Data Processing & GDPR
Effective 2026-05-28
This page sets out the data-processing terms that apply between you, the Customer (the "Controller"), and Sodasoft LLC (the "Processor"), the operator of EmailSignature.io, located at 30 N Gould St, Sheridan, Wyoming 82801, United States.
Together with our Terms of Service and Privacy Policy, this constitutes our Data Processing Addendum ("DPA") for the purposes of Article 28 of the EU General Data Protection Regulation ("GDPR") and the UK GDPR.
1. Roles of the Parties
For personal data of your employees and contacts that you input into the Service (e.g. employee names, titles, emails, phone numbers, profile photos, signature recipients), you are the Controller and we are the Processor.
For personal data we collect directly from you as our account holder (your name, account email, billing data), we act as Controller and our Privacy Policy applies.
2. Subject Matter, Nature and Duration
- Subject matter: hosting and processing of personal data necessary to provide the Service.
- Nature of processing: storage, transmission, rendering, and (upon your instruction) deployment of signatures to your Google Workspace or Microsoft 365 tenant.
- Categories of data: identification data (name, email, photo), professional data (job title, department, office location, phone numbers), and technical data (IP, user-agent) for logged-in users.
- Categories of data subjects: your employees, your contractors, and the recipients of email signatures.
- Duration: for the term of your subscription, plus deletion windows described in our Privacy Policy.
3. Processor Obligations
We will:
- process personal data only on your documented instructions, including with regard to transfers outside the EEA;
- ensure that personnel authorized to process the data are bound by confidentiality obligations;
- implement and maintain appropriate technical and organizational measures (see Section 5);
- assist you in responding to data-subject requests and in fulfilling your obligations under Articles 32–36 GDPR;
- notify you without undue delay (and in any case within 72 hours of becoming aware) of a personal-data breach affecting your data;
- on termination, delete or return all personal data unless retention is required by law.
4. Customer Obligations
As Controller, you are responsible for:
- establishing and maintaining a lawful basis for processing data you put into the Service;
- informing your employees and contacts about your use of the Service in your own privacy notice;
- configuring access controls within your organization;
- responding to data-subject requests for your data (we will assist as Processor).
5. Subprocessors
You consent to our use of the subprocessors below to provide the Service. We remain responsible for their performance under this DPA. We will give at least 30 days' notice of any new subprocessor; you may object on reasonable data-protection grounds by emailing privacy@emailsignature.io.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting (compute + edge network) | United States, with global edge presence |
| Supabase Inc. | Managed Postgres database + object storage | European Union (Frankfurt) for EmailSignature.io |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Resend, Inc. | Transactional email delivery (magic links, invitations) | United States |
| Google LLC | Google Workspace signature deployment integration (only when an organization opts in) | United States |
| Microsoft Corporation | Microsoft 365 / Exchange signature deployment integration (only when an organization opts in) | United States |
6. Security Measures
- TLS 1.2+ encryption in transit for all customer traffic;
- encryption at rest for the production database (Supabase managed encryption);
- passwordless authentication (magic-link), eliminating password-based attack surface;
- strict tenant isolation: every database query is scoped by `organization_id` in application code; per-organization audit logs;
- least-privilege access for personnel; production credentials are rotated and never shared by email or chat;
- request rate-limiting and abuse detection;
- vulnerability monitoring via dependency-scanning tools; security patches applied promptly.
7. International Transfers
Where personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent transfer mechanisms.
8. Data Subject Rights
We will assist you, taking into account the nature of the processing, in fulfilling your obligations to respond to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). For requests, write to privacy@emailsignature.io.
9. Audits
Upon reasonable written request and no more than once per year (or more frequently if required by a supervisory authority or following a breach), we will provide information necessary to demonstrate compliance with this DPA, including summaries of any audits or certifications obtained from our subprocessors.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
11. Governing Law
This DPA is governed by the same law as the Terms of Service, except where overridden by mandatory provisions of EU / EEA / UK data protection law applicable to data subjects in those territories.
12. Contact
For DPA-related matters and to act as your point of contact for data protection enquiries, email privacy@emailsignature.io or write to Sodasoft LLC, 30 N Gould St, Sheridan, Wyoming 82801, United States.