Data Processing Agreement
Last updated: May 2, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zdottedline ("Data Processor," "we," "our," or "us") and our customers ("Data Controller," "you," or "your") who use our blockchain-verified e-signature platform.
This DPA ensures compliance with the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws regarding the processing of personal data through our services. It is designed to satisfy the requirements of GDPR Article 28.
2. Definitions
- "Personal Data" — Any information relating to an identified or identifiable natural person processed through our services.
- "Processing" — Any operation performed on Personal Data, including collection, storage, alteration, retrieval, and transmission.
- "Data Controller" — The entity that determines the purposes and means of processing Personal Data.
- "Data Processor" — Zdottedline, which processes Personal Data on behalf of the Data Controller.
- "Sub-processor" — Any third party engaged by Zdottedline to process Personal Data.
3. Subject Matter and Duration
This DPA applies to the processing of Personal Data by Zdottedline in connection with the provision of our e-signature services. The duration of this DPA corresponds to the duration of the Terms of Service.
The nature and purpose of processing include document signing, blockchain verification, user authentication, and related e-signature services as described in our Terms of Service.
4. Types of Personal Data
We process the following categories of Personal Data:
- Identity Data: Names, email addresses, and contact information
- Document Data: Content and metadata of documents uploaded for signing
- Signature Data: Electronic signatures and related verification information
- Technical Data: IP addresses, device information, and usage logs
- Blockchain Data: Cryptographic hashes and verification records (no personal data on-chain)
- Communication Data: Messages and notifications related to document signing
5. Obligations of the Data Processor
5.1 Processing Instructions
Zdottedline shall process Personal Data only on documented instructions from the Data Controller, including regarding transfers to third countries or international organizations, unless required to do so by applicable law.
5.2 Confidentiality
We ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Regular testing and evaluation of security measures
- Access controls, MFA, and least-privilege authentication
- Blockchain-based integrity verification of signed documents
- Regular security assessments and audits (SOC 2 in progress)
- Incident detection and response procedures
5.4 Sub-processors
We may engage Sub-processors to assist in providing our services. We ensure that Sub-processors are bound by data protection obligations at least as protective as those in this DPA. The current list of Sub-processors is published on our GDPR Compliance page.
6. Data Controller Rights
The Data Controller has the following rights:
- Right to Information: Request information about our processing activities
- Right to Audit: Conduct audits and inspections, subject to reasonable notice and confidentiality protections
- Right to Rectification: Request correction of inaccurate Personal Data
- Right to Erasure: Request deletion of Personal Data, subject to legal retention requirements
- Right to Restriction: Request limitation of processing
- Right to Portability: Receive Personal Data in a structured, machine-readable format
7. Data Breach Notification
In the event of a Personal Data breach, Zdottedline shall:
- Notify the Data Controller without undue delay after becoming aware of the breach
- Provide detailed information about the breach, including:
  - Nature of the Personal Data breach
  - Categories and approximate number of data subjects affected
  - Categories and approximate number of Personal Data records concerned
  - Likely consequences of the Personal Data breach
  - Measures taken or proposed to address the breach
- Assist the Data Controller in fulfilling its breach notification obligations to supervisory authorities and affected data subjects
- Document all Personal Data breaches and remedial actions taken
8. Data Protection Impact Assessment
Zdottedline shall provide reasonable assistance to the Data Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required under GDPR Articles 35 and 36.
9. Return and Deletion of Personal Data
Upon termination of services or upon request, Zdottedline shall:
- Return all Personal Data to the Data Controller, or
- Delete all Personal Data in our possession, except where:
  - Retention is required by applicable law (e.g., audit logs under eIDAS, financial records)
  - Blockchain hash records are immutable by design (and contain no Personal Data)
  - Data is necessary for the establishment, exercise, or defence of legal claims
- Provide written confirmation of deletion or return on request
10. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), Zdottedline ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission, specifically Module 2 (Controller-to-Processor) of the SCCs adopted by Implementing Decision (EU) 2021/914
- Adequacy decisions for recipient countries where applicable
- Supplementary measures consistent with the Schrems II ruling, including encryption and access controls
11. Liability and Indemnification
Each party shall be liable to the other for damages caused by its breach of this DPA. The liability provisions of the Terms of Service shall apply to this DPA, except where mandatory provisions of applicable data protection law require otherwise.
Zdottedline shall indemnify the Data Controller for any fines or penalties imposed by supervisory authorities solely due to our material breach of this DPA, subject to the limitations of liability set out in the Terms of Service.
12. Governing Law and Jurisdiction
This DPA shall be governed by the same law as the Terms of Service. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
13. Contact
For questions about this DPA or to request a counter-signed copy under your enterprise agreement, please contact:
- Privacy & Data Protection: privacy@zdottedline.com
- Legal: legal@zdottedline.com
14. Amendments
This DPA may be amended from time to time to reflect changes in applicable law or our processing practices. We will notify the Data Controller of any material changes and provide an updated version of this DPA. Continued use of the services following such notice constitutes acceptance of the amended DPA.