Data processing agreement

This Data Processing Agreement (“DPA”) is entered into as of the Effective Date by and between Sigsync, a limited partnership established under the laws of the United States of America, with its registered office in Rehoboth Beach, DE (“Sigsync” or simply “we”) and the entity or person set forth on the last page hereto (“Customer” or simply “you”). Sigsync and Customer are sometimes referred to individually as “Party” or collectively as “Parties”.

The “Effective Date” shall be understood by the Parties as the date the Customer expresses their consent to be bound by the provisions of the DPA either by checking the appropriate box on Sigsync’s website that confirms reading and accepting the terms of the DPA or by signing a copy of this DPA received by email.

This DPA is made with reference to the following facts:

The Customer is interested in using Sigsync Email Signatures for Office 365 – a centrally managed, server-side email signature management service consisting of a web-based Dashboard and associated services, such as Sigsync Outlook add-in, hosted on Microsoft Azure store. The Sigsync server is hosted at a geolocation of your choice (the signature service and associated services are jointly referred to as “Services”).

The use of the Services requires that some of the personal data controlled by the Customer is processed by Sigsync. Under art. 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) before the Customer starts using the Services, a Data Processing Agreement must be concluded between the Customer and Sigsync.

1. General

You, as the data controller, acknowledge and confirm that:

  • Making use of the Services requires that some Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant (“Customer Data”) are associated with the Services.
  • Making use of the Services requires that emails sent from your Office 365 tenant (“Customer Emails”) are relayed through the Services.
  • This DPA, along with your use and configuration of the Services, constitutes your complete and final instructions to us for the processing of Customer Data. Customer Data was and will be obtained in accordance with applicable laws, including the GDPR, and all required consents (if necessary) from people whose personal data is processed using the Services were collected and all information duties fulfilled.

We, as a data processor, undertake:

  • To process Customer Data and relay Customer Emails through the Services only to make it possible for you to make use of the Services, solely on the basis and under the conditions specified in this DPA and applicable provisions of law.
  • Not to record, register, store, back up, or physically access the content of Customer Emails.

2. Personal data processing scope and categories of data subjects

Customer Data encompasses the following categories of personal data: names, email addresses, company contact details and job titles of people who have accounts in your Office 365 tenant. These people are those who will be concerned by this DPA.

3. Subprocessing

We use Microsoft Azure to provide our Services to you. This means that Customer Data will be processed in Microsoft Azure datacenters in a geolocation of your choice. You can find a list of currently available geolocations while adding tenants in Sigsync Dashboard.

Microsoft Azure datacenters are managed by Microsoft Corporation and its affiliates. You can find detailed terms and conditions of services provided by Microsoft Corporation and its affiliates here. These documents describe Microsoft’s obligations regarding the security of data and the measures implemented in Microsoft datacenters to protect the confidentiality of Customer Data. You can also find information about Microsoft Azure security here.

We confirm that we have entered into an agreement based on the EU Standard Contractual Clauses with Microsoft Corporation. The aim of this agreement is to ensure that a level of protection of personal data similar to that ensured by us is maintained when Customer Data is transferred to Microsoft Azure datacenters, including those located outside of the European Economic Area (EEA). You acknowledge and agree that we may use Microsoft Corporation, its affiliates and subcontractors, as described above, as subprocessors to provide the Services to you. These entities may be engaged only within the limits and for the purpose of providing the Services to you. The standard of personal data protection applicable to these subprocessors is at least equal to the protection standard provided by us.

4. Data copies and information confidentiality

We will not create copies or duplicates of any data without your knowledge, except for backup copies concerning the following types of data:

  • Sigsync Dashboard settings and configuration details.
  • Customer Data (i.e. some Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant, as described in 1).

These backup copies are necessary to ensure the smooth functioning of the Services. All backup copies are automatically created by Microsoft Azure and stored on Microsoft Azure in the geolocation that you chose when associating your Office 365 tenant with the Services. We will not use these backup copies outside of the Microsoft Azure environment or for any purposes other than those specified above. We will not create backup copies of any types of data other than those specified above. We will not create backup copies of Customer Emails.

We acknowledge and agree that Customer Emails in some cases may contain information that should reasonably be understood to be proprietary or confidential information of the Customer. We will undertake all reasonable organizational, technical and administrative steps to prevent Customer Emails from being disclosed to any unauthorized person. Because we do not record, register, store, back up, or physically access the content of Customer Emails, we will not disclose it to any third parties and will always refuse all requests to disclose Customer Emails to law enforcement.

We acknowledge and agree that Customer Data in some cases may contain information that should reasonably be understood to be proprietary or confidential information of the Customer. We will undertake all reasonable organizational, technical and administrative steps to prevent Customer Data from being disclosed to any unauthorized person. We will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts us with a request for Customer Data, we will attempt to redirect the law enforcement agency directly to you. If compelled to disclose Customer Data to law enforcement, we will promptly notify you and provide a copy of the demand unless we are legally prohibited from doing so.

5. Assistance in fulfillment of the rights of data subjects and performance of other data controller’s obligations

We will help you fulfill your duty to respond to the requests of data subjects, particularly in relation to the right to be forgotten, the right to data portability, the right to restriction of data processing or the right to object to data processing, provided that you inform us immediately of any requests from data subjects that require our assistance. In any event, you should inform us of any request that you received no later than 3 (three) business days from its receipt. You can do so by sending an email to privacy-mail.

We have the right to refuse your request if it is forwarded to us later than 3 (three) business days from its receipt by you and if the request is too difficult or impossible to fulfill. A request may be difficult or impossible to fulfill especially when it is too complex, evidently unjustified, excessive or impossible to fulfill because of technical limitations.

We will confirm the receipt of your request within 3 (three) business days from its receipt. Within the next 3 (three) business days we will let you know if we are able to assist you and we will inform you of the expected deadline to fulfill your request. In any event, the deadline may not be shorter than 2 (two) weeks.

If we receive a request from one of your data subjects to exercise one or more of their rights under the GDPR, we will redirect the data subject to make the request directly to you. Taking into account available information and the nature of processing, as described in section 1 of this DPA, we will provide you with the information necessary for you to perform the obligations arising out of articles 32 – 36 of the GDPR, including Data Protection Impact Assessments (“DPIA”). If you require our assistance in relation to a DPIA, you can contact us at any time by email at privacy-mail.

6. Security

Considering the risk of violation of the rights and freedoms of individuals and the state of technical knowledge, implementation costs, scope, nature, context and purposes of processing personal data, we declare that in accordance with art. 32 of the GDPR, we have implemented appropriate technical and organizational measures to secure the processing of Customer Data. These measures are described in Appendix 1 to this DPA. You can also use information contained in Appendix 1 to perform DPIA.

We undertake to protect Customer Data from unauthorized access, unauthorized removal, damage or destruction and we will take all necessary steps to keep personal data confidential and to protect it in accordance with the provisions of the GDPR.

We declare that all our employees who are authorized to process personal data, are bound to confidentiality and undergo regular training regarding data protection provisions relevant to their work.

We regularly monitor all internal processes and the technical and organizational measures to ensure that processing is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.

We are entitled to implement alternative, suitable measures than those described in this section above and in Appendix 1 to this DPA, especially due to technical advances and developments. Such measures must not fall below the security level of those described above.

7. Data breaches

We will notify you without undue delay after becoming aware of a personal data breach. Such notice will, at a minimum:

  • Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal records concerned.
  • Communicate the name and contact details where more information can be obtained.
  • Describe the likely consequences of the personal data breach.
  • Describe the measures taken or proposed to be taken by you to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Period of processing and return of data

You acknowledge and understand that we will start the processing of Customer Data after your Office 365 tenant is associated with the Sigsync service.

We will process personal data that you entrust to us for the duration of your license for the Services. The DPA shall remain in force when using the Services with a trial license as well as after the trial period, i.e. after purchasing the license for the Services. Furthermore, the DPA shall remain in force regardless of whether the Services were purchased directly from Sigsync or through a reseller.

If your license is terminated or expires, we will erase Customer Data from the Services within 180 days after you cancel your subscription with us, unless the law requires that this data is processed for a longer period.

After termination or expiration of your license, we will not perform any operations on Customer Data, except for storing it within the Services, unless we are required to do otherwise by law.

9. Auditing rights of the customer

If you need any additional information regarding how we process and protect Customer Data and fulfill obligations arising out of the GDPR, you can contact us at any time by email at privacy-mail.

You can also verify the security measures implemented by Microsoft Corporation and its affiliates by referring to their Online Services Terms.

Sigsync has implemented an Information Security Management System certified against the international standard ISO/IEC 27001. To confirm compliance with ISO/IEC 27001, we undergo an audit once a year. Audits are conducted by external and independent certifying entities. We will resolve any audit findings immediately in a way that is satisfactory to the certifying agencies in order to stay compliant with ISO/IEC 27001. On your demand, we will provide you with proof that Sigsync holds ISO/IEC 27001 certification. The report will be restricted by the distribution and confidentiality limitations imposed by the certifying entity. You might be asked to sign an additional Non-Disclosure Agreement before we share the report with you.

10. Control and audits

You should inform us without undue delay of any control or audit performed by competent supervisory authorities if it relates to Customer Data.

We will inform you immediately of any inspections and measures conducted by the supervisory authorities if they relate to the Services or Customer Data.

11. Jurisdiction specific data protection clauses

If you are subject to any data protection laws of jurisdictions listed in Appendix 2, then the terms of Appendix 2 supplement the clauses of sections 1 – 10 of this DPA.

12. Miscellaneous

This DPA can only be modified by a written document signed by both you and us. This DPA should be read and construed together with Sigsync’s Terms and Conditions. In case the provisions of Sigsync’s Terms and Conditions are contrary to the provisions of this DPA, this DPA shall prevail.

This DPA will be governed by the GDPR and the laws of the United States of America, excluding any conflict of law rules. Any and all disputes relating to this DPA will be settled between you and Sigsync through good faith negotiations. In case these negotiations are not successful, any subsequent dispute should be litigated in front of the competent courts of the United States of America.

Should any provision of this DPA be found invalid or unenforceable by a court of competent jurisdiction, the rest of this DPA will remain in full effect.

This DPA can be signed in one or more counterparts and each counterpart will be considered an original DPA. All of the counterparts will be considered one document and become a binding agreement when one or more counterparts have been signed by each of the Parties and delivered to the other.

The term of this DPA corresponds with the term of your license for Sigsync Email Signatures for Office 365.

Appendix 1 – Summary of security measures implemented by Sigsync

This document describes security measures that we have implemented to ensure that Customer Data is processed in accordance with the law and the DPA. This document is regularly updated to reflect changes made in our security and data privacy compliance program.

1. General organizational measures

Confidentiality: All of our personnel are subject to confidentiality obligations and may only access personal data subject to a prior, written authorization issued by Sigsync.

2. Training and awareness

Personnel Training: We conduct regular training sessions for our personnel on data protection rules and personnel roles within our Compliance Program. We also inform our personnel about possible consequences of non-compliance. These training sessions are conducted using anonymized data.

3. Physical and environmental security

Physical Access to Data Centers: Customer Data is processed within Microsoft Azure datacenters. Access to these datacenters is restricted only to identified Microsoft staff members. Our personnel may not physically access these centers.

Physical Access to our facilities: Only identified and authorized members of our personnel may access our facilities. Unauthorized personnel may not access these facilities.

Monitoring of Facilities: Our facilities are constantly monitored by us and external security service to prevent unauthorized access. Visitors may only access a designated space of our facilities where no data is processed.

Protection from Disruptions: We use a variety of industry accepted solutions to protect against loss of data due to power supply failure, fire, natural disaster or line interference.

Component Disposal: We use industry accepted solutions to delete Customer Data when it is no longer needed.

4. Access control

Access Authorization: We maintain a record of personnel authorized to access our facilities and information systems. We have implemented a system of controls to make sure that no one can stop working for our organization without having their authentication credentials deactivated and all access rights revoked. Additionally, we conduct regular (at least once every 6 months) audits to make sure that authentication credentials that have not been used are deactivated. Deactivated or expired identifiers are not granted to other or new members of our personnel. We maintain industry standard procedures to deactivate passwords that have been compromised or inadvertently disclosed.

Limitation of privileges: Only a small, selected group of personnel may grant, alter or cancel access privileges to our facilities and information systems. The scope of access rights granted to our personnel is limited strictly to assets necessary to perform their functions.

Authentication of users: We use industry accepted solutions, such as multi-factor authentication, to identify and authenticate users who access our IT systems. Passwords are renewed regularly and must comply with the minimum requirements imposed by our security policies. We use various best practices designed to maintain the confidentiality and integrity of passwords when they are assigned, distributed and stored.

Monitoring: We monitor our information systems for all attempts of unauthorized access and for use of expired or invalid credentials.

5. Asset and operations management

Endpoint protection: All computing endpoints are encrypted and protected against malware.

Backup copies: We make regular copies of Services’ settings and configuration details and Customer Data (Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant, as described in point 1 of the DPA). We do not create backup copies of Customer Emails.

Access to backups: All backups are automatically created by Microsoft Azure and stored on Azure at a geolocation that you chose when associating your Office 365 tenant with the Services. We have processes in place which ensure that access to backup copies is restricted to the necessary minimum, that backups may not be used outside of Microsoft Azure’s environment, and that no data can be restored without the authorization of senior personnel members.

Integrity and Confidentiality: Our personnel have to disable all sessions when leaving our facilities or leaving computers unattended. Only a small, selected group of our personnel who require remote access due to the character of their duties may carry mobile devices and use them outside of our premises. All mobile devices are password protected and have encrypted storage.

Printing and portable data carriers: We have procedures in place which guarantee that no data can be printed or copied to portable data carriers without our prior authorization. Members of our personnel are prohibited from using unauthorized portable data carriers within our premises.

Network controls: Only authorized devices may use our networks. We have controls in place which ensure that unauthorized devices may not be used within our network.

6. Incident management

Malicious Software: We have anti-malware controls in place to help prevent malicious software from gaining unauthorized access to Customer Data and our information systems, including malicious software originating from public networks.

Incident record: We maintain a record of security incidents which include the date and time of the incident, the consequences of the breach and measures implemented to avoid similar situations in the future.

Service Monitoring: We verify and monitor logs for irregularities and suspicious activity.

7. Application controls

Guidelines and policies: We maintain guidelines and policies for developers which ensure that personal data processing principles such as privacy by design and privacy by default principles are observed while developing our applications.

Code review and patch management: We regularly review application code for errors and issue patches or fixes.

Appendix 2 – Jurisdiction specific data protection clauses

California

This section sets forth specific terms and conditions concerning compliance with the California Consumer Privacy Act (“CCPA”). It only applies if you are a “business” under relevant provisions of the CCPA and you purchase a license for Sigsync Email Signatures for Office 365. This section does not apply in all other cases.

Where we process Customer Data and Customer Emails containing California consumers’ personal information we are a “service provider” who processes Customer Data and Customer Emails on your behalf and you are a “business” as defined in the CCPA.

Unless explicitly stated otherwise, in sections 1 – 10 of this DPA the term “data controller” should be read to include “business”, the term “data processor” should be read to include “service provider”, the term “data subject” should be read to include “consumer” and “Customer Data” and “Customer Emails” should be read to include “personal information”, each as defined under the CCPA.

As a service provider, we undertake not to retain, use, disclose or otherwise process Customer Data and Customer Emails for any purpose other than making your use of Sigsync Email Signatures for Office 365 possible or as otherwise may be permitted for “service providers” under the CCPA.

Our obligations regarding data subject requests contained in section 5 of this DPA apply to consumers’ rights under the CCPA.
