Data Processing Agreement

Last updated: January 15, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between eSignHub ("Processor") and the Customer ("Controller") to reflect the parties' agreement with regard to the Processing of Personal Data.

1. Definitions

For purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any processor engaged by eSignHub to process Personal Data
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679

2. Scope and Purpose

This DPA applies to all Processing of Personal Data by eSignHub on behalf of the Customer in connection with the Services. The purpose of Processing includes:

  • Providing electronic signature services
  • Document storage and management
  • User authentication and access control
  • Audit trail and compliance logging
  • Customer support and service improvement

3. Processor Obligations

eSignHub agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance

4. Security Measures

eSignHub implements the following security measures:

  • Encryption of Personal Data at rest and in transit (AES-256, TLS 1.3)
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident detection and response procedures
  • Employee security training and awareness programs
  • Physical security controls at data centers

5. Sub-processors

The Customer authorizes eSignHub to engage Sub-processors. eSignHub will:

  • Maintain a list of current Sub-processors
  • Notify the Customer of any intended changes to Sub-processors
  • Ensure Sub-processors are bound by data protection obligations
  • Remain liable for Sub-processor compliance

Current Sub-processors include: Google Cloud Platform (hosting), Stripe (payments), and SendGrid (email delivery).

6. International Transfers

Personal Data may be transferred to countries outside the European Economic Area. eSignHub ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

7. Data Subject Rights

eSignHub will assist the Controller in fulfilling Data Subject rights including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing
  • Right to restrict processing

8. Data Breach Notification

eSignHub will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories of data affected, and remedial measures taken.

9. Audit Rights

eSignHub will allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller. eSignHub's security documentation and compliance reports are available upon request.

10. Contact

For questions about this DPA or to request a signed copy, contact our Data Protection Officer at [email protected].