How to Use This DPA
This is SignLab's standard Data Processing Agreement. Enterprise and business customers who require a DPA under GDPR Article 28 or equivalent law should:
1. Download this document
2. Complete the Customer details in Schedule 1
3. Sign and return to legal@signlab.app
4. SignLab will countersign and return an executed copy within 5 business days
Questions: privacy@signlab.app
PARTIES
This Data Processing Agreement ("DPA") is entered into between:
Data Processor ("SignLab")
SignLab
Dubai, United Arab Emirates
privacy@signlab.app
Together referred to as the "Parties."
This DPA forms part of and is subject to the SignLab Terms of Service available at signlab.app/terms (the "Agreement"). In the event of conflict between this DPA and the Agreement, this DPA takes precedence with respect to data protection matters.
1. Definitions
In this DPA the following terms have the meanings set out below:
| Term | Definition |
|---|---|
| "Applicable Data Protection Law" | GDPR (EU) 2016/679, UK GDPR, UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, and any other applicable data protection legislation in force from time to time. |
| "Controller" | Has the meaning given in Applicable Data Protection Law — in this DPA, the Customer. |
| "Processor" | Has the meaning given in Applicable Data Protection Law — in this DPA, SignLab. |
| "Personal Data" | Any information relating to an identified or identifiable natural person that is processed by SignLab on behalf of the Customer under the Agreement. |
| "Processing" | Any operation performed on Personal Data including collection, storage, use, transmission, and deletion. |
| "Data Subject" | Any natural person whose Personal Data is processed under this DPA. |
| "Sub-Processor" | Any third party engaged by SignLab to process Personal Data on behalf of the Customer. |
| "Security Incident" | Any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Personal Data. |
| "SCCs" | Standard Contractual Clauses as approved by the European Commission for international transfers of personal data. |
2. Scope and Role of the Parties
2.1 The Customer is the Data Controller of Personal Data processed through the SignLab Service. SignLab acts as a Data Processor processing Personal Data solely on behalf of and under the documented instructions of the Customer.
2.2 The subject matter, nature, purpose, and duration of the processing, and the types of Personal Data and categories of Data Subjects, are set out in Schedule 1 to this DPA.
2.3 SignLab shall not process Personal Data for any purpose other than as described in this DPA and the Agreement, or as otherwise required by applicable law.
3. Customer Obligations
The Customer represents and warrants that:
- It has a lawful basis for processing and transferring Personal Data to SignLab as described in this DPA
- It has provided all necessary notices and obtained all necessary consents from Data Subjects as required by Applicable Data Protection Law
- It will promptly inform SignLab of any change that may affect SignLab's ability to comply with its obligations under this DPA
- It will ensure that its instructions to SignLab comply with Applicable Data Protection Law
- It is responsible for the accuracy, quality, and legality of the Personal Data it submits to the Service
4. SignLab Obligations
SignLab shall, in relation to Personal Data processed on behalf of the Customer:
4.1 Instructions
Process Personal Data only on the documented instructions of the Customer (as set out in this DPA and the Agreement), unless required by applicable law to process otherwise. SignLab will inform the Customer if it believes an instruction infringes Applicable Data Protection Law.
4.2 Confidentiality
Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and are trained in data protection requirements.
4.3 Security
Implement and maintain appropriate technical and organisational measures to protect Personal Data against Security Incidents, including as a minimum:
- AES-256 encryption of Personal Data at rest
- TLS 1.3 encryption of Personal Data in transit
- Access controls and authentication requirements for staff accessing production systems
- Regular security assessments and vulnerability monitoring
- Documented incident response procedures
4.4 Sub-Processors
Not engage new Sub-Processors without prior written authorisation from the Customer, except as set out in Schedule 2 (Authorised Sub-Processors). SignLab will notify the Customer of any intended changes to Sub-Processors with no less than 30 days' notice, giving the Customer the opportunity to object. Where the Customer objects and the Parties cannot resolve the objection, either party may terminate the Agreement on 30 days' written notice without penalty.
4.5 Data Subject Rights
Assist the Customer in responding to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) by providing the Customer with tools to access and manage data within the Service. Where a Data Subject contacts SignLab directly, SignLab will promptly forward the request to the Customer.
4.6 Assistance
Assist the Customer, taking into account the nature of the processing and information available to SignLab, in ensuring compliance with obligations relating to security, breach notification, Data Protection Impact Assessments (DPIAs), and prior consultation with supervisory authorities.
4.7 Deletion or Return
At the Customer's choice, delete or return all Personal Data to the Customer upon termination of the Agreement, and delete existing copies unless applicable law requires retention. SignLab will certify deletion in writing upon request.
4.8 Audit
Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits or inspections conducted by the Customer or an independent auditor appointed by the Customer. Audits require 30 days' written notice, must be conducted during business hours, and are limited to once per 12-month period. Audit costs are borne by the Customer unless a material breach is identified.
5. Security Incident Notification
5.1 SignLab will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA.
5.2 The notification will include, to the extent known at the time:
- Nature of the Security Incident including categories and approximate number of Data Subjects and Personal Data records affected
- Name and contact details of SignLab's data protection contact
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
5.3 SignLab will provide further information as it becomes available and will cooperate with the Customer in any required notifications to supervisory authorities or Data Subjects.
5.4 Notification of a Security Incident does not constitute an admission of fault or liability by SignLab.
6. International Data Transfers
6.1 SignLab may transfer Personal Data outside the European Economic Area (EEA), UK, or UAE only where an appropriate safeguard is in place, including:
- To countries with an adequacy decision from the European Commission or relevant authority
- Under Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor), which are incorporated by reference into this DPA
- Under any other lawful transfer mechanism under Applicable Data Protection Law
6.2 The current Sub-Processors and their data transfer mechanisms are listed in Schedule 2.
6.3 Where SCCs apply, the Customer (as Controller) and SignLab (as Processor) agree that the SCCs (Module 2) are incorporated into this DPA and shall take precedence in the event of conflict with any other provision of this DPA regarding international transfers.
7. Sub-Processors
7.1 The Customer grants SignLab general written authorisation to engage the Sub-Processors listed in Schedule 2 as at the date of this DPA.
7.2 SignLab shall enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those in this DPA.
7.3 SignLab remains fully liable to the Customer for the acts and omissions of its Sub-Processors as if they were SignLab's own.
8. Term and Termination
8.1 This DPA comes into effect on the date of execution and continues for the duration of the Agreement.
8.2 Termination of the Agreement automatically terminates this DPA.
8.3 Obligations relating to confidentiality, security, and record retention survive termination.
9. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits liability for obligations that cannot be limited by law (including GDPR Article 82 obligations as between Data Subjects and the Parties).
10. Governing Law
This DPA is governed by the law specified in the Agreement (UAE law). For EU/EEA customers, where EU law mandatorily applies to data protection matters, EU law shall prevail to the extent of any conflict with UAE law.
11. Signatures
Schedule 1 — Details of Processing
| Item | Details |
|---|---|
| Subject matter | Operation of the SignLab electronic signature platform on behalf of the Customer |
| Duration | For the term of the Agreement between the Customer and SignLab |
| Nature of processing | Collection, storage, transmission, and deletion of Personal Data in connection with document signing workflows |
| Purpose | Enabling the Customer to send, sign, and manage electronic documents; generating audit trails and signed PDFs; delivering notifications to signers |
| Types of Personal Data | Full name, email address, IP address, device/browser data, signature image, document content, custom field data entered at signing, timestamps |
| Categories of Data Subjects | Customer's employees and agents (document senders); Customer's clients and counterparties (document signers) |
| Special category data | SignLab's Service is not designed to process special category data. Customer must not upload documents containing health, biometric, criminal, or other special category data without implementing appropriate additional safeguards and notifying SignLab. |
| Data retention | As set out in the SignLab Privacy Policy and Terms of Service. Customer may request deletion at any time subject to legal retention requirements. |
Schedule 2 — Authorised Sub-Processors
The following Sub-Processors are authorised as at the date of this DPA:
| Sub-Processor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| Stripe, Inc. | United States | Payment processing and subscription management | SCCs (Module 2) |
| Cloud object-storage provider | EEA — data at rest; provider is US-incorporated | Document and file storage. EU is the default storage region; US storage is available on request. | Data stored within EEA; SCCs (Module 2) retained as a backstop |
| Cloud hosting provider | Finland (EEA) | Application hosting and infrastructure | Within EEA — none required |
SignLab will notify Customers of any changes to this list with no less than 30 days' advance notice.