Last revised on September 29th, 2025
This Personal Data Processing Addendum (“Addendum”) forms part of the Terms and Conditions (“Terms”) published on the website of Signature API, Inc. This Addendum is between the party agreeing to the Terms (“Customer”) and Signature API, Inc. (“Company” and together with the Company, the “Parties”).

1. Subject Matter and Term

a) Subject Matter. This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Company’s execution of the Terms. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Terms. If and to the extent language in this Addendum or any of its Schedules conflicts with the Terms, this Addendum shall control.
b) Term and Termination. This Addendum will become legally binding upon the date on which the Customer agrees to the Terms (“Effective Date”). The Addendum will remain in full force and effect so long as:
i) the Terms remain in effect in between the Parties; or
ii) the Company retains any Customer Personal Data in its possession or control.

2. Definitions

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) “Applicable Data Protection Law(s)” means any applicable law, statute, regulation, or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, and at all times during the term of this Addendum, including: Title 1.81.5. California Individual Privacy Act of 2018 [1798.100 - 1799.100] as amended by the California Privacy Rights Act, any future amendments thereto, all regulations implemented thereunder, and any state or federal corollaries of such laws and regulations; any national data protection laws; the EU Privacy & Electronic Communications Directive (2002/58/EC); the EU General Data Protection Regulation 2016/679 (“GDPR”); other applicable laws of the European Union (“EU”) in each case as amended or replaced from time to time; European Commission decisions; binding EU and national guidance and all national implementing legislation; the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (collectively, “UK GDPR”), and any other foreign or domestic laws to the extent that they are applicable to a Party in the course of its performance of the Addendum. Where any other applicable data protection laws are not explicitly mentioned herein, but bear similarities to such laws, all terms herein shall be interpreted to also assure compliance with such laws to the extent applicable.
b) “Customer Personal Data” means Personal Data pertaining to Customer’s end users or employees, contractors, partners, suppliers, customers, and clients as applicable in each case Processed by Company to provide the Service. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Schedule 1 attached hereto, as required by the GDPR.
c) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
d) “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).
e) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f) “Processor” means a natural or legal person, public authority, agency, or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
g) “Personal Data Breach(es)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Company.
h) “Service” means any and all services that Company performs under the Terms.
i) “Standard Contractual Clauses” means the UK Standard Contractual Clauses, and/or the 2021 Standard Contractual Clauses.
j) “Third Party(ies)” means Company’s authorized contractors, agents, vendors and third party service providers that Process Customer Personal Data.
k) “UK Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/ and completed as described below.
l) “2021 Standard Contractual Clauses” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described below.
m) “Officers” means Customer’s leaders, including but not limited to Chief Information Security Officer, Data Protection Officer, Chief Information Officer, and similar officers.

3. Data Use and Processing

a) Compliance with Laws. Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
b) Purpose Limitation. Company will not Process Customer Personal Data for any purpose other than for the specific purposes set forth in the Terms, unless obligated to do otherwise by applicable law. In such case, Company will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so.
c) Documented Instructions. Company and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer. The Terms, including this Addendum, along with any applicable instructions from Customer’s Officers, constitute Customer’s instructions to Company regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses. Company will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
d) Authorization to Use Third Parties. To the extent necessary to fulfill Company’s contractual obligations under the Terms, Customer hereby authorizes (i) Company to engage Third Parties and (ii) Third Parties to engage subprocessors.
e) Company and Third Party Compliance. Company agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties (and their subprocessors) data protection and security requirements for Customer Personal Data that are at least as restrictive as the obligations in this Addendum; and (ii) remain responsible to Customer for Company’s Third Parties’ (and their subprocessors’ if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.
f) Right to Object to Third Parties. Company’s list of Third Parties that Process Customer Personal Data is listed in Schedule 2. Prior to engaging any new Third Parties that Process Customer Personal Data, Company will notify Customer via email and allow Customer fourteen (14) days to object. If Customer has legitimate objections to the appointment of any new Third Party, the Parties will work together in good faith to resolve the grounds for the objection for no less than fourteen (14) days, and failing any such resolution, Customer may terminate the part of the service performed under the Agreement that cannot be performed by Company without use of the objectionable Third Party.
g) Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
h) Personal Data Inquiries and Requests. Upon written request from Customer, Company agrees to provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Applicable Data Protection Laws (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to Company, Company shall promptly notify Customer and shall not respond to the request unless Customer has authorized Company to do so.
i) Government Access Requests. Unless prohibited by applicable law or a legally-binding request of law enforcement, Company shall promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Customer Personal Data, and shall render reasonable assistance to Customer, if Customer wishes to contest the access or seizure.
j) Data Protection Impact Assessment and Prior Consultation. Upon written request from Customer, Company agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgment, the type of Processing performed by Company is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
k) Sale of Customer Personal Data Prohibited. Company shall not sell Customer Personal Data as the term “sell” is defined by the CCPA.
l) CCPA Certification. Company hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.

4. Cross-Border Transfers of Personal Data

a) Cross-Border Transfers of Personal Data. Customer authorizes Company and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area (the “EEA”), the United Kingdom, and Switzerland to United States of America and other countries listed in Schedule 2 if applicable. Company and Customer agree to use the Standard Contractual Clauses as the adequacy mechanism supporting the transfer and Processing of Customer Personal Data, as further detailed below.
b) 2021 Standard Contractual Clauses. For transfers of Customer Personal Data out of the EEA that are subject to Section 4(a) of this Addendum, the 2021 Standard Contractual Clauses will apply and are incorporated into this Addendum. For purposes of this Addendum, the 2021 Standard Contractual Clauses will apply as set forth in this Section 4(b). “Module Two: Transfer controller to processor” will apply and all other module options will not apply. Under Annex 1 of the 2021 Standard Contractual Clauses, the “data exporter” is Customer and the “data importer” is Company and the information required by Annex 1 can be found in Schedule 1 and Schedule 2. For the purposes of Annex 2 of the Standard Contractual Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 5 and Schedule 3 of this Addendum. Clause 7 will not apply. For clause 9, the Parties choose Option 2 and the Parties agree that the time period for prior notice of Third Party changes will be as set forth in Section 3(f) of this Addendum. For clause 17, the Parties choose Option 1 and the Parties agree that the governing law will be the Republic of Ireland. For clause 18, the Parties agree that the courts of the Republic of Ireland will apply for subsection (b).
c) UK Standard Contractual Clauses. For transfers of Customer Personal Data out of the United Kingdom that are subject to Section 4(a) of this Addendum, the UK Standard Contractual Clauses will apply and are incorporated into this Addendum. For purposes of this Addendum, the UK Standard Contractual Clauses will apply as set forth in this Section 4(c). For Table 1 of the UK Standard Contractual Clauses, (i) the Parties’ details shall be the Parties, including those set forth in Annex 1 of the 2021 Standard Contractual Clauses and (ii) the Key Contacts shall be the contacts set forth in Annex 1 of the 2021 Standard Contractual Clauses. The Approved EU SCCs referenced in Table 2 shall be the 2021 Standard Contractual Clauses as executed by the Parties pursuant to this Addendum. For Table 3, Annex 1A, 1B, and II shall be set forth in Annex 1 of the 2021 Standard Contractual Clauses. For Table 4, either Party may end the UK Standard Contractual Clauses as set out in Section 19 of the UK Standard Contractual Clauses.
d) Switzerland Transfers. For transfers of Customer Personal Data out of Switzerland that are subject to Section 4(a) of this Addendum, the 2021 Standard Contractual Clauses will apply and will be deemed to have the differences set forth in this Section 4(d), to the extent required by the Swiss Federal Act on Data Protection (“FADP”). References to the GDPR in the 2021 Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR. The term “member state” in the 2021 Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 Standard Contractual Clauses. References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope. Under Annex I(C) of the 2021 Standard Contractual Clauses (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the 2021 Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
e) The Customer’s acceptance of the Terms including this Addendum shall be considered a signature to the Standard Contractual Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Standard Contractual Clauses as separate documents. In case of conflict between the Standard Contractual Clauses and this Addendum, the Standard Contractual Clauses will prevail.

5. Information Security Measures

a) Company agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Measures”). Such measures shall be designed to include the requirements listed in Schedule 3.

6. Personal Data Breaches

a) Personal Data Breach Management Procedure. Company will deploy and follow policies and procedures to detect, respond to, and otherwise address Personal Data Breaches, including procedures to (i) identify and respond to reasonably suspected or known Personal Data Breaches, mitigate harmful effects of Personal Data Breaches, document Personal Data Breaches and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
b) Notice. Company agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than seventy-two (72) hours) to Customer becoming aware that a Personal Data Breach has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Personal Data Breach.

7. Records and Audits

a) The Company will keep detailed, accurate and up-to-date written records regarding any Processing of Personal Data it carries out for Customer, including, but not limited to, the access, control and security of the Personal Data, approved subcontractors and affiliates, the Processing purposes, categories of Processing, any transfers of Personal Data to a third country and related safeguards, and a general description of the technical and organizational security measures referred to in Section 5 (Information Security Measures).
b) Right to Audit; Permitted Audits. Company shall make available to Customer and its regulators all information necessary to demonstrate compliance with Applicable Data Protection Laws and this Addendum. Customer and its regulators shall have the right to inspect Company’s architecture, systems, and documentation which are relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator:
i) Following any notice from Company to Customer of an actual or reasonably suspected Personal Data Breach involving Customer Personal Data;
ii) Upon Customer’s reasonable belief that Company is not in compliance with Applicable Data Protection Laws or this Addendum;
iii) As required by governmental regulators; or
iv) Upon request by Customer for any reason, or no reason at all, once annually.
c) Audit Terms. Any audits described in this Section shall be:
i) Conducted by Customer or its regulator, or through a third party independent contractor selected by one of these parties, and to whom Company does not reasonably object.
ii) Conducted during reasonable times.
iii) Conducted upon reasonable advance notice to Company.
iv) Of reasonable duration and scope and shall not unreasonably interfere with Company’s day-to-day operations.
v) Conducted in such a manner that does not violate any agreement between Company and its service providers, including cloud providers, or violate or cause Company to violate its reasonable policies related to security and confidentiality;
vi) Paid in full by Customer for all costs, expenses, and Company personnel time and costs incurred by Company in connection with supporting the audit.
d) Third Parties. In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Company’s and Company’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.
e) Audit Results. Upon Company’s request, after conducting an audit, Customer shall notify Company of the manner in which Company does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, Company shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. To the extent that a Customer audit identifies any material security vulnerabilities, Company shall promptly remediate those vulnerabilities.

8. Data Storage, Return and Deletion

a) Data Storage. Company will not store or retain any Customer Personal Data except as necessary to perform the Service under the Terms.
b) Data Return and Deletion. At Customer’s request, Company will give Customer a copy of or access to all or part of Customer’s Personal Data in its possession or control in the format and on the media reasonably specified by Customer. On termination of the Agreement for any reason or expiry of its term, Company will securely delete or destroy or, if directed in writing by Customer, return and not retain, all or any Personal Data related to this Addendum in its possession or control. Company will certify in writing that it has destroyed the Personal Data within thirty (30) days after it completes the destruction.

9. Limitation of Liability

a) For the avoidance of doubt, the limitation of liability set forth in the Terms applies.

10. Miscellaneous

a) Notwithstanding anything else to the contrary in the Terms, the Company reserves the right to make any modifications to this Addendum as may be necessary to comply with Applicable Data Protection Laws so long as such modifications shall not degrade any service functionalities or safeguards associated with providing the Service.

Schedule 1

Description of Transfer

Categories of Data Subjects

Customer’s authorized users, representatives, and end users, including, without limitation, Customer’s employees, contractors, partners, suppliers, customers, and clients

Categories of Personal Data Transferred

Any personal data that is provided in connection with this Addendum, including, without limitation, contact information such as name, address, telephone or mobile number, email addresses.

Frequency of Transfer (e.g., one off or continuous)

On a continuous basis as needed to provide the Service to Customer for the term provided herein in this Addendum

Nature of Processing

Collection, recording, organization, structuring, storage, archiving, receiving data, data entry, adaptation, alteration, or correction, retrieval, consultation, use, analysis; protection of data; disclosure by transmission; dissemination, allowing access or otherwise making available; alignment, combination; erasure, destruction; restriction; return of data to controller or data subject.

Purpose of Processing

The purpose of the personal data processing is to provide the Service pursuant to the Terms

Duration of Processing

The personal data will be retained for as long as Customer maintains an active subscription and for 30 days thereafter. Customer may delete any envelopes including personal data at any time, in which case the Company will erase any associated personal data within 30 days.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Personal data may potentially be accessed by the following sub-processors:
| Sub-Processor | Subject matter, nature and duration of the processing |
| --- | --- |
| Amazon Web Services, Inc. (USA) | Provision of cloud infrastructure for the same duration as the data processing carried out by the processor |
| Crunchy Data Solutions, Inc. (USA) | Provision of database hosting solutions for the same duration as the data processing carried out by the processor |
| Svix Inc. (USA) | Provision of webhooks management services for the same duration as the data processing carried out by the processor |
| Tinybird, Inc. (USA) | Provision of logs hosting services for the same duration as the data processing carried out by the processor |

Schedule 2

Subprocessors

| Subprocessor | Country | Address | Purpose of the processing |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | USA | 410 Terry Avenue North, Seattle, WA 98109, United States | Provision of cloud infrastructure |
| Crunchy Data Solutions, Inc. | USA | 162 Seven Farms Drive, Suite 220, Charleston, SC 29492, United States | Provision of database hosting services |
| Svix Inc. | USA | 169 Madison Avenue, Suite 2278, New York, NY 10016, United States | Webhooks management services |
| Tinybird, Inc. | USA | 41 East 11th Street, 11th Floor, New York, NY 10003, United States | Logs hosting services |

Schedule 3

Security Measures

Company shall implement at a minimum the following security processes and practices. This Schedule 3 represents the minimum security measures that will be taken by Company.

1. Information Security Policies and Standards.

Company will implement security requirements for staff and all subcontractors, suppliers, or agents who have access to Personal Data that are designed to:
  • Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);
  • Prevent Personal Data processing systems being used without authorization (logical access control);
  • Ensure that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of processing or use and after storage Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
  • Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
  • Ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from processing systems (entry control); and
  • Ensure that Personal Data are protected against accidental destruction or loss (availability control).
Company will conduct periodic risk assessments and review and, as appropriate, revise its information security practices at least annually or whenever there is a material change in Company’s business practices that may reasonably affect the security, confidentiality or integrity of Personal Data, provided that Company will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of Personal Data.

2. Physical Security.

Company will maintain commercially reasonable security systems at all Company sites at which an information system that uses or houses Personal Data is located. Company shall reasonably restrict access to such Personal Data appropriately.

3. Organizational Security

  • When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of Personal Data stored on them.
  • Company will implement security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.
  • All Personal Data Breaches are managed in accordance with appropriate incident response procedures.
  • Company will encrypt, using industry-standard encryption tools, all sensitive data that Company: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; and (iii) stores on portable devices, where technically feasible. Company will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Information.

4. Network Security.

Company maintains network security using commercially available equipment and industry‑standard techniques, including firewalls, intrusion detection and prevention systems, access control lists and routing protocols.

5. Access Control

  • Company will maintain appropriate access controls, including, but not limited to, restricting access to Personal Data to the minimum number of Company personnel who require such access.
  • Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data.
  • User administration procedures: define user roles and their privileges; define how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.
  • All employees of Company are assigned unique User-IDs.
  • Access rights are implemented adhering to the “least privilege” approach.
  • Company implements commercially reasonable physical and electronic security to create and protect passwords.

6. Virus and Malware Controls.

Company installs and maintains anti-virus and malware protection software on systems to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use of Personal Data.

7. Personnel.

  • Prior to providing access to Personal Data to Company personnel, Company will require Company personnel to comply with its information security program.
  • Company implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations; physical security controls; security practices; and security incident reporting.
  • Company has clearly defined roles and responsibilities for the employees. Screening is implemented before employment with terms and conditions of employment applied appropriately.
  • Company employees strictly follow established security policies and procedures. Disciplinary processes will be applied if employees commit a security breach.

8. Business Continuity.

Company implements appropriate back-up, disaster recovery and business resumption plans. Company reviews both its business continuity plan and risk assessment regularly. The Company’s business continuity plan and risk assessment process are tested and updated regularly to ensure that they are up to date and effective.