Data Processing Agreement

Last updated: June 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller") and Instant Signer Ltd (the "Processor") and governs the processing of personal data in connection with the Services.

1. Definitions

Terms such as “personal data”, “processing”, “data subject”, “controller”, and “processor” have the meanings given in applicable data protection law, including the GDPR.

2. Scope and roles

The Controller determines the purposes and means of processing. The Processor processes personal data only on the Controller's documented instructions, including those set out in the agreement and this DPA.

3. Subject matter and duration

The subject matter is the provision of email signature management services. Processing continues for the term of the agreement and until deletion or return of personal data as described below.

4. Nature and purpose of processing

Processing includes collection, storage, organization, use, and transmission of directory attributes to design and deploy email signatures. For cloud signature deployment, message content is processed in transit and not stored.

5. Categories of data and data subjects

  • Data subjects: the Controller's employees and other authorized users.
  • Categories of data: name, work contact details, job title, department, location, photo, and similar directory attributes.

6. Processor obligations

  • Process personal data only on documented instructions.
  • Ensure persons authorized to process are bound by confidentiality.
  • Implement appropriate technical and organizational measures.
  • Assist the Controller with data subject requests and compliance.
  • Notify the Controller of personal data breaches without undue delay.

7. Sub-processors

The Controller authorizes the Processor to engage the sub-processors listed on our Sub-processors page. We will inform you of changes and impose equivalent data protection obligations on each sub-processor.

8. International transfers

Where personal data is transferred internationally, the parties rely on Standard Contractual Clauses and appropriate supplementary measures.

9. Security

The Processor maintains the security measures described on our Security page, including encryption in transit and at rest, access controls, and audit logging.

10. Audits

The Processor will make available information necessary to demonstrate compliance and allow for reasonable audits, subject to confidentiality and operational safeguards.

11. Deletion and return

Upon termination, the Processor will, at the Controller's choice, delete or return personal data, except where retention is required by law.

12. Requesting a signed DPA

To request a countersigned copy of this DPA, contact legal@instantsigner.com.