SignRequest & GDPR
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. The new regulation applies to all organizations that have EU citizens as customers. For more information about the GDPR visit: Commission: Data Protection.
SignRequest has taken the necessary actions to be GDPR compliant.
Among other actions, SignRequest performed a data privacy impact assessment (DPIA), assigned a data protection officer, adheres to the principles of "privacy by design & privacy by default", created a register for personal data and carefully selected its subcontractors.
In addition, SignRequest offers a Data Processing Agreement (DPA) which states how SignRequest processes and secures your data. If your organization has European citizens as customers, and you process their personal data with SignRequest, then to comply with the GDPR you'll need to sign a DPA with SignRequest.
Make sure to review the updated privacy statement and sign the data processing agreement.
Updated Data Processing Agreement
To review and sign the updated Data Processing Agreement visit: Data Processing Agreement.
Updated Privacy Statement
To review the updated privacy statement visit: Privacy Statement.
Data security measures
SignRequest has from the beginning (irrespective of the GDPR) taken the necessary actions to ensure the safety of your data. The most important ones are listed here. To continuously improve on our data security measures and protocols, SignRequest is currently in the process of achieving ISO 27001 certification.
- Encryption of digital files containing personal data
- Security of the network connection with Secure Sockets Layer (SSL) technology or a similar technology
- Restriction of access to the personal data to authorised employees
- Security of the personal data in accordance with the ISO 27001 standard for the selected server (Amazon Web Services, EU)
- SignRequest passed the extensive Salesforce Security Review which is based on the OWASP top 10 list
The EU-US Privacy Shield & Subcontractors
To offer the SignRequest service, SignRequest uses subcontractors. For example, our technical infrastructure and data storage are handled by Amazon Web Services (within the EU). A full list of subcontractors can be found in the SignRequest DPA.
The use of subcontractors is regulated by the GDPR as well. Contracts are only processed and stored within the EU. Where subcontractors outside the EU process limited personal data, SignRequest has selected subcontractors that adhere to the principles of the Privacy Shield or have taken comparable technical and organisational measures.
Added security features (coming very soon)
SignRequest is also adding additional (optional) security features for customers that require an extra level of safety.
- Two-factor login: you can now add two-factor verification to your account. For more information visit: Two-factor verification.
- Signer password: optionally, you can now add a separate password per signer to your SignRequests. This means the signer can only view (and sign) the document after entering the separate password. You'll need to send this password to your signers through a separate channel, for example by phone or text message.