Signority Privacy Overview
Ensuring customer data privacy and compliance
Overview
We understand the tremendous importance of protecting the business and personal information our customers entrust to us.
When it comes to privacy, first and foremost we ensure that Signority Inc. remains compliant with the federal Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities.
We also ensure, through appropriate people, process, and technology safeguards, that we support our customers in remaining compliant with their own federal, provincial, and state level data protection laws and health information protection laws, when using our eSignature Platform.
Our Privacy commitment
- Your data always belongs to you. You control it and we process it on your behalf for the purpose of eSignature services.
- We will use contractual methods, such as Data Processing Agreements (DPAs), with our enterprise customers, to clearly articulate the technical and organizational data protection methods that we will use in the delivery of our services.
- We will abide by our defined privacy principles.
- We will only use and share your data in ways that you have agreed to, in contract.
- We will not share your data with advertising services, nor will we data mine it for marketing research or advertising.
- We will be transparent where your data is stored.
- You can ask us questions about our privacy measures at any time.
Privacy Principles
Accountability: We will remain responsible for customer personal information entrusted to us and will designate individuals, including our Chief Privacy Officer (CPO), who are accountable for our compliance with our privacy principles and practices.
Open, Transparent and Fair: We will be open, transparent, and fair in providing information to customers and assisting them with their needs. There may be instances where we will not be able to divulge particular information, such as detailed and confidential safeguard information, in order to protect our eSignature platform.
Signority Legislative, Regulatory and Industry Standards Compliance: Signority Inc. will at all times comply with all applicable data protection laws and industry standards.
Customer Legislative, Regulatory and Industry Standards Compliance Support: We will assist and support our enterprise customers in complying with their obligations with applicable data protection legislation and industry standards, using commercially reasonable efforts, when processing personal information.
Information Lifecycle: The purposes for which Signority collects personal information will be identified at or before the time the information is collected. The collection of personal information will be limited to that which is strictly necessary for those identified purposes. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The knowledge and consent of individuals is required for the collection, use, disclosure and deletion of personal information, except when inappropriate. We will minimize the long-term collection and storage of information to that which is strictly necessary for the purpose(s) for which the information was initially collected.
Individual Access: Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Processing Specific Purpose(s): We will only process information on behalf of our customers in accordance with written agreements. This includes our Terms of Reference as well as more formal contracts and data processing agreements (DPAs) with our Enterprise customers.
Data Access, Accuracy, and Minimization: We will assist our customers in keeping their personal information accurate and up to date. We, and any participating subprocessors, will help retrieve, provide, update, correct, or delete information as requested.
Security Protection: We will protect customer sensitive business and personal data with a high standard of due care.
Use of Subprocessors: We will only share customer information with subprocessors with the customer's prior written agreement.
Security incident reporting: We will notify customers in a timely fashion if we become aware of any situation that puts customer information at risk from a security, privacy, compliance or availability perspective.
Privacy Statement: We will maintain a detailed privacy statement that details how we collect and use customer personal information. It can be found at www.signority.com/privacy/privacy-statement
We use European Union (EU) best practice and globally adopted Data Processing Agreements (DPAs) to define our data processing responsibilities within enterprise customer contracts.
Infrastructure Provider
Signority uses Amazon Web Services (AWS) data center services to host the Signority eSignature Platform. More specifically, Signority uses Amazon Canada Central Region data centers in the Montreal, Québec area. Our platform operates across a minimum of 3 distinct data centers to provide high availability and fault tolerance with an expected uptime of 99.99%.
AWS has ISO 27001, ISO 27017, ISO 27018, HIPAA, SOC 1/ISAE 3402, SOC 2, SOC 3, CSA Star Level 1, 2 and 3, FISMA, DIACAP, and FedRAMP security certifications.
Data Subprocessors
Signority uses several platform subprocessors to provide optional services to our customers.
Subprocessor | Description
---|---
SendGrid | Based in the USA, for optional email services. Only high-level customer data such as name and email address is shared. Signority recommends using the customer's own email service through Simple Mail Transfer Protocol (SMTP) integration where possible. SendGrid is SOC 2 Type 2 security certified.
Twilio | Based in the USA, for optional texting (SMS) services. Custom integration can be undertaken when API documentation from the service provider is available. Only high-level customer data such as name and mobile phone number is shared. Twilio is ISO 27001 security certified.
GlobalSign DSS | Based in Canada, for optional digital signatures. No customer data is provided. GlobalSign is ISO 27001 security certified.
Stripe | Based in the USA, for payment gateway services. No customer payment data is captured by Signority; it is instead provided securely to Stripe for payment authorization. Both Signority and Stripe are PCI DSS compliant.