Data
  • Payment and billing information

2.4 Duration

Processing shall continue for the duration of the service agreement, plus the data retention periods specified in our Privacy Policy.

3. Obligations of the Data Processor

ZSign shall:

  • Process Personal Data only on documented instructions from the Customer, including transfers to third countries, unless required to do so by applicable law.
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist the Customer, taking into account the nature of processing, in fulfilling obligations to respond to Data Subject requests.
  • Assist the Customer in ensuring compliance with data breach notification obligations.
  • At the Customer's choice, delete or return all Personal Data upon termination of the agreement, and delete existing copies unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

4. Security Measures

ZSign implements the following technical and organizational security measures:

4.1 Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for all data at rest
  • Encrypted database backups

4.2 Access Controls

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication for employee access
  • Principle of least privilege enforced across infrastructure
  • Regular access reviews and de-provisioning of former employees

4.3 Infrastructure

  • SOC 2 Type II compliant infrastructure providers
  • Geographic redundancy and automated backups
  • DDoS protection and web application firewalls
  • Regular penetration testing and vulnerability scanning

4.4 Organizational Measures

  • Security awareness training for all employees
  • Documented information security policies
  • Incident response plan with defined procedures
  • Background checks for employees with data access

5. Sub-processors

5.1 Authorized Sub-processors

The Customer provides general authorization for ZSign to engage the following sub-processors:

  Sub-processor      Purpose                                    Location
  ---------------    ----------------------------------------   --------------------
  Supabase, Inc.     Authentication, database, file storage     United States
  Stripe, Inc.       Payment processing                         United States
  Resend, Inc.       Transactional email delivery               United States
  PostHog, Inc.      Product analytics                          United States / EU
  Vercel, Inc.       Application hosting & CDN                  United States
  AWS (Amazon)       Object storage (S3)                        United States

5.2 Changes to Sub-processors

ZSign will notify the Customer at least 30 days before engaging a new sub-processor or replacing an existing one. The Customer may object to a new sub-processor by providing written notice within 14 days. If the objection cannot be reasonably resolved, the Customer may terminate the affected services.

5.3 Sub-processor Obligations

ZSign ensures that all sub-processors are bound by written agreements imposing data protection obligations substantially similar to those in this DPA, including confidentiality, security measures, and cooperation with audits.

6. Data Breach Notification

  • ZSign will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting the Customer's Personal Data.
  • The notification will include, to the extent available:
    • The nature of the Data Breach
    • Categories and approximate number of affected Data Subjects
    • Likely consequences of the breach
    • Measures taken or proposed to mitigate the breach
    • Contact details for the designated point of contact
  • ZSign will cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.
  • Notification of a Data Breach shall not be construed as an acknowledgment of fault or liability by ZSign.

7. Data Subject Rights

ZSign will assist the Customer in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws (access, rectification, erasure, portability, restriction, and objection). ZSign will:

  • Promptly notify the Customer if ZSign receives a request directly from a Data Subject, unless prohibited by law.
  • Not respond to a Data Subject request directly unless authorized by the Customer or required by law.
  • Provide reasonable technical capabilities to help the Customer fulfill Data Subject requests, including data export tools.

8. Audit Rights

  • ZSign will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
  • The Customer (or an independent third-party auditor appointed by the Customer) may conduct an audit of ZSign's processing activities, subject to:
    • At least 30 days' written notice
    • Reasonable scope and duration
    • No more than one audit per 12-month period unless required by a supervisory authority
    • Compliance with ZSign's security and confidentiality policies
  • ZSign may satisfy audit requests by providing relevant SOC 2 reports, certifications, or other independent audit documentation.
  • The Customer shall bear the costs of any audit unless the audit reveals material non-compliance by ZSign.

9. International Transfers

Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country that does not provide an adequate level of data protection, ZSign will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Module Two: Controller to Processor).
  • The UK International Data Transfer Addendum, where applicable.
  • Supplementary measures, such as encryption and access controls, to address any residual risks.

10. Term & Termination

This DPA shall remain in effect for the duration of ZSign's processing of Personal Data on behalf of the Customer. Upon termination:

  • ZSign will, at the Customer's election, return or delete all Personal Data within 30 days of the termination date, and certify deletion in writing upon request.
  • ZSign may retain Personal Data to the extent required by applicable law, provided that such data is processed solely for that purpose and subject to appropriate security measures.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection obligations that cannot be limited under applicable law.

12. Contact

For questions about this DPA or to request execution of a customized DPA, please contact:

ZSign, Inc. — Legal & Data Protection

Email: dpa@zsign.com

Data Protection Officer: dpo@zsign.com