Data Processing Agreement

Last updated: 2026-04-16

This Data Processing Agreement (DPA) supplements our Terms of Service and applies when we process personal data on your behalf.

Roles

You are the Data Controller. Scriflow acts as the Data Processor. We process personal data only on your documented instructions.

Scope of Processing

We process personal data contained in documents you upload, signer information (name, email, IP address), and account data necessary to provide the service.

Security Measures

We implement appropriate technical and organizational measures including encryption at rest and in transit, access controls, regular security assessments, and incident response procedures.

Sub-processors

We use third-party sub-processors for infrastructure (hosting), email delivery, and payment processing. A current list is available upon request. We will notify you of any changes to sub-processors.

International Transfers

Data may be transferred outside the EEA. We rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework for lawful transfers.

Data Breach Notification

We will notify you of any personal data breach without undue delay, and no later than 72 hours after becoming aware of it.

Data Subject Rights

We will assist you in fulfilling data subject requests (access, rectification, erasure, portability) within the required timeframes.