Data Processing Addendum
Last updated: 2026-05-22
This Data Processing Addendum ("DPA") forms part of the agreement between Customer (data controller) and CelerSign (data processor / service provider) governing the Customer's use of the CelerSign electronic signature service (the "Service"). In the event of any conflict between this DPA and the main agreement, this DPA prevails with respect to the Processing of Personal Data.
1. Definitions
- Personal Data means any information relating to an identified or identifiable natural person Processed by CelerSign on behalf of Customer through the Service.
- Processing means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- Data Subject means the identified or identifiable natural person to whom Personal Data relates.
- Sub-processor means any third party engaged by CelerSign to Process Personal Data on behalf of Customer.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed under this DPA.
- Standard Contractual Clauses ("SCCs") means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
- Applicable Data Protection Laws means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR, PIPEDA, the CCPA/CPRA, and other US state privacy laws (Virginia, Colorado, Connecticut, Utah, Texas).
2. Subject Matter and Duration of Processing
The subject matter of the Processing is the provision of electronic signature services by CelerSign to Customer. Processing will continue for the duration of the main agreement between the parties, plus any retention period required to maintain the legal validity of executed documents and audit trails (typically a minimum of seven years), unless otherwise instructed by Customer or required by law.
3. Nature and Purpose of Processing
CelerSign Processes Personal Data for the following purposes:
- Execution of electronic signature workflows initiated by Customer
- Generation, storage, and verification of tamper-evident audit trails
- Delivery of transactional email notifications (signing invitations, completion notices, reminders)
- Authentication of signers (e.g., email OTP)
- Account, billing, and service administration
- Security monitoring, fraud detection, and incident response
4. Types of Personal Data
The Personal Data Processed may include:
- Names and email addresses of Customer's users and signers
- IP addresses and browser user-agent strings
- Signature images, typed signatures, or signature glyphs
- Document content and document metadata (titles, file names, page counts)
- Timestamps of signing events and other audit-trail events
- Authentication artifacts (OTP codes, hashed credentials)
- Any other Personal Data contained within documents uploaded by Customer
5. Categories of Data Subjects
- Customer's employees, contractors, and authorized users of the Service
- Customer's signers (parties Customer invites to sign documents)
- Customer's recipients (parties who receive copies of executed documents)
- Any other natural persons whose Personal Data appears in documents Customer uploads
6. Customer Obligations
Customer represents, warrants, and agrees that:
- It has a valid lawful basis under Applicable Data Protection Laws for the Processing of Personal Data through the Service.
- It has obtained any consents, provided any notices, and complied with any other requirements applicable to its collection of Personal Data from its signers and other Data Subjects.
- Its instructions to CelerSign regarding the Processing of Personal Data comply with Applicable Data Protection Laws.
- It will not upload documents containing categories of data for which Customer is not authorized to use the Service (e.g., regulated health data where no BAA is in place, payment card data where no PCI scope is agreed).
7. CelerSign Obligations
CelerSign will:
- Process Personal Data only on documented instructions from Customer, including with regard to transfers to third countries, unless required by law.
- Ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures as described in Section 8.
- Engage Sub-processors only in accordance with Section 9 and remain responsible for their performance.
- Notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's data.
- Provide reasonable assistance to Customer in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) and in meeting Customer's obligations under Applicable Data Protection Laws (including data protection impact assessments and prior consultations with supervisory authorities).
- At Customer's choice, delete or return all Personal Data to Customer after the end of the provision of services, and delete existing copies unless retention is required by law.
- Make available to Customer all information necessary to demonstrate compliance with its obligations under this DPA.
8. Security Measures
CelerSign maintains technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, damage, alteration, or disclosure, including:
- Encryption in transit via TLS 1.3 for all data transmitted between clients, the Service, and Sub-processors.
- Encryption at rest via AES-256 for documents, audit trails, and database storage.
- Access controls: role-based access, principle of least privilege, JWT-based session management, and restricted production access.
- Audit logging for production system access and document lifecycle events.
- Cryptographic integrity: SHA-256 hash chains for audit trails, in which each audit record incorporates the hash of the record before it, appended to executed PDFs so that alteration, deletion, or reordering of audit events is detectable.
- Secret management: production credentials stored in managed secret stores, not source control.
- Backups: managed by infrastructure providers with retention in the same region as the primary database.
- Vulnerability management: dependency monitoring and routine patching.
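The tamper-evidence property of the hash-chained audit trail described above is easiest to see in code. The Python below is an added illustration written for this page, not CelerSign's own implementation; the record layout, the all-zero genesis value, and the sample signing events are constructed assumptions. It shows that editing, deleting, or reordering an event breaks the chain, and also the caveat a practitioner should keep in mind: trimming events off the end of the log is only detected when the chain head is anchored outside the log itself, which is what appending it to the executed PDF provides.

```python
import copy
import hashlib
import json

# Constructed sample audit events for one signing envelope (assumption: not real data).
SAMPLE_EVENTS = [
    {"seq": 0, "ts": "2026-05-22T10:00:00Z", "type": "envelope_sent",
     "actor": "alice@example.com", "doc_sha256": "a" * 64},
    {"seq": 1, "ts": "2026-05-22T10:05:12Z", "type": "signer_authenticated",
     "actor": "bob@example.com", "method": "email_otp", "ip": "203.0.113.7"},
    {"seq": 2, "ts": "2026-05-22T10:06:40Z", "type": "document_signed",
     "actor": "bob@example.com", "page": 3},
    {"seq": 3, "ts": "2026-05-22T10:06:41Z", "type": "envelope_completed",
     "actor": "system", "doc_sha256": "b" * 64},
]

GENESIS = "0" * 64  # assumed well-known starting value for an empty chain


def canonical(event):
    """Deterministic JSON encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def event_hash(prev_hash, event):
    """SHA-256 over (previous record hash || canonical event): binds the record to its predecessor."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(event))
    return h.hexdigest()


def build_chain(events):
    """Append events one by one; each record carries the hash it was chained from."""
    chain, prev = [], GENESIS
    for e in events:
        h = event_hash(prev, e)
        chain.append({"event": e, "prev_hash": prev, "hash": h})
        prev = h
    return chain


def chain_head(chain):
    """The value that would be embedded in the executed PDF to anchor the trail."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, expected_head=None):
    """Return (ok, index_of_first_bad_record_or_None).

    Recomputes every hash from GENESIS forward. If expected_head is supplied,
    the final hash must also match it, which is what catches tail truncation.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, i  # link points at the wrong predecessor (deletion/reorder)
        if event_hash(prev, rec["event"]) != rec["hash"]:
            return False, i  # record content changed after hashing
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # chain is internally consistent but not the one anchored
    return True, None


def tamper_results():
    """Run the verifier over several constructed tampering scenarios."""
    clean = build_chain(SAMPLE_EVENTS)
    head = chain_head(clean)
    out = {"untouched": verify_chain(clean, head)}

    edited = copy.deepcopy(clean)
    edited[2]["event"]["ts"] = "2026-05-22T09:00:00Z"  # backdate the signature
    out["edited_timestamp"] = verify_chain(edited, head)

    deleted = copy.deepcopy(clean)
    del deleted[1]  # drop the signer-authentication record
    out["deleted_event"] = verify_chain(deleted, head)

    reordered = copy.deepcopy(clean)
    reordered[1], reordered[2] = reordered[2], reordered[1]
    out["reordered_events"] = verify_chain(reordered, head)

    truncated = clean[:3]  # silently drop the final event
    out["truncated_no_anchor"] = verify_chain(truncated)        # passes: chain alone cannot tell
    out["truncated_with_anchor"] = verify_chain(truncated, head)  # fails: head mismatch
    return out


if __name__ == "__main__":
    for name, result in tamper_results().items():
        print(f"{name:22s} ok={result[0]} first_bad={result[1]}")
```

The `truncated_no_anchor` case is the reason the chain head must live somewhere an attacker with write access to the log cannot also rewrite; embedding it in the executed PDF (or a timestamped signature over it) is one such anchor.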
9. Sub-processors
Customer provides general authorization for CelerSign to engage Sub-processors. A current list of Sub-processors is maintained at /legal/subprocessors. CelerSign will provide at least thirty (30) days' notice before adding or replacing any Sub-processor that Processes Personal Data. Customer may object to a new Sub-processor on reasonable data protection grounds; in such case, the parties will work in good faith to resolve the objection, including, where necessary, termination of the affected portion of the Service.
10. International Data Transfers
Personal Data may be transferred to and Processed in jurisdictions outside the country in which it was collected, including the United States, where certain CelerSign Sub-processors operate. CelerSign relies on the following safeguards:
- For transfers from the European Economic Area, United Kingdom, and Switzerland: the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), incorporated by reference into this DPA.
- For transfers from Canada: safeguards compatible with PIPEDA, including contractual protections with Sub-processors and the technical security measures described in Section 8.
- For transfers involving US state privacy laws: CelerSign acts as a service provider / processor and does not sell or share Personal Data for cross-context behavioral advertising.
Details of where Personal Data resides are published at /legal/data-residency.
11. Data Subject Rights
Taking into account the nature of the Processing, CelerSign will assist Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws. Where a Data Subject contacts CelerSign directly regarding Customer's data, CelerSign will refer the Data Subject to Customer and notify Customer of the request.
12. Audits
CelerSign will, on an annual basis, perform a self-attestation of compliance with this DPA and make a summary available to Customer on request. For enterprise customers, CelerSign will, on reasonable notice and no more than once per twelve (12) month period, make available the results of third-party audits or permit a mutually agreed independent auditor to conduct an audit, subject to confidentiality and reasonable cost arrangements.
13. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set forth in the main agreement between the parties. Nothing in this DPA limits or excludes the liability of either party for any liability that cannot be limited or excluded under applicable law.
14. Term, Termination, and Return or Deletion of Data
This DPA takes effect on the effective date of the main agreement and remains in force until the main agreement terminates. On termination, Customer may, within thirty (30) days, request return of its Personal Data in a commonly used format. After that period, CelerSign will delete Personal Data from active systems, except that audit-trail records and executed documents may be retained for the period necessary to maintain the legal validity of executed documents, or where retention is required by applicable law. Personal identifiers in retained audit records will be anonymized to the extent compatible with the integrity of the audit trail.
15. Contact and Execution
Enterprise customers may request a counter-signed copy of this DPA, or negotiate bespoke terms, by contacting legal@celersign.com.