Data Processing Agreement

This Data Processing Agreement (DPA) sets out the contractual data-protection terms that apply when SalesSign processes personal data on your behalf and on your instructions. It is drafted to satisfy Article 28 of the UK GDPR and the EU GDPR, so your procurement, security and legal teams can sign with confidence.

Last updated: 3 June 2026 · Version: 1.0

This Data Processing Agreement (the “DPA”) forms part of, and is incorporated into, the agreement between you (the “Customer”) and SalesSign Limited (company number 16612732), registered office 4a Fairway, Petts Wood, Orpington, England, BR5 1EG (“SalesSign”, “we”, “us”) under which we provide the SalesSign proposal and electronic-signature platform (the “Service”) — the “Principal Agreement”. It governs the processing of personal data carried out by SalesSign on the Customer’s behalf in connection with the Service.

Where there is any conflict between this DPA and the Principal Agreement on the subject of data protection, this DPA prevails. Capitalised terms not defined here have the meaning given in the Principal Agreement. “Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation (EU) 2016/679) and any other applicable law relating to the protection of personal data, in each case as amended or replaced.

1. Roles of the parties

SalesSign is a Salesforce-native application. The Customer’s documents, proposals, signature records and CRM-synced records are created and stored within the Customer’s own Salesforce org, which the Customer controls and against which the Service operates. As a result, the parties’ roles differ depending on the data in question:

  • Customer as controller, SalesSign as processor. For personal data contained in the documents, proposals, recipient details and signature data that the Customer uploads, generates or routes through the Service (“Customer Personal Data”), the Customer is the controller and SalesSign is the processor. SalesSign processes that data only on the documented instructions of the Customer, as set out in this DPA and the Principal Agreement.
  • SalesSign as controller. For limited data for which SalesSign determines the purposes and means of processing — for example account-administration data, billing data, security and audit logs, and product-usage analytics used to operate and improve the Service — SalesSign acts as a controller. That processing is described in our Privacy Policy and is outside the scope of this DPA.
Note — the Customer is responsible for ensuring it has a lawful basis to provide Customer Personal Data to SalesSign and to instruct the processing described here, including providing any notices and obtaining any consents required from data subjects.

2. Subject-matter and duration of processing

Subject-matter. SalesSign’s processing of Customer Personal Data for the purpose of providing the Service: enabling the Customer to build, send, track and electronically sign proposals and related documents from within Salesforce.

Duration. Processing continues for the term of the Principal Agreement and for any additional period during which SalesSign provides the Service to the Customer, followed by the deletion or return period described in Section 9. SalesSign will not retain Customer Personal Data for longer than necessary to provide the Service or as required by applicable law.

3. Nature and purpose of processing

SalesSign processes Customer Personal Data for the following purposes:

  • Generating, assembling and formatting proposals and documents from Customer-supplied content and data;
  • Delivering documents to, and collecting electronic signatures from, recipients the Customer designates;
  • Capturing and retaining signature audit information (such as signing events, timestamps and related metadata) to evidence the integrity of signed documents;
  • Tracking document status (viewed, signed, declined) and returning that status to the Customer;
  • Storing and making available signed documents and records as configured by the Customer;
  • Providing support, maintaining the security and availability of the Service, and complying with legal obligations.

Our electronic-signature processing is designed to comply with the eIDAS Regulation in the EU, the Electronic Communications Act 2000 in the UK, and the ESIGN Act and UETA in the United States.

4. Categories of personal data and data subjects

The categories below describe the personal data SalesSign may process as a processor and the types of data subject to whom that data relates. The Customer controls the content it routes through the Service, so the precise scope is determined by the Customer’s use.

Category of data subject: Customer’s personnel and authorised users (those who build, send and manage documents)
Categories of personal data: Name, business email address, job title, Salesforce user identifiers, and activity logs relating to use of the Service.

Category of data subject: Recipients and signatories (the people the Customer sends documents to for review or signature)
Categories of personal data: Name, email address, and any identifying details the Customer includes in a document; signature data and signing metadata (timestamps, signing events, and other audit-trail information).

Category of data subject: Third parties named within Customer documents (e.g. contacts, accounts, opportunity records synced from the Customer’s CRM)
Categories of personal data: Any personal data the Customer chooses to include in proposals, contracts or related documents — typically business-contact and commercial details.
Note — the Service is not intended for the processing of special categories of personal data (Article 9 UK/EU GDPR) or criminal-offence data (Article 10). The Customer should not submit such data through the Service unless expressly agreed in writing with SalesSign and supported by appropriate safeguards.

5. Obligations of SalesSign as processor

SalesSign will:

  1. process Customer Personal Data only on the documented instructions of the Customer, including this DPA, unless required to do otherwise by applicable law (in which case SalesSign will, where legally permitted, inform the Customer of that requirement before processing);
  2. ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
  3. implement and maintain the technical and organisational measures set out in Annex 1;
  4. respect the conditions in Section 6 for engaging sub-processors;
  5. taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights under Data Protection Law;
  6. assist the Customer in ensuring compliance with its obligations relating to security, breach notification, data-protection impact assessments and prior consultation with supervisory authorities, taking into account the information available to SalesSign;
  7. make available to the Customer the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits as described in Section 7;
  8. immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Law.

If SalesSign becomes aware that it can no longer meet its obligations under Data Protection Law, it will inform the Customer without undue delay.

6. Sub-processors

The Customer provides a general authorisation for SalesSign to engage sub-processors to assist in providing the Service. SalesSign maintains a current list of sub-processors — including each sub-processor’s name, the processing activity and the location of processing — at /legal/subprocessors/.

For each sub-processor, SalesSign will:

  • impose data-protection obligations by written contract that are no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures; and
  • remain fully liable to the Customer for the performance of that sub-processor’s obligations.

Change notice. SalesSign will give the Customer at least 14 days’ prior notice of any intended addition or replacement of a sub-processor, by updating the sub-processor page and/or by email to subscribers of the change-notification list. The Customer may object on reasonable, data-protection-related grounds within 14 days of the notice. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service as set out in the Principal Agreement.

Note — customer documents and CRM data that remain within the Customer’s own Salesforce org are under the Customer’s control and are not sub-processed by SalesSign by virtue of that storage.

7. Audit and inspection rights

SalesSign will make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

To minimise disruption and protect the confidentiality and security of other customers, the parties agree that:

  • SalesSign may satisfy audit requests in the first instance by providing relevant policies, certifications and third-party assessment reports (where available — see our Trust Centre);
  • any on-site or more detailed audit will be on reasonable prior written notice, during business hours, no more than once per 12 months (save where required by a supervisory authority or following a personal-data breach), subject to confidentiality obligations, and conducted so as not to compromise the security of other customers; and
  • the Customer bears its own costs of an audit unless the audit reveals a material non-compliance by SalesSign.

8. Personal-data breach notification

SalesSign will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal-data breach affecting Customer Personal Data. The notification will, to the extent known and as it becomes available, describe:

  • the nature of the breach, including the categories and approximate number of data subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and to mitigate its possible adverse effects; and
  • a point of contact from whom further information can be obtained.

SalesSign will cooperate with the Customer and take reasonable steps as directed by the Customer to assist in the investigation, mitigation and remediation of the breach, and to enable the Customer to meet its own notification obligations to supervisory authorities and data subjects. SalesSign will not make any public statement attributing a breach to the Customer without the Customer’s prior written consent, except where required by law.

9. Return and deletion of data on termination

On termination or expiry of the Principal Agreement, and at the choice of the Customer, SalesSign will delete or return all Customer Personal Data and delete existing copies, unless applicable law requires storage of the personal data.

  • The Customer may export or retrieve its data through the Service for a period of 30 days after termination;
  • following that period, SalesSign will delete Customer Personal Data held in its systems within 30 days, with residual copies in routine backups deleted on their normal cycle (no later than 90 days);
  • where SalesSign is required by law to retain certain Customer Personal Data, it will keep that data confidential and process it only as necessary for the purpose of that legal requirement.

On request, SalesSign will certify in writing that deletion has been completed. Customer Personal Data that remains within the Customer’s own Salesforce org is not affected by this Section and remains under the Customer’s control.

10. International transfers

SalesSign will not transfer Customer Personal Data outside the UK or the European Economic Area unless an appropriate transfer mechanism under Data Protection Law is in place. Where a transfer of UK or EEA personal data to a third country occurs, the following safeguards apply:

  • EU transfers: the European Commission’s Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914), with the modules and options relevant to the parties’ roles, are incorporated into this DPA by reference and apply to the transfer;
  • UK transfers: the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs issued by the Information Commissioner, applies to the transfer of UK personal data;
  • where required, SalesSign will carry out and document a transfer-risk assessment and apply any supplementary measures necessary to ensure an essentially equivalent level of protection.

The transfer destinations relevant to the Service are:

Processing activity: Application hosting and storage
Destination country / region: the United Kingdom and European Union, with certain sub-processors in the United States
Transfer mechanism: the UK IDTA and EU Standard Contractual Clauses for any transfers outside the UK or EEA

Processing activity: the sub-processors listed at salessign.io/legal/subprocessors/
Destination country / region: the United Kingdom and European Union, with certain sub-processors in the United States
Transfer mechanism: the UK IDTA and EU Standard Contractual Clauses for any transfers outside the UK or EEA
Note — destinations and mechanisms must be confirmed against SalesSign’s actual infrastructure and sub-processor arrangements before publication. The full list of sub-processors and their locations is maintained at /legal/subprocessors/.

Annex 1 — Technical and organisational security measures

SalesSign maintains the technical and organisational measures below to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures are subject to technical progress and may be updated, provided the level of security is not materially reduced. Further detail is available in our Trust Centre.

  • Encryption. Encryption of personal data in transit using TLS, and encryption at rest for data stored within SalesSign’s systems.
  • Access control. Role-based access on a least-privilege basis, individual user accounts, and multi-factor authentication for administrative access.
  • Confidentiality & integrity. Logical separation of customer data, change-management controls, and audit logging of access to systems processing Customer Personal Data.
  • Availability & resilience. Backups, monitoring, and the ability to restore availability and access to personal data in a timely manner following an incident.
  • Secure development. A secure software-development lifecycle, dependency and vulnerability scanning, and periodic security testing.
  • Vendor management. Assessment of sub-processors before engagement and contractual data-protection obligations as described in Section 6.
  • People. Confidentiality obligations and data-protection and security awareness for personnel with access to Customer Personal Data.
  • Incident response. Documented procedures for detecting, responding to and reporting personal-data breaches, supporting the notification commitment in Section 8.

Current certification posture: SOC 2 and ISO 27001 are in progress (targeted for January 2027), and SalesSign is currently undergoing Salesforce’s AppExchange Security Review.

Execution

This DPA takes effect on the effective date of the Principal Agreement and is incorporated into it. Where the Customer requires a counter-signed copy, the parties may execute this DPA as a standalone document.

How to put this DPA in place — This DPA forms part of your subscription agreement and is accepted when you accept those terms; a counter-signed copy is available on request to admin@salessign.io.

Questions about this policy? If your procurement, security or legal team needs a copy for review, a counter-signed DPA, or clarification on any clause, please contact us or speak to us when you book a demo.