
ZPresso LLC

Sharjah Media City (SHAMS) Free Zone, United Arab Emirates

Questions? legal@onesign.click

Data Processing Agreement

Effective date: April 17, 2026
Last updated: April 17, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between ZPresso LLC (“Processor”, “we”) and the customer that has entered into our Terms of Service (“Controller”, “you”) and applies whenever we process personal data on your behalf in our role as a processor under Article 28 of Regulation (EU) 2016/679 (“GDPR”) or equivalent data-protection laws.

This DPA is entered into by you by accepting the Terms of Service or by continuing to use the Service on or after the effective date above. You represent that you are authorised to enter into this DPA on behalf of the Controller. If you require a counter-signed copy for your records, email legal@onesign.click.

1. Definitions

Terms used but not defined here have the meanings given to them in the GDPR. “Customer Personal Data” means personal data that we process on your behalf in performing the Service. “Data Protection Law” means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “UAE PDPL”), and any other data-protection laws applicable to the processing.

2. Roles and scope

You are the controller of Customer Personal Data and we are the processor. The subject matter, duration, nature, and purpose of the processing; the types of personal data; and the categories of data subjects are set out in Annex A. Our processing of personal data about you (your account) is governed by our Privacy Policy, not this DPA.

3. Processing instructions

We will process Customer Personal Data only on your documented instructions, including as set out in the Terms of Service, your configuration of the Service, and this DPA, unless required to do so otherwise by Union or Member-State law to which we are subject. If we are required by law to process Customer Personal Data otherwise, we will inform you of that legal requirement before processing, unless that law prohibits it on important grounds of public interest. We will tell you without undue delay if, in our opinion, an instruction infringes Data Protection Law.

4. Confidentiality

We ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations (contractual or statutory) and are trained on their data-protection responsibilities.

5. Security measures (Article 32)

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex B. Those measures include encryption in transit and at rest, access controls, authentication, logging, backup and restore procedures, secure software development, and a documented incident-response plan. We regularly review and update these measures.

6. Sub-processors

You grant us general written authorisation to engage sub-processors to process Customer Personal Data in order to deliver the Service. A current list of sub-processors, including their location and the purpose of processing, is available at /legal/subprocessors.

We will notify you of any changes concerning the addition or replacement of sub-processors by updating that page and, if you have subscribed to change notifications (available via the form on that page), by email, in either case at least 30 days before the change takes effect. You may object in writing to a proposed sub-processor on reasonable data-protection grounds. If the objection cannot be resolved, you may terminate the parts of the Service that cannot be provided without the sub-processor, with a refund of any prepaid fees covering the remainder of the term for those parts.

We impose on each sub-processor data-protection obligations that are no less protective than those in this DPA and we remain fully liable to you for each sub-processor’s performance of its obligations.

7. Data-subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as this is possible, to fulfil your obligation to respond to requests from data subjects to exercise their rights. The Service provides self-service tools to help you access, correct, export, and delete Customer Personal Data.

If we receive a request directly from a data subject concerning Customer Personal Data, we will, without undue delay, inform the data subject to contact you and will not respond to the request ourselves (except to confirm receipt and advise the data subject to contact you) unless required by law or authorised by you.

8. Assistance with compliance obligations

We will assist you, taking into account the nature of processing and the information available to us, in ensuring compliance with your obligations under Articles 32–36 GDPR, including security, personal-data-breach notification, data-protection impact assessments, and prior consultation with supervisory authorities.

9. Personal data breaches

We will notify you without undue delay, and in any event within 72 hours after becoming aware, of any personal-data breach affecting Customer Personal Data. The notification will describe the nature of the breach (where possible the categories and approximate number of data subjects and records concerned), the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. We will keep you reasonably informed as the investigation progresses.

10. International transfers

Where Customer Personal Data originating in the EEA, the United Kingdom, Switzerland, or the UAE is transferred to a country that has not received an adequacy decision from the relevant authority, the transfer is made subject to the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), which are incorporated into this DPA by reference and deemed entered into with us as data importer. For UK-origin data, the UK International Data Transfer Addendum issued by the ICO applies. For Swiss-origin data, the Swiss FDPIC amendments apply. We also implement supplementary technical measures (encryption in transit and at rest, access controls, logging) to protect transferred data.

For UAE-origin data, we comply with the transfer requirements of Articles 22–23 of Federal Decree-Law No. 45 of 2021.

11. Return or deletion at end of processing

On termination of the Service, we will, at your choice, delete or return all Customer Personal Data to you and delete existing copies, unless Union or Member-State law requires storage of the personal data. Signed documents remain available for download for at least 30 days after termination, after which we will delete them unless otherwise instructed.

12. Audits

We will make available to you all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, subject to reasonable confidentiality and operational-security conditions. To satisfy audit rights, we may provide summaries of independent third-party certifications or assessments we hold (where applicable). Customer on-site audits are limited to once every twelve (12) months (except where required by a supervisory authority or following a personal-data breach), on at least 30 days’ prior written notice, during business hours, and at your cost.

13. Liability

Each party’s liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

14. Order of precedence

If there is any conflict between this DPA and the Terms of Service in relation to processing of Customer Personal Data, this DPA prevails. If the Standard Contractual Clauses apply and conflict with this DPA, the Standard Contractual Clauses prevail.

Annex A — Description of processing

Subject matter: Provision of the OneSign electronic-signature platform and related services, as described in the Terms of Service.
Duration: For the term of the Terms of Service, plus the retention and return/deletion periods set out in this DPA and the Privacy Policy.
Nature and purpose: Hosting, storing, transmitting, and displaying documents and signatures; capturing audit-trail metadata; sending transactional emails; producing signed PDFs; providing customer support.
Types of personal data: Names, email addresses, IP addresses, device/browser metadata, signature images (drawn, typed, or uploaded), form-field entries made by signers, any personal data contained in documents the controller uploads, and audit timestamps.
Categories of data subjects: The controller’s employees, contractors, clients, counterparties, and any other individuals invited to sign or receive documents.
Special categories: Only to the extent voluntarily included by the controller in a document or by a signer in a form field. Not required by the Service.

Annex B — Technical and organisational measures

  • Encryption in transit: all connections to the Service use TLS 1.2 or higher with modern cipher suites.
  • Encryption at rest: databases and persistent storage use AES-256 encryption at rest at the infrastructure layer.
  • Access control: least-privilege access for staff; MFA required on administrative accounts; role-based access for application users.
  • Authentication: salted password hashing using a modern adaptive algorithm; session tokens with secure cookies.
  • Network security: firewalling, rate limiting, and automated abuse detection provided by our hosting platform.
  • Logging and monitoring: server logs, application audit logs, and alerting on anomalous activity.
  • Backup and recovery: regular encrypted database backups; documented restore procedures.
  • Secure development: code review, dependency scanning, and regular patching of known vulnerabilities.
  • Incident response: documented process for identifying, containing, investigating, and notifying personal-data breaches within 72 hours.
  • Staff: confidentiality commitments and data-protection training.
  • Sub-processor diligence: written contracts imposing equivalent protection on each sub-processor.

© 2026 ZPresso LLC. All rights reserved.