Data Processing Addendum
Last updated 2026-07-12
This Data Processing Addendum ("DPA") describes how CompanySignatures processes personal data on behalf of a customer workspace when providing the service described in our terms of service. It supplements, and does not replace, our privacy policy and terms of service. For a signed or counter-signed copy for your records, contact us using the details below.
1. Roles
For the personal data of a customer's own teammates (names, job titles, and contact details entered on personal signature links), the customer is the data controller and we act as the data processor, processing that data only to provide the service and only on the customer's instructions as reflected in the product's configuration.
For account-level data tied directly to a customer's relationship with us (billing contact, workspace admin email), CompanySignatures acts as an independent controller for the limited purposes of operating and billing the account.
2. Scope of processing
- Categories of data subjects: the customer's employees and contractors who are added as members of the workspace.
- Categories of data: name, job title, department, work contact details (email, phone), and any optional fields a member chooses to add (calendar link, social profile URLs, pronouns).
- Nature of processing: storage, rendering into signature HTML, and inbound-email pattern matching for install verification. No sensitive or special-category data is required by the service, and customers should not enter any into optional free-text fields.
- Duration: for as long as the workspace is active, plus the retention windows described in the privacy policy after cancellation or deletion.
3. Subprocessors
We use the following subprocessors to provide the service. We will provide reasonable advance notice before adding a new subprocessor that will process customer personal data.
- Cloudflare , infrastructure, hosting, storage, and content delivery for the application and signature images.
- Postmark (Active Campaign), transactional email delivery, including inbound email processing for install verification.
- Paddle , billing and payment processing; Paddle acts as merchant of record and processes payment data directly.
- Anthropic , AI-assisted brand enrichment (matching a company domain to a public company name, logo, and colors) from publicly available data.
4. International transfers
Our subprocessors may process data in the United States and other countries where they or their own infrastructure operate. Where personal data is transferred out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs), or an equivalent lawful transfer mechanism, with the relevant subprocessor.
5. Security measures
- Data encrypted in transit (TLS) between the browser, our application, and our infrastructure.
- Access to customer data restricted to the systems and personnel that need it to operate the service.
- Sign-in via one-time magic links rather than stored passwords, reducing the risk of credential-based account compromise.
- No recipient tracking is built into the product by design, reducing the scope of personal data collected in the first place, see our privacy policy section 2.
6. Data subject requests
If we receive a request from one of a customer's team members to access, correct, or delete their data, and the request is clearly directed at the customer rather than us, we will refer the requester to the customer. We will reasonably assist the customer in responding to data subject requests concerning data we process on their behalf. Workspace admins can also directly edit or remove member data at any time from the dashboard.
7. Audit and cooperation
On reasonable written request, and no more than once per year absent a specific security concern, we will provide available information reasonably necessary to demonstrate compliance with this DPA. We will cooperate with a customer's reasonable requests related to a data protection impact assessment concerning our processing of their data.
8. Term, deletion, and return of data
This DPA remains in effect for as long as we process personal data on the customer's behalf under the terms of service. On workspace deletion, personal data is deleted as described in our privacy policy's retention section, subject to a short operational grace period for backups.
9. Contact
For a countersigned copy of this DPA or any questions about it, contact us at support@companysignatures.com.
For any queries, reach us at support@companysignatures.com