GDPR Compliance

Last updated: April 20, 2026

ZDottedLine Inc. is committed to protecting the personal data of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

Our Role

When you use ZDottedLine, we act as a data processor for the document content and signature data you collect through our platform. You, as the account holder, act as the data controller and are responsible for ensuring you have a lawful basis for collecting personal data from your signers.

For account and billing data that we collect directly from you, we act as the data controller.

Lawful Basis for Processing

We process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)) — To provide the e-signature Service you subscribed to, including document processing, signature collection, and account management
  • Legitimate interests (Art. 6(1)(f)) — To maintain security, prevent fraud, improve the Service, generate aggregate analytics, and operate our business
  • Legal obligation (Art. 6(1)(c)) — To maintain audit trails as required by eIDAS, tax regulations, and other applicable laws
  • Consent (Art. 6(1)(a)) — For optional features such as marketing communications, which you may withdraw at any time

Your Rights Under GDPR

If you are in the EEA, UK, or Switzerland, you have the right to:

  • Access (Art. 15) — Request a copy of the personal data we hold about you
  • Rectification (Art. 16) — Request correction of inaccurate or incomplete data
  • Erasure (Art. 17) — Request deletion of your data, subject to legal retention requirements for audit logs and the permanent nature of blockchain hash records (which contain no personal data)
  • Restriction (Art. 18) — Request that we limit processing of your data in certain circumstances
  • Portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
  • Objection (Art. 21) — Object to processing based on legitimate interests
  • Automated Decision-Making (Art. 22) — We do not make automated decisions that produce legal effects concerning you

To exercise your rights, email privacy@zdottedline.com. We will respond within thirty (30) days. If we need additional time, we will notify you of the extension and reason within the initial 30-day period.

Data Processing Agreement

We offer a Data Processing Agreement (DPA) for customers who require one under GDPR Article 28. The DPA details our obligations as a data processor, including security measures, sub-processor management, data breach notification procedures, and audit rights. Contact privacy@zdottedline.com to request or execute a DPA.

International Data Transfers

Data is stored and processed on AWS infrastructure in the United States (us-east-1 region). For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs), specifically the Controller-to-Processor module (Module 2) of the SCCs adopted by Commission Implementing Decision (EU) 2021/914.

AWS, our primary infrastructure provider, maintains its own compliance with international data transfer mechanisms, including SOC 2 Type II, ISO 27001, and the EU-US Data Privacy Framework. Details are available at AWS GDPR Center.

Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy:

  • Account data: Duration of account plus 30 days for data export
  • Document data: Per subscription plan terms, then securely deleted
  • Audit logs: Seven (7) years (eIDAS and legal compliance), then anonymized or deleted
  • Blockchain hash records: Permanent (on-chain data contains only cryptographic hashes, not personal data)
  • Payment records: Seven (7) years (tax and financial regulatory requirements)

Our data retention practices are governed by our internal Data Retention Policy, which defines retention periods, secure deletion procedures, and archival processes for each data category. Upon expiration of a retention period, data is securely deleted using cryptographic erasure or overwrite methods.

Sub-Processors

We use the following sub-processors to deliver the Service:

Sub-Processor        | Purpose                                              | Location
Amazon Web Services  | Cloud infrastructure, storage, compute, email (SES)  | United States
Stripe               | Payment processing and subscription management       | United States
Polygon Network      | Blockchain integrity anchoring (hashes only)         | Decentralized

We will notify customers of any changes to sub-processors at least thirty (30) days in advance. Customers may object to a new sub-processor by contacting us within the notice period.

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify affected data controllers within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33
  • Provide the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach
  • Notify affected individuals directly where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
  • Cooperate with supervisory authorities as required

Our response to security incidents is governed by our internal Incident Response Plan, which defines severity levels, escalation procedures, containment and eradication steps, forensic investigation processes, and post-incident review and remediation procedures. The plan is reviewed and tested at least annually.

Security Measures

We implement appropriate technical and organizational measures to protect personal data, as required by GDPR Article 32, including:

  • Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls with role-based permissions and multi-factor authentication
  • Regular testing and assessment of security measures
  • Employee access limited to personnel who require it for their role
  • Comprehensive audit logging of all data access and modifications
  • Automated threat detection (AWS GuardDuty, WAF, Security Hub)

Contact

For GDPR-related inquiries, data subject requests, or to request a Data Processing Agreement, contact our Data Protection team:

ZDottedLine Inc.
Data Protection Contact
390 NE 191st St, STE 36983
Miami, FL 33179
Phone: (786) 693-4578
Email: privacy@zdottedline.com

You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.