← SignedBy

Data Processing Addendum

Effective July 14, 2026

This Data Processing Addendum (“DPA”) supplements the SignedBy Terms of Service between the Customer and SPRK10 B.V., a company incorporated in the Netherlands (“SignedBy”), and applies where SignedBy processes personal data on behalf of a customer (“Customer”) in the course of providing the service — for example, the names and email addresses of Signers a Customer invites to sign a document.

Because SignedBy is established in the Netherlands, this DPA is intended to meet the requirements of Article 28 of the GDPR.

1. Roles of the parties

For personal data submitted to SignedBy by or through a Customer's use of the service (including data about that Customer's Signers), the Customer is the controller and SignedBy is the processor within the meaning of the GDPR (or “business” and “service provider,” respectively, under other applicable law). SignedBy processes such data only on the Customer's documented instructions, as reflected in this DPA and the Customer's configuration and use of the service.

2. Scope and nature of processing

SignedBy processes personal data to: render and store uploaded documents; capture field values and signatures entered by Signers; route signing requests by email; record the audit trail (timestamps, IP addresses, user agent strings, and document hashes) needed for a legally defensible electronic signature; generate the final signed PDF and certificate of completion; and, for Customers using optional AI-assisted features, send relevant document text to an AI sub-processor for field-suggestion, drafting, or summarization — Mistral AI by default, or Anthropic if the Customer has selected it in workspace settings. Processing lasts for the duration of the Customer's use of the service and any applicable retention period described in our Privacy Policy.

3. Sub-processors

SignedBy uses the following sub-processors to provide the service:

  • Supabase — database hosting and authentication
  • Cloudflare, Inc. (R2) — document file storage
  • Resend — transactional email delivery
  • Mistral AI — default AI processing for optional field-suggestion, document-drafting, and summary features
  • Anthropic, PBC — alternative AI processing for the same features, used only for a Customer that selects it in workspace settings instead of Mistral
  • Stripe, Inc. — payment processing for subscriptions
  • Vercel Inc. — application hosting

We will provide reasonable advance notice before adding or replacing a sub-processor that processes personal data covered by this DPA, so the Customer can object on reasonable grounds. Each sub-processor is bound by confidentiality and data-protection obligations at least as protective as this DPA. Where a sub-processor is located outside the European Economic Area, SignedBy relies on appropriate transfer safeguards recognized under GDPR, such as the European Commission's Standard Contractual Clauses.

4. SignedBy's obligations

SignedBy will:

  • Process personal data only on the Customer's documented instructions;
  • Ensure personnel with access to personal data are subject to confidentiality obligations;
  • Implement appropriate technical and organizational security measures, including encryption in transit and at rest;
  • Assist the Customer, to the extent reasonably possible, in responding to data subject requests (access, correction, deletion) relating to data the Customer controls; and
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data.

5. Deletion or return of data

On termination of the Customer's account, SignedBy will delete or, on written request made before termination, return the personal data processed on the Customer's behalf, except to the extent we are required by law to retain it (for example, audit-trail records tied to a completed electronic signature that must remain reproducible).

6. Audits

SignedBy will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits conducted by the Customer or an auditor mandated by the Customer, subject to reasonable advance notice and confidentiality.

7. Liability

Liability under this DPA is subject to the limitation of liability set out in the SignedBy Terms of Service.

8. Contact

Questions about this DPA can be sent to privacy@signedby.ai.