Data Processing Agreement (DPA)
Last updated: 8 May 2026
This Data Processing Agreement ("DPA") forms part of the Signeto Terms of Service and governs the processing of personal data within the Signeto service in accordance with Regulation (EU) 2016/679 (GDPR).
1. Parties
- Controller: the Signeto customer (the company or individual using the service).
- Processor: Relond Grupp OÜ, registry code 12197858, Kooli 10, Jõhvi, 41532, Estonia.
2. Subject Matter and Purpose of Processing
Relond Grupp OÜ processes personal data solely in order to provide the Signeto service in accordance with the Terms of Service. Processing encompasses the creation, signing, storage, and delivery of digital work completion acts.
3. Nature and Purpose of Processing
- Collection and storage of data within the platform.
- Document processing and PDF generation.
- Applying and validating electronic signatures.
- Transmitting data to the controller and its authorised personnel.
4. Categories of Personal Data Processed
- Contact details: name, email address, phone number, job title.
- Signature data: signatory identity data, timestamps, IP addresses.
- Document content: information entered into work acts (e.g. task descriptions, quantities, prices).
- Technical metadata: device information, login times, usage logs.
5. Categories of Data Subjects
Employees, contractors, and clients of the controller whose data is processed in Signeto work acts.
6. Duration of Processing
This DPA remains in force for as long as the controller uses the Signeto service. Upon termination of the main agreement, personal data will be handled in accordance with Section 11 of this DPA.
7. Processor Obligations (GDPR Article 28)
Relond Grupp OÜ undertakes to:
- process personal data only on documented instructions from the controller;
- ensure that persons authorised to process personal data are bound by confidentiality obligations;
- implement appropriate technical and organisational security measures pursuant to GDPR Article 32;
- not engage new sub-processors without the controller's prior written consent;
- assist the controller in fulfilling data subject rights requests;
- assist the controller in meeting obligations under GDPR Articles 32–36;
- delete or return all personal data upon termination of services;
- make available to the controller all information necessary to demonstrate compliance.
8. Sub-Processors
Current approved sub-processors:
- Hetzner GmbH (Germany, registered in Gunzenhausen) — cloud infrastructure; servers located in Helsinki, Finland (EU). Purpose: data storage and service hosting.
We will notify the controller at least 14 days before engaging any new sub-processor. The controller has the right to raise a reasoned objection within 14 days.
9. Security Measures
We implement the following measures:
- Encryption in transit: TLS 1.3 for all connections.
- Encryption at rest: AES-256 at the database and file storage level.
- Access control: role-based access, multi-factor authentication (MFA) for administrators.
- Backups: automated daily backups with a 30-day retention period.
- Security testing: regular vulnerability assessments and penetration tests.
- Access logs: all data access is logged and retained for 12 months.
10. Data Breach Notification
Upon discovering a personal data breach, we will notify the controller in writing within 72 hours (GDPR Article 33). The notification will include: a description of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
11. Return and Deletion of Data
Upon termination of the contractual relationship:
- the controller has 30 days to export data in a machine-readable format;
- after the 30-day period, all personal data will be irreversibly deleted (unless legislation requires longer retention);
- upon the controller's request, we will provide written confirmation of deletion.
12. Audit Rights
The controller has the right to conduct audits and inspections to verify compliance with this DPA. Audit requests must be submitted in writing at least 30 days in advance. Audits are conducted by mutual agreement and must not disrupt service operations or compromise the confidentiality of other customers' data. Relond Grupp OÜ may provide a certified auditor's report in lieu of a direct inspection.
13. International Data Transfers
Data is processed exclusively within the EU/EEA. Hetzner GmbH's Helsinki data centres are located in Finland (EU), so the additional safeguards required for third-country transfers do not apply.
14. Contact
For DPA-related enquiries: info@signeto.eu
Relond Grupp OÜ, Kooli 10, Jõhvi, 41532, Estonia.