Data Processing Agreement
Last updated: 31/05/2026
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Kaddye Terms of Service (the “Terms”) between:
Kaddye ApS, CVR 45817822, Boyesgade 12, 3th, 1822 Frederiksberg, Denmark (“Kaddye”, the “Processor”); and
you, the customer entering into the Terms (the “Customer”, the “Controller”).
It governs Kaddye’s processing of personal data on the Customer’s behalf in connection with the service. By accepting the Terms, the Customer accepts this DPA. Capitalised terms not defined here have the meaning given in the Terms.
1. Definitions
“GDPR” means Regulation (EU) 2016/679. “Personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given in the GDPR. “Sub-processor” means any third party engaged by Kaddye to process personal data on the Customer’s behalf. “Applicable Data Protection Law” means the GDPR and any national data protection law applicable to the Customer’s use of the service.
2. Roles and scope
The Customer is the controller and Kaddye is the processor in respect of the personal data processed through the service. The Customer determines the purposes and means of processing; Kaddye processes that personal data only to provide the service and only as set out in this DPA. The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are described in Annex 1.
Where the Customer is itself a processor acting on behalf of a third-party controller, the Customer warrants that it is authorised to instruct Kaddye and to enter into this DPA on that controller’s behalf.
3. Processing on documented instructions
Kaddye processes personal data only on the Customer’s documented instructions, including with regard to international transfers, unless required to act otherwise by EU or member-state law (in which case Kaddye will inform the Customer of that requirement before processing, unless the law prohibits it). The Terms, this DPA and the Customer’s use and configuration of the service constitute the Customer’s complete documented instructions.
Kaddye will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
4. Confidentiality
Kaddye ensures that persons authorised to process the personal data are bound by an appropriate duty of confidentiality and process the data only as necessary to perform their duties.
5. Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to data subjects, Kaddye implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2. The Customer is responsible for assessing whether those measures meet its requirements.
6. Sub-processors
The Customer provides general authorisation for Kaddye to engage sub-processors. The sub-processors engaged as at the date of this DPA are listed in Annex 3.
Kaddye imposes on each sub-processor, by written contract, data protection obligations that are substantially the same as those set out in this DPA, and remains fully liable to the Customer for the performance of each sub-processor’s obligations.
Kaddye will give the Customer reasonable prior notice of any intended addition or replacement of a sub-processor (for example by updating Annex 3 and notifying the Customer). The Customer may object on reasonable data-protection grounds within the notice period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the service.
7. International transfers
Kaddye does not transfer personal data outside the EU/EEA except where a transfer mechanism recognised under the GDPR is in place (such as an adequacy decision or the Standard Contractual Clauses) together with any additional safeguards required. Where a sub-processor processes personal data outside the EU/EEA, the applicable transfer mechanism is identified in Annex 3.
8. Assistance with data subject rights
Taking into account the nature of the processing, Kaddye assists the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights under the GDPR. If Kaddye receives such a request directly, it will, unless legally required to respond, refer the data subject to the Customer.
9. Personal data breaches
Kaddye notifies the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s personal data, and provides the Customer with the information reasonably available to it to assist the Customer in meeting its own breach-notification obligations.
10. Data protection impact assessments
Taking into account the nature of processing and the information available to it, Kaddye provides reasonable assistance to the Customer with data protection impact assessments and any prior consultation with a supervisory authority required under Articles 35–36 GDPR.
11. Deletion or return of data
On termination or expiry of the service, Kaddye will, at the Customer’s choice, delete or return the personal data processed on the Customer’s behalf and delete existing copies, unless EU or member-state law requires continued storage. As described in the Terms, audit trails and evidence packages remain exportable for 12 months after cancellation, after which they are deleted.
12. Audits and information
Kaddye makes available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits are conducted on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a personal data breach), during business hours, and subject to confidentiality. Kaddye may satisfy audit requests by providing relevant third-party certifications or reports where available.
13. Controller obligations
The Customer warrants that: it has a lawful basis under the GDPR for the personal data it processes through the service, including for sending documents to signers and recipients; its instructions comply with Applicable Data Protection Law; and it has provided any notices and obtained any rights or permissions required for Kaddye to process the personal data as described. The Customer is responsible for the content of the documents it uploads, including any special categories of personal data (Article 9 GDPR) it chooses to include.
14. Relationship and liability
This DPA forms part of the Terms. In the event of a conflict between this DPA and the rest of the Terms in respect of the processing of personal data, this DPA prevails. Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.
15. Term
This DPA takes effect on the Customer’s acceptance of the Terms and remains in force for as long as Kaddye processes personal data on the Customer’s behalf.
Annex 1 - Details of the processing
Subject matter: provision of the Kaddye electronic signing service.
Duration: for the term of the Customer’s use of the service, plus the retention period described in the Terms.
Nature and purpose: hosting, processing, transmitting, storing and sealing documents for electronic signature; verifying signer identity; generating and storing audit trails and evidence packages; sending notifications relating to signing.
Categories of data subjects:
- the Customer’s authorised users;
- signers and recipients of documents sent through the service;
- the Customer’s saved contacts;
- any individuals whose personal data is contained in documents uploaded by the Customer.
Types of personal data:
- identification and contact data (names, email addresses, and where provided phone numbers);
- identity and authentication data obtained through electronic identity schemes (e.g. MitID), which may include national identifiers;
- signature data and signing-method information;
- audit-trail and event data (timestamps, actions taken, document hashes);
- technical data (IP address, device and log information);
- any personal data, including potentially special categories of data, contained within the documents the Customer chooses to upload.
Annex 2 - Technical and organisational measures
- Personal data is hosted within the EU/EEA (see Annex 3).
- Encryption of personal data in transit (TLS) and at rest.
- Access controls limiting access to authorised personnel on a need-to-know basis, with individual authentication.
- Cryptographic integrity protection of signed documents (document hashing; PAdES sealing with timestamps and validation data for advanced signatures).
- Logging and audit trails of signing-related events.
- Regular backups and measures to restore availability and access to personal data in a timely manner after an incident.
- Confidentiality obligations binding on personnel.
- Processes for testing and evaluating the effectiveness of the measures.
Annex 3 - Sub-processors
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Railway Corporation | Hosting of application backend and database | Amsterdam, Netherlands (EU) | Standard Contractual Clauses |
| Amazon Web Services EMEA SARL | Document and object storage (S3) | Frankfurt, Germany (EU) | Within EU/EEA |
| Resend | Transactional and notification email | Ireland (EU) | Standard Contractual Clauses |
| Idura ApS (CVR 35142207) | Electronic identity verification (e.g. MitID) for advanced signatures | Denmark (EU) | Within EU/EEA |