Last updated: May 7, 2026
This Data Processing Addendum (“DPA”) supplements the agreement between you (the “Customer”) and Austrat Trading Corp., operating as Signatura (“Signatura,” “we,” or “us”), under our Terms of Service (the “Agreement”). It applies whenever Signatura processes Personal Data on the Customer's behalf and is automatically incorporated into the Agreement — no signed copy is required for it to apply, although a counter-signed version is available on request to legal@getsignatura.com.
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.
For Personal Data processed under the Agreement, the parties agree:
The Agreement, this DPA, and the Customer's use of the Service's features and configuration options together constitute the Customer's complete and final instructions to Signatura for the processing of Customer Personal Data. Signatura will only process Customer Personal Data as so instructed unless required to do otherwise by applicable law (in which case Signatura will inform the Customer of that legal requirement before processing, unless the law prohibits doing so on important grounds of public interest).
Signatura ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations and have received appropriate training on data protection.
Signatura implements appropriate technical and organizational measures to protect Customer Personal Data, described in detail at getsignatura.com/security. These include TLS 1.3 in transit, AES-256 at rest, row-level security in the database, server-side OAuth-token encryption, document hash sealing (SHA-256), and audit-trail logging.
The Customer authorizes Signatura to engage the sub-processors listed at getsignatura.com/sub-processors. Signatura relies on each sub-processor's published commercial data-protection terms (which typically impose obligations equivalent to this DPA on the sub-processor) and remains liable to the Customer for the performance of each sub-processor's obligations in connection with the Service.
Signatura will notify the Customer at least 30 days before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds within 14 days of notice; if the parties cannot agree on a resolution, the Customer may terminate the affected portion of the Service without penalty.
Customer Personal Data may be transferred to and processed in the United States and other countries where our sub-processors operate. The following safeguards apply:
Signatura will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable law (access, rectification, erasure, restriction, objection, portability, automated-decision review). Where Signatura receives a Data Subject request directly, it will redirect the Data Subject to the Customer (controller) without undue delay, except where Signatura is acting as an independent controller (e.g., for audit-trail integrity).
Signatura will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) GDPR to the extent then known, and Signatura will provide reasonable cooperation in the Customer's investigation, mitigation, and regulatory notification obligations.
On reasonable request, Signatura will provide the Customer with the information necessary to perform Data Protection Impact Assessments and prior consultations with supervisory authorities, including information about the Auto-Sign automated decision-making feature.
Signatura will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including by providing copies of certifications, summaries of relevant audit reports, and security documentation. The Customer may, no more than once per year (or more frequently if a Personal Data Breach has occurred or as required by a supervisory authority), conduct an audit upon reasonable advance written notice and during normal business hours, subject to confidentiality obligations. On-site audits are at the Customer's expense.
Within 30 days after termination or expiry of the Agreement, Signatura will, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless continued retention is required by applicable law — in particular, signed documents and their audit trails are retained for the period required by electronic-signature record-keeping laws (e.g., the ESIGN Act, eIDAS, and equivalent statutes) and any longer limitation period applicable to the underlying transaction.
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. No double-recovery is permitted: any liability paid under one document discharges equivalent liability under the other.
This DPA is governed by the law specified in the Agreement, except that with respect to the EU SCCs, UK Addendum, and Swiss Addendum, those instruments are governed by the laws specified in those instruments themselves.
For DPA-related inquiries, contact legal@getsignatura.com or privacy@getsignatura.com.