Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union that regulates the processing of personal data. This page explains how Documenso handles GDPR compliance and your responsibilities as a data controller.When you use Documenso, you are the data controller and Documenso is the data processor. You
determine what data to process and why; Documenso processes it according to your instructions.
Data Controller vs Data Processor
Understanding roles under GDPR is essential:- Tab Title
- Tab Title
Your Role and Responsibilities
As the data controller, you:Determine purposes and means:- Decide what personal data to collect
- Determine why you’re processing the data
- Choose what signing workflows to use
- Obtain consent or establish another legal basis (contract, legitimate interest, etc.)
- Inform data subjects about processing activities
- Provide privacy notices
- Handle access requests
- Process rectification requests
- Fulfill erasure requests (“right to be forgotten”)
- Provide data portability
- Conduct Data Protection Impact Assessments (DPIAs) when required
- Maintain records of processing activities
- Report data breaches to supervisory authorities
- Choose processors that provide sufficient guarantees
What Personal Data Does Documenso Process?
Documenso processes personal data necessary to provide document signing services:| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity Data | Name, email address | User accounts, recipient identification | Contract performance |
| Document Data | Uploaded PDFs, field values, form entries | Document storage and signing | Contract performance |
| Signature Data | Signature images, typed names, signing actions | Recording signatures | Contract performance |
| Audit Data | IP addresses, browser info, timestamps | Audit trail and security | Legitimate interest |
| Account Data | Profile settings, preferences | Providing service features | Contract performance |
| Billing Data | Payment information (via Stripe) | Payment processing | Contract performance |
Data Minimization
Documenso follows the principle of data minimization:- Only collects data necessary for signing services
- Does not require unnecessary personal information
- Allows anonymous document signing in some configurations
- You control what data is included in documents
Data Storage Locations
Where your data is stored depends on how you use Documenso:- Tab Title
- Tab Title
Documenso Cloud Storage
For the hosted cloud service:| Component | Location | Encryption |
|---|---|---|
| Application DB | EU data centers | Encrypted at rest |
| Document storage | EU data centers | Encrypted at rest |
| Backups | EU (separate location) | Encrypted |
| Email delivery | Via EU servers | TLS in transit |
- All personal data stored within the European Union
- Infrastructure hosted in EU data centers
- No transfer of personal data outside the EU without appropriate safeguards
- Cloud hosting - EU-based infrastructure providers
- Email delivery - EU-based email service providers
- Payment processing - Stripe (with Standard Contractual Clauses)
Data Subject Rights
GDPR grants individuals specific rights regarding their personal data. As the data controller, you are responsible for fulfilling these requests:Data Deletion and Retention
Data Processing Agreement (DPA)
A Data Processing Agreement is required by GDPR when a data controller engages a data processor.- Tab Title
- Tab Title
DPA for Documenso Cloud
Availability:- DPA available upon request
- Contact [email protected] to request a DPA
- Included in Enterprise agreements
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller and processor
- Security measures
- Sub-processor authorization
- Data breach notification
- Assistance with data subject requests
- Deletion or return of data upon termination
- For any data transfers outside the EU (if applicable)
- EU Commission-approved SCCs
- Ensures adequate safeguards for international transfers
Data Breach Notification
Under GDPR, data breaches must be reported promptly.Documenso’s Responsibilities
If Documenso (as processor) becomes aware of a personal data breach:- Notify you (controller) without undue delay (target: within 24-48 hours)
- Provide details including:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
- Assist with breach investigation and mitigation
Your Responsibilities
As the data controller:- Assess the breach - Determine risk to data subjects
- Report to supervisory authority (if required) - Within 72 hours of becoming aware
- Notify affected individuals (if high risk) - Without undue delay
- Document the breach - Keep records of all breaches
Self-Hosted Breach Response
For self-hosted deployments:- You are responsible for detecting and responding to breaches
- Implement monitoring and alerting
- Establish incident response procedures
- Document breach response plan
Privacy by Design and Default
Documenso implements privacy by design and default:Self-Hosting for GDPR Compliance
Self-hosting Documenso can simplify GDPR compliance:Benefits
- Data residency - Store all data in your chosen jurisdiction
- No external processor - Eliminate Documenso as a processor
- Direct control - Full database and infrastructure access
- Custom retention - Implement your own retention policies
- Air-gapped deployment - Complete data isolation
- Simplified DPIAs - Fewer third parties to assess
Configuration Recommendations
- Enable encryption at rest and in transit
- Configure strong authentication (MFA)
- Implement audit logging
- Establish backup and disaster recovery
- Document security controls
- Train users on privacy practices
Data Protection Impact Assessment (DPIA)
A DPIA may be required when processing operations are likely to result in high risk to data subjects.When a DPIA is Required
Consider conducting a DPIA if you:- Process sensitive categories of data (health, biometric, etc.)
- Process data on a large scale
- Systematically monitor individuals
- Use automated decision-making with legal effects
- Process vulnerable populations’ data (children, employees)
Documenso DPIA Support
Documenso can assist with your DPIA by providing:- Description of processing operations
- Security measures implemented
- Sub-processor information
- Data flow documentation
- Risk mitigation measures
International Data Transfers
Documenso Cloud
- Primary data storage: EU data centers
- No routine transfers outside EU
- Any transfers use Standard Contractual Clauses
Self-Hosted
- You control all data locations
- No transfers to Documenso infrastructure
- Your responsibility to implement appropriate safeguards for international transfers
Contact
For GDPR-related inquiries:- General questions: [email protected]
- Data Protection Officer: [email protected]
- Data Processing Agreement: [email protected]
- Security incidents: [email protected]
Disclaimer
This documentation is provided for informational purposes only and does not constitute legal
advice. GDPR compliance depends on your specific circumstances, including how you use Documenso,
what data you process, and your organisation’s obligations.
- Determine your GDPR obligations
- Assess lawful bases for processing
- Draft appropriate privacy notices
- Establish data retention policies
- Respond to data subject requests
- Conduct Data Protection Impact Assessments
- Prepare for supervisory authority audits
Related
- Privacy Policy - Documenso’s privacy practices
- Security - Security measures and practices
- E-Sign Compliance - Electronic signature laws
- Self-Hosting - Deploy on your own infrastructure
- Environment Variables - Security configuration