Signatu's Data Processing Agreement

This is the Summary and Table of Content of our Data Processing Agreement.

Summary

Agree: You may order our Consent Service Under the Cloud Service Agreement (“CSA”). We process Personal Data on your behalf under Signatu AS Data Processing Agreement ("DPA").
Personal data: We process Consent Event Data on your behalf.
Lawful processing: You are responsible for why and how we process Consent Event Data on your behalf.
Data deletion You decide when we shall delete the Consent Event Data. We delete or return the Consent Event Data shortly after your term expiry.
Data Security: We secure the Consent Event Data with appropriate technical or organisational measures.
Confidentiality: We do not disclose the Consent Event Data to third parties.
Audits: We allow you to audit us.
Processing Records: We maintain a record of processing activities that we carry out on your behalf.
Assistance: We assist you to respond to end users' request to exercise their Data Subject Rights with regard Consent Event Data.
Data Breach: In case of a data breach we will notify you without undue delay, mitigate effects and minimise any damage.
DPIA and Consultation: We will assist you with Data Protection Impact Assessment and Prior Consultation with Data Protection Authorities.
Cloud host: We use AWS in Ireland to host our Consent Service.
Limited liability: We have limited liability in relation to you and third parties.
Friendly problem solving: If we ever end up in a dispute, we will try to solve issues in a friendly way.
Disputes in Norway: Any dispute will be resolved in Norway only, and under Norwegian law only.
Communication with you: To communicate with you, we will use your sign up Email Address.
Communication with us: To communicate with us, you will use our Email Address: hello@signatu.com
English communication: Together, we and you communicate in English only.

1 Parties and Scope

2 Meaning of terms in DPA

3 Customer instructions and responsibilities with regard to Processing

3.1 Role of Customer

3.2 Role of Signatu

3.3 Scope of Permission

3.4 Customer’s acknowledgment

4 Lawful processing

4.1 Customer’s Warranties for Lawful Processing

4.2 Customer’s Responsibility for Lawful Processing

4.3 Customer’s Responsibility for Customer’s Instruction

4.4 Processing in conflict with DPA

5 Data Deletion or Return

5.1 Power to delete

5.2 Deletion during Term

5.4 Deletion on Term Expiry

5.5 Omitted Deletion Instruction

6 Data Security

6.1 Signatu’s Security Measures

6.2 Customer’s Security Responsibility

7 Confidentiality

7.1 Signatu’s Confidentiality Obligation

7.2 Signatu’s redirection of Authorities to Customer

7.3 Signatu’s Notice to Customer

7.4 Customer’s Notice to Signatu

7.5 Customer’s Responsibility

8 Confidentiality obligations of Signatu personnel

9 Audits

9.1 Customer’s Audit Rights

9.2 Request

9.3 Objection

9.4 Date, scope and duration

9.5 Confidential Information

9.6 Responsibility for Auditor’s Fees

9.7 Responsibility for Signatu’s costs

9.8 Supervisory Authority Audits

10 Processing Records

10.1 Processing Record Obligation

10.2 Customer Record Information Obligation

11 Assistance to Customer

11.1 Data Subject Rights

11.1.1 Customer’s Responsibility to Respond to Data Subject Requests

11.1.2 Signatu’s Assistance

11.2 Notification of a Personal Data Breach

11.2.1 Signatu’s Notification

11.2.2 Signatu’s Assistance

11.2.3 Customer’s Responsibility

11.3 Data Protection Impact Assessment and Prior Consultation

11.3.1 Signatu’s Assistance

12 Payment for Assistance

13 Sub-processors

13.1 Customer Authorization to engage Sub-processors

13.2 Obligations for replacement or addition of Sub-processor

14 Liability, penalties and fines

14.1 Separate Responsibility for Damage

14.2 Customer’s Sole Responsibility

14.3 Liability

14.3.1 Liability Cap

14.3.2 Liability Cap Exclusions

15 Nondisclosure

16 Communication between Parties

16.1 Obligation to use Notification Email Address

16.2 Customer’s Responsibility

16.3 Language

17 Entire DPA

19 Customer Warranties

20 Acceptance of DPA

21 Entry into force and duration of DPA

22 Dispute Resolution, Applicable Law and Jurisdiction

Annex 1 to Data Processing Agreement

Personal Data Processing

Annex 2 to Data Processing Agreement

Data Security Measures

Summary

1 Parties and Scope

2 Meaning of terms in DPA

3 Customer instructions and responsibilities with regard to Processing

3.1 Role of Customer

3.2 Role of Signatu

3.3 Scope of Permission

3.4 Customer’s acknowledgment

4 Lawful processing

4.1 Customer’s Warranties for Lawful Processing

4.2 Customer’s Responsibility for Lawful Processing

4.3 Customer’s Responsibility for Customer’s Instruction

4.4 Processing in conflict with DPA

5 Data Deletion or Return

5.1 Power to delete

5.2 Deletion during Term

5.3 Deletion in accordance with GDPR Art 17.1 and 19

5.4 Deletion on Term Expiry

5.5 Omitted Deletion Instruction

6 Data Security

6.1 Signatu’s Security Measures

6.2 Customer’s Security Responsibility

7 Confidentiality

7.1 Signatu’s Confidentiality Obligation

7.2 Signatu’s redirection of Authorities to Customer

7.3 Signatu’s Notice to Customer

7.4 Customer’s Notice to Signatu

7.5 Customer’s Responsibility

8 Confidentiality obligations of Signatu personnel

9 Audits

9.1 Customer’s Audit Rights

9.2 Request

9.3 Objection

9.4 Date, scope and duration

9.5 Confidential Information

9.6 Responsibility for Auditor’s Fees

9.7 Responsibility for Signatu’s costs

9.8 Supervisory Authority Audits

10 Processing Records

10.1 Processing Record Obligation

10.2 Customer Record Information Obligation

11 Assistance to Customer

11.1 Data Subject Rights

11.1.1 Customer’s Responsibility to Respond to Data Subject Requests

11.1.2 Signatu’s Assistance

11.2 Notification of a Personal Data Breach

11.2.1 Signatu’s Notification

11.2.2 Signatu’s Assistance

11.2.3 Customer’s Responsibility

11.3 Data Protection Impact Assessment and Prior Consultation

11.3.1 Signatu’s Assistance

12 Payment for Assistance

13 Sub-processors

13.1 Customer Authorization to engage Sub-processors

13.2 Obligations for replacement or addition of Sub-processor

14 Liability, penalties and fines

14.1 Separate Responsibility for Damage

14.2 Customer’s Sole Responsibility

14.3 Liability

14.3.1 Liability Cap

14.3.2 Liability Cap Exclusions

15 Nondisclosure

16 Communication between Parties

16.1 Obligation to use Notification Email Address

16.2 Customer’s Responsibility

16.3 Language

17 Entire DPA

18 Customer’s independent conclusion of Signatu GDPR compliance

19 Customer Warranties

20 Acceptance of DPA

21 Entry into force and duration of DPA

22 Dispute Resolution, Applicable Law and Jurisdiction

Annex 1 to Data Processing Agreement

Annex 2 to Data Processing Agreement