Data Protection

GDPR & UK GDPR Statement

This statement explains SalesSign’s approach to GDPR compliance under both the EU and UK regimes overseen by the ICO. It covers how SalesSign approaches the EU General Data Protection Regulation and the UK GDPR: the lawful bases we rely on, the rights you can exercise, how we handle international transfers, and who to contact. It is written in plain English so a procurement, security or legal reviewer can assess us quickly.

Last updated: 3 June 2026

1. Scope of this statement

This statement explains how SalesSign, operated by SalesSign Limited (company number 16612732), registered office 4a Fairway, Petts Wood, Orpington, England, BR5 1EG (“SalesSign”, “we”, “us”), complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”) and the United Kingdom General Data Protection Regulation as it forms part of UK law under the Data Protection Act 2018 (“UK GDPR”). Where this statement refers simply to “GDPR”, it means both regimes as applicable.

SalesSign is a Salesforce-native proposal and eSignature platform: you build, send, track and eSign proposals without leaving Salesforce. This statement should be read alongside our Privacy Policy, our Data Processing Addendum (DPA) and our list of sub-processors.

2. Our role: controller and processor

Whether SalesSign is a “controller” or a “processor” depends on the data in question.

  • As a controller — we determine the purposes and means of processing for our own business data: prospects and customers who interact with our marketing website, sign up for or use the product, contact support, or attend a demo. This includes account, billing and usage data.
  • As a processor — when you use the SalesSign product, the customer documents and CRM data involved in your proposals and signature workflows remain within your own Salesforce org, under your control. To the extent SalesSign processes any personal data on your behalf in delivering the service, we act as your processor and only on your documented instructions. Those instructions and our obligations are governed by our Data Processing Addendum.

Note: The SalesSign marketing website and the web application are operated as separate environments. The substance of your proposals, contracts and CRM records resides in your own Salesforce org rather than being stored by SalesSign as a primary record system.

3. Lawful bases for processing

When SalesSign acts as a controller, we rely on one or more of the following lawful bases under Article 6 of the GDPR:

| Processing activity | Lawful basis |
| --- | --- |
| Providing and administering the SalesSign service to a customer; managing the account relationship | Performance of a contract (Art. 6(1)(b)) |
| Billing, invoicing, tax and statutory record-keeping | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
| Securing our systems, preventing fraud and abuse, and product improvement | Legitimate interests (Art. 6(1)(f)) |
| Responding to enquiries, demos and support requests | Performance of a contract or pre-contract steps (Art. 6(1)(b)) / legitimate interests (Art. 6(1)(f)) |
| Marketing communications where consent is required; non-essential cookies and analytics | Consent (Art. 6(1)(a)) |

Where we rely on legitimate interests, we carry out a balancing assessment to ensure your interests and rights are not overridden. Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal. We do not carry out solely automated decision-making producing legal or similarly significant effects within the meaning of Article 22.

4. Your rights as a data subject

Subject to the conditions and exemptions in the GDPR, you have the right to:

  • Be informed about how your personal data is used (this statement and our Privacy Policy).
  • Access a copy of the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) in certain circumstances.
  • Restrict processing in certain circumstances.
  • Data portability — to receive your data in a structured, commonly used, machine-readable format.
  • Object to processing based on legitimate interests, and to object to direct marketing at any time.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a supervisory authority (see section 9).

How to exercise your rights

To make a request, contact us at admin@salessign.io. We will respond within one month of receipt, with the option to extend by a further two months for complex or numerous requests (we will tell you if this applies). We may ask you to verify your identity before acting on a request.

If you are an individual whose data appears within a customer’s Salesforce org or proposals (for example, a signer on a document), SalesSign typically acts as a processor for that data. In that case, please direct your request to the relevant SalesSign customer who controls it; we will assist that customer in responding as required under our DPA.

5. International transfers

Where personal data is transferred outside the UK or the European Economic Area to a country that is not covered by an adequacy decision, we put in place an appropriate safeguard recognised under the GDPR before the transfer takes place. Depending on the transfer, this includes:

  • the European Commission’s Standard Contractual Clauses (SCCs) for EU GDPR transfers; and
  • the UK’s International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, for UK GDPR transfers.

Where required, we carry out a transfer risk assessment and apply supplementary measures. Our sub-processors list identifies the third parties involved in delivering the service and the relevant transfer mechanism for each. The transfer terms that apply between you and SalesSign are set out in our DPA.

6. Sub-processors

We engage a limited set of sub-processors to help deliver the service (for example, infrastructure and operational tooling). We maintain an up-to-date list, impose data-protection obligations on each sub-processor that are no less protective than those in our DPA, and provide a mechanism for you to be notified of and object to changes. See our current sub-processors.

7. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting or reporting requirements.

  • Account and contract data — for the duration of your relationship with SalesSign and a defined period afterwards for legal and audit purposes: the life of your contract plus six years, to meet UK tax and legal requirements.
  • Billing and statutory records — for the period required by applicable tax and company law: six years (UK statutory limitation and tax records).
  • Marketing and enquiry data — until consent is withdrawn or the data is no longer relevant: until you unsubscribe or withdraw consent.
  • Customer content processed on your behalf — handled in accordance with the deletion and return terms in our DPA. Your proposal and CRM records reside in your own Salesforce org and are subject to your retention settings.

When data is no longer needed, we delete it or irreversibly anonymise it.

8. Security

We apply technical and organisational measures appropriate to the risk, in line with Article 32 of the GDPR. A summary of our controls is available on our Security overview, and detailed measures are described in our DPA. SalesSign is currently undergoing Salesforce’s AppExchange Security Review.

9. Data Protection Officer and representatives

You can reach our data protection contact and exercise your rights using the details below.

| Role | Details |
| --- | --- |
| Data protection contact / Data Protection Officer (if appointed) | Our Data Protection Officer is Alex Burrell (alexburrell@salessign.io) |
| UK GDPR representative (if required under Art. 27) | As a UK-established company, SalesSign Limited acts directly and a UK representative is not required |
| EU GDPR representative (if required under Art. 27) | An EU representative has not been appointed at this time; we will appoint one if and when Article 27 requires it |
| Privacy enquiries | admin@salessign.io |

If you are not satisfied with how we have handled your personal data, you have the right to complain to a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). In the EU, you may contact the supervisory authority in your country of residence, place of work, or where the alleged infringement took place.

10. Changes to this statement

We may update this statement to reflect changes in law or our practices. When we do, we will revise the “Last updated” date above and, where appropriate, notify customers in accordance with our agreements.

Related documents

For the full picture, please also read our Privacy Policy, our Data Processing Addendum and our Sub-processors list. You can find everything in our Legal Centre.

At a glance

How we support compliant data handling.

Your data stays in your org

Proposal content and CRM records live in your own Salesforce org, under your control and your retention settings.

Transfers done properly

SCCs for EU transfers and the IDTA or UK Addendum for UK transfers, backed by transfer risk assessments where required.

Rights handled clearly

A single privacy contact, a one-month response window, and a clear route for processor-held data via the relevant customer.

Questions about this policy? If you are a procurement, security or legal reviewer and need clarification, want our DPA executed, or have a data-subject request, contact admin@salessign.io or get in touch with our team.