Data Processing Addendum
Last updated: April 27, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written or electronic agreement (the “Agreement”) between Apps Record LLC, a Texas limited liability company doing business as BulkSignature (“BulkSignature,” “we,” “us,” or “our”), and the customer that has accepted the Agreement (“Customer”), and reflects the parties’ agreement on the Processing of Personal Data in connection with BulkSignature’s provision of the Services to Customer.
By accepting the Agreement or otherwise using the Services, Customer agrees to this DPA on Customer’s own behalf and, to the extent required under applicable Data Protection Laws, on behalf of Customer’s Authorized Affiliates and Customer’s end users. This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall prevail.
Customers requiring a counter-signed copy of this DPA may download a copy and submit it to privacy@bulksignature.com. The text of the DPA does not change.
1. Definitions
In this DPA, the following terms have the meanings set forth below. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
- “Agreement” means the BulkSignature Terms of Service or other agreement between BulkSignature and Customer governing the provision of the Services.
- “Customer Personal Data” means Personal Data that BulkSignature Processes on behalf of Customer in the course of providing the Services.
- “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“EU GDPR”) and the United Kingdom General Data Protection Regulation as incorporated into UK domestic law by the Data Protection Act 2018 (“UK GDPR”), together with any implementing or supplementary national legislation, in each case as applicable to the Processing of Customer Personal Data under this DPA.
- “Personal Data,” “Controller,” “Processor,” “Data Subject,” “Processing,” “Personal Data Breach,” and “Supervisory Authority” have the meanings given to them in the EU GDPR or UK GDPR (as applicable).
- “Restricted Transfer” means a transfer of Customer Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority.
- “Services” means the BulkSignature email signature management services and related products described in the Agreement.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, as approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Sub-processor” means any third party engaged by BulkSignature (or any of its affiliates) to Process Customer Personal Data in connection with the provision of the Services.
- “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner’s Office under section 119A of the Data Protection Act 2018.
2. Scope and Roles
This DPA applies when Customer Personal Data is Processed by BulkSignature in the course of providing the Services. The parties acknowledge and agree that, with respect to the Processing of Customer Personal Data:
- Customer is the Controller of Customer Personal Data;
- BulkSignature is the Processor of Customer Personal Data; and
- BulkSignature will engage Sub-processors in accordance with Section 7 of this DPA.
Each party shall comply with its respective obligations under Data Protection Laws.
3. Customer Instructions
BulkSignature shall Process Customer Personal Data only on documented instructions from Customer, including with regard to Restricted Transfers, unless required to do so by law to which BulkSignature is subject. The Agreement (including this DPA), Customer’s use and configuration of the Services, and any additional written instructions agreed by the parties constitute Customer’s documented instructions to BulkSignature.
BulkSignature shall promptly inform Customer if, in BulkSignature’s opinion, an instruction infringes Data Protection Laws. BulkSignature shall not be required to comply with an instruction that would result in such an infringement.
4. Confidentiality
BulkSignature shall ensure that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. BulkSignature shall limit access to Customer Personal Data to personnel who require access to perform their duties.
5. Security Measures
BulkSignature shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects, in accordance with Article 32 of the EU GDPR and UK GDPR.
The technical and organizational measures applied by BulkSignature are described in Annex 2 to this DPA. BulkSignature may update these measures from time to time provided that such updates do not materially diminish the level of protection of Customer Personal Data.
6. Data Subject Requests
BulkSignature shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
If BulkSignature receives a request from a Data Subject relating to Customer Personal Data, BulkSignature shall promptly notify Customer and shall not respond to the Data Subject directly without Customer’s authorization, except as required by applicable law.
7. Sub-processors
Customer authorizes BulkSignature to engage Sub-processors to Process Customer Personal Data in connection with the Services. BulkSignature’s current list of Sub-processors is published in the BulkSignature Privacy Policy at bulksignature.com/privacy.
BulkSignature shall provide Customer with at least 30 days’ prior written notice by email of any addition or replacement of a Sub-processor. If Customer reasonably objects to the addition or replacement of a Sub-processor on legitimate data protection grounds, the parties shall discuss in good faith. If the parties cannot reach agreement, Customer may terminate the affected portion of the Services without liability by giving written notice to BulkSignature.
BulkSignature shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA, including with respect to the security of Customer Personal Data and the obligations of a Processor. BulkSignature shall remain liable to Customer for the performance of each Sub-processor’s obligations.
8. Personal Data Breach Notification
BulkSignature shall notify Customer without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, in accordance with the BulkSignature Incident Response Plan (including Appendix D — GDPR / UK GDPR Breach Procedures for Personal Data of EU and UK Residents).
BulkSignature’s notification shall, taking into account the nature of the Processing and the information available to BulkSignature, include:
- a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- the name and contact details of the BulkSignature Privacy Lead or other contact point where more information can be obtained (privacy@bulksignature.com);
- a description of the likely consequences of the Personal Data Breach; and
- a description of the measures taken or proposed to be taken by BulkSignature to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide all of the above information at the same time, the information may be provided in phases without undue further delay.
9. Data Protection Impact Assessment
BulkSignature shall provide reasonable assistance to Customer, taking into account the nature of the Processing and the information available to BulkSignature, with any data protection impact assessments required under Article 35 of the EU GDPR or UK GDPR, and with prior consultations with Supervisory Authorities required under Article 36 of the EU GDPR or UK GDPR, in each case solely in relation to the Processing of Customer Personal Data.
10. International Data Transfers
Customer authorizes BulkSignature to transfer Customer Personal Data to the United States and to such other jurisdictions as may be necessary to provide the Services. BulkSignature’s primary processing location is the United States (AWS US-EAST-1).
To the extent that any transfer of Customer Personal Data from the EEA, Switzerland, or the United Kingdom to BulkSignature constitutes a Restricted Transfer, the parties agree that:
- For transfers from the EEA or Switzerland, the Standard Contractual Clauses (Module Two: controller to processor, and Module Three: processor to processor, as applicable) approved by Commission Implementing Decision (EU) 2021/914 are hereby incorporated into this DPA by reference and apply to such transfers, with the parties’ details, processing details, and technical and organizational measures populated as set out in this DPA and its Annexes.
- For transfers from the United Kingdom, the UK IDTA (Version B1.0) is hereby incorporated into this DPA by reference and applies to such transfers, with the SCCs incorporated as the “Approved EU SCCs” for the purposes of the UK IDTA.
Where any other lawful transfer mechanism becomes available and is appropriate to the transfer, BulkSignature may rely on such mechanism in addition to or in place of the SCCs and UK IDTA, and the parties shall cooperate in good faith to give effect to it.
11. Audits and Information
BulkSignature shall make available to Customer the information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. This obligation may be satisfied by BulkSignature providing, upon Customer’s reasonable written request and no more than once per twelve (12) month period:
- BulkSignature’s most recent SOC 2 Type II report (or equivalent independent third-party attestation);
- BulkSignature’s most recent third-party penetration test summary; and
- responses to a reasonable security questionnaire from Customer.
All information disclosed under this Section is BulkSignature’s Confidential Information and shall be subject to the confidentiality terms of the Agreement. Where Customer reasonably determines that the information provided is insufficient to verify compliance with this DPA, the parties shall discuss in good faith additional measures BulkSignature may take to provide such verification. On-site or remote audits requiring direct access to BulkSignature’s systems, personnel, or facilities are not granted by this DPA.
12. Return or Deletion of Customer Personal Data
Following the termination or expiration of the Agreement, BulkSignature shall delete Customer Personal Data within 6 months in accordance with the BulkSignature Privacy Policy. Customer may request expedited deletion or return of Customer Personal Data by submitting a written request to privacy@bulksignature.com, in which case BulkSignature shall complete deletion or return within 30 days of receipt of the request.
Personal Data deletion requests propagate to backups within 90 days through the backup rotation. BulkSignature may retain Customer Personal Data only to the extent and for the period required by applicable law, and only for the purposes and subject to the conditions specified in such law.
13. Liability
Each party’s aggregate liability arising under or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement. Liability under this DPA shall apply in the aggregate with liability under the Agreement, not in addition to it.
14. Term and Termination
This DPA shall remain in effect for the term of the Agreement and shall continue to apply to any Processing of Customer Personal Data carried out after the termination or expiration of the Agreement until such Personal Data has been deleted or returned in accordance with Section 12.
15. General Provisions
BulkSignature may update this DPA from time to time to reflect changes in applicable law, BulkSignature’s practices, or industry standards. Material changes will be notified to Customer with at least 30 days’ prior notice via email or through the Services. Continued use of the Services after the effective date of an update constitutes acceptance of the updated DPA.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. This DPA is governed by the laws specified in the Agreement.
Annex 1 — Description of Processing
Subject matter of the Processing: The provision of the BulkSignature email signature management Services to Customer.
Duration of the Processing: The term of the Agreement, plus any post-termination retention period set out in Section 12 of this DPA.
Nature and purpose of the Processing: Processing of Customer Personal Data as necessary to provide, support, secure, and improve the Services, including the storage, transmission, formatting, and delivery of email signature content; user authentication; customer support; and integration with Customer’s authorized third-party platforms.
Categories of Data Subjects:
- Customer’s authorized users (e.g., employees, contractors, and other personnel granted access to the Services by Customer);
- Recipients of emails sent by Customer’s authorized users that include signatures generated by the Services;
- Other Data Subjects whose Personal Data is provided to or collected by the Services in the course of Customer’s use.
Categories of Customer Personal Data:
- Identity and contact data (name, business email address, phone number, job title, company);
- Authentication data (account credentials, authentication tokens for connected platforms);
- Email signature content (text, images, formatting, and any Personal Data included by Customer or its users);
- Device, connection, and usage data (IP address, browser type, device identifiers, timestamps);
- Communication content related to support requests submitted to BulkSignature by Customer or its users.
Special categories of Personal Data (if any): BulkSignature does not request or require Customer to provide special categories of Personal Data within the meaning of Article 9 of the EU GDPR or UK GDPR. Customer is responsible for ensuring that special category data is not submitted to the Services without an appropriate legal basis.
Frequency of the transfer: Continuous, as required to provide the Services.
Period for which the Personal Data will be retained: As set out in the BulkSignature Privacy Policy at bulksignature.com/privacy and in Section 12 of this DPA.
Annex 2 — Technical and Organizational Measures
BulkSignature implements and maintains the following categories of technical and organizational measures, as further described in the BulkSignature Information Security and Data Privacy Policies:
- Encryption. Personal Data is encrypted at rest and in transit. Field-level encryption is applied to sensitive data elements where supported. TLS 1.2 or higher is used for all data transmitted over public networks.
- Access controls. Access to Personal Data is limited to personnel with a documented business need, on a least-privilege basis. Multi-factor authentication is required for access to production systems. Access is reviewed periodically and revoked promptly upon role change or termination.
- Secure infrastructure. The Services operate on the Amazon Web Services (AWS) cloud platform and benefit from AWS’s security infrastructure, including network segmentation, intrusion detection, and physical security controls at AWS data centers.
- Secrets management. Application credentials, API keys, and cryptographic keys are stored in approved secrets management systems and are rotated on a defined schedule and on suspected compromise.
- Logging and monitoring. Production systems generate detailed event logs which are retained and monitored in accordance with the BulkSignature Operations Security Policy. Alerts are configured for events posing significant risk to the confidentiality, integrity, or availability of Customer Personal Data.
- Vulnerability management. BulkSignature conducts regular vulnerability scans, dependency analysis, dynamic application security testing, and at least annual third-party penetration testing of production-facing systems.
- Backups and resilience. Encrypted backups of Personal Data are maintained on a rolling basis in a separate cloud account or region, with access controls distinct from production. Backup restore tests are performed at least annually.
- Personnel security. All employees and contractors with access to Personal Data are subject to background checks (where lawful), confidentiality obligations, and mandatory security and privacy awareness training at hire and annually thereafter.
- Secure development. Code changes are subject to peer review, automated testing, static and dynamic security scanning, dependency and license analysis, and protected branch controls. Production data is not used in non-production environments without masking or anonymization and Data Owner approval.
- Incident response. BulkSignature maintains an Incident Response Plan that defines detection, triage, containment, remediation, customer notification, and post-incident review processes. Tabletop exercises are conducted at least annually.
- Vendor and sub-processor management. BulkSignature performs security reviews of vendors handling Personal Data, requires Data Processing Agreements and (where applicable) SOC 2 attestations, and maintains a current sub-processor list.
Annex 3 — Sub-processors
BulkSignature’s current list of Sub-processors is published in the BulkSignature Privacy Policy at bulksignature.com/privacy. BulkSignature shall notify Customer of additions or replacements of Sub-processors as set out in Section 7 of this DPA.
Annex 4 — Standard Contractual Clauses and UK IDTA
For Restricted Transfers from the EEA or Switzerland, the parties hereby incorporate the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 (Module Two: controller to processor, and Module Three: processor to processor, as applicable). The SCCs are populated as follows:
- Clause 7 (Docking clause): applies.
- Clause 9 (Use of sub-processors): Option 2 (general written authorization) applies, with the 30-day notice period set out in Section 7 of this DPA.
- Clause 11 (Redress): the optional language regarding independent dispute resolution does not apply.
- Clause 17 (Governing law): the laws of the Republic of Ireland apply.
- Clause 18 (Choice of forum and jurisdiction): disputes shall be resolved before the courts of Ireland.
- Annex I.A (Parties): Customer (data exporter, Controller) and BulkSignature (data importer, Processor), with contact details as set out in the Agreement and at privacy@bulksignature.com.
- Annex I.B (Description of transfer): as set out in Annex 1 of this DPA.
- Annex I.C (Competent supervisory authority): the competent Supervisory Authority of the EU Member State in which the Customer (or, where applicable, Customer’s EU Representative) is established, or the Irish Data Protection Commission where Customer is not established in the EEA.
- Annex II (Technical and organizational measures): as set out in Annex 2 of this DPA.
- Annex III (List of Sub-processors): as set out in Annex 3 of this DPA.
For Restricted Transfers from the United Kingdom, the parties hereby incorporate the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0 (the “UK IDTA”). For the purposes of the UK IDTA:
- Table 1 (Parties): as set out in Annex I.A above.
- Table 2 (Selected SCCs, Modules and selected clauses): the SCCs incorporated above, as the “Approved EU SCCs.”
- Table 3 (Appendix Information): the information set out in Annexes 1, 2, and 3 of this DPA.
- Table 4 (Ending the Addendum when the Approved Addendum changes): neither party may end the UK IDTA as set out in Section 19 of the UK IDTA.