Data Processing Agreement

1. Definitions

• "GDPR" means Regulation (EU) 2016/679, as supplemented by the Norwegian Personal Data Act.
• "Customer Personal Data" means personal data processed by Sigill on behalf of the Customer in the course of providing the Service.
• "Customer", "Sigill", "Service" have the meanings given in the Terms of Service.
• "Sub-processor" means any third party engaged by Sigill to process Customer Personal Data, as listed at /trust-center/sub-processors.
• "Controller", "Processor", "Data Subject", "Personal Data Breach", "Processing", "Special Categories" have the meanings given in Article 4 of the GDPR.

2. Roles of the parties

With respect to Customer Personal Data, the Customer is the Controller and Sigill is the Processor. The Customer is responsible for determining the purposes and means of processing, for the lawfulness of its own processing, and for ensuring it has a valid legal basis under Article 6 of the GDPR (and, where Special Categories are involved, an additional basis under Article 9) before submitting any data to the Service.

Sigill may also process some personal data as a Controller in its own right — for example, account credentials, billing information, and security logs. Those processing activities are governed by the Privacy Policy and not by this DPA.

3. Subject matter, nature, and purpose of processing

Sigill processes Customer Personal Data to deliver the Service described in section 2 of the Terms — relaying RFC 3161 timestamp requests, producing PAdES and CAdES seals, storing the resulting evidence metadata (file hashes, labels, algorithm and certificate identifiers, success or failure), optionally storing the RFC 3161 timestamp token and the CAdES detached .p7s signature where the Customer has left the corresponding per-tenant settings on, returning those records on later request, and verifying proofs on request. Sigill does not store Customer files: the unsigned input and the sealed output of every sealing request are processed in memory and streamed back in the HTTP response; the verify endpoint is fully stateless. The single narrow exception is the Model Context Protocol (MCP) integration described in section 11 and Annex II. The duration of processing is the duration of the Customer's subscription, plus any retention period required for legal obligations or expressly agreed export period after termination (see section 9).

Sigill does not seek out, mine, or commercialise the content of Customer Personal Data and does not use it for any purpose other than delivering the Service.

4. Categories of Data Subjects and Personal Data

The categories below describe the typical scope of processing. The Customer determines what content it submits and is responsible for ensuring that the scope is appropriate.

Sigill.ai is not designed for processing Special Categories of personal data (Article 9 GDPR) and the Customer must not submit such data to the Service unless its own use case warrants it and it has a valid legal basis under Article 9. Where Special Categories are nonetheless processed, the controls described in this DPA apply.

5. Sigill's obligations as Processor

Sigill shall:

• Process on documented instructions. Process Customer Personal Data only on the Customer's documented instructions, which include the Terms, this DPA, and configuration choices made by the Customer through the Service. Sigill will notify the Customer if, in its opinion, an instruction infringes the GDPR.
• Confidentiality. Ensure that personnel authorised to process Customer Personal Data are subject to confidentiality obligations.
• Security. Implement and maintain the technical and organisational measures set out in Annex II.
• Sub-processors. Engage sub-processors only as set out in section 7.
• Assist with rights requests. Provide the Customer with reasonable assistance, taking into account the nature of processing, in responding to Data Subject rights requests under Chapter III of the GDPR. Where a Data Subject contacts Sigill directly, Sigill will refer them to the Customer.
• Assist with compliance. Provide reasonable assistance to the Customer in meeting its obligations under Articles 32 to 36 of the GDPR (security, breach notification, Data Protection Impact Assessments, prior consultation), taking into account the nature of processing and the information available to Sigill.
• Return or delete. On termination, return or delete Customer Personal Data as set out in section 9.
• Audit. Make available to the Customer the information necessary to demonstrate compliance with Article 28 of the GDPR, and contribute to audits as set out in section 8.

6. Customer's obligations as Controller

The Customer shall:

• Ensure that it has a valid legal basis under Article 6 (and, where relevant, Article 9) of the GDPR for the processing it instructs Sigill to perform.
• Provide Data Subjects with all required information under Articles 13 and 14 of the GDPR, including the existence of Sigill as a Processor and the categories of recipient sub-processors.
• Be responsible for the security of credentials and API keys issued to the Customer, and for any processing carried out under those credentials.
• Configure the Service in a way that meets the Customer's own retention, access-control, and minimisation obligations.
• Respond to Data Subject rights requests within statutory deadlines, with Sigill's reasonable assistance as set out above.

7. Sub-processors

The Customer grants Sigill general written authorisation to engage Sub-processors to deliver the Service. The current list of Sub-processors, their purpose, the categories of data they receive, and their region is published at /trust-center/sub-processors and forms Annex III of this DPA. Sigill shall:

• Impose on each Sub-processor data protection obligations no less protective than those in this DPA, by written contract.
• Remain fully liable to the Customer for the performance of any Sub-processor it engages.
• Notify the Customer at least 30 days before introducing a materially new Sub-processor, by email to the billing contact for each active paid tenant.
• Give the Customer a reasonable opportunity to object to a new Sub-processor on documented and reasonable data-protection grounds. Where an objection cannot be resolved within 30 days of notice, the Customer's exclusive remedy is to terminate the affected portion of the Service without further charge for the unused remainder of the prepaid period.

Routine regional capacity changes within an existing Sub-processor — for example, AWS adding an availability zone inside eu-north-1 — do not require a fresh notice.

8. Audit rights

Sigill will, on no less than 30 days' written notice and not more often than once in any twelve-month period (and at any time after a confirmed Personal Data Breach), provide the Customer with information reasonably necessary to demonstrate compliance with this DPA. In the first instance this is satisfied by the Customer's review of the published Trust Center, the sub-processor list, the responses to a reasonable written security questionnaire, and any third-party attestation reports Sigill holds at the time of the request.

Where the foregoing does not reasonably satisfy a Customer with regulatory obligations that require on-site verification, the parties will arrange an audit at a mutually agreed time, conducted by the Customer or a qualified independent auditor bound by confidentiality. The audit must be conducted in a way that does not unreasonably disrupt Sigill's business or compromise the confidentiality of other customers' data. Each party bears its own costs unless the audit reveals a material breach of this DPA, in which case Sigill bears its own costs and reasonable costs incurred by the Customer.

9. Return and deletion of Customer Personal Data

Sigill does not store Customer files at any time, so there is no file payload to return or delete on termination. What Sigill holds on the Customer's behalf is the evidence metadata described in section 3 and (where the Customer has left the relevant per-tenant settings on) the RFC 3161 timestamp tokens and CAdES .p7s signatures.

On termination of the Service, Sigill will, at the Customer's choice expressed in writing within 30 days of termination, either (a) export that material in a machine-readable form for retrieval by the Customer, or (b) delete it. After 30 days from termination without instruction, Sigill may delete it. Temporary MCP upload and download slots (see Annex II) expire on their own one-hour schedule independent of termination.

Sigill may retain Customer Personal Data after termination only to the extent and for the period required by applicable law (for example, invoice metadata retained for ten years under Norwegian bookkeeping rules, as described in the Privacy Policy), in which case the security and confidentiality obligations of this DPA continue to apply.

10. Personal Data Breach notification

Sigill will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time and progressively updated:

• The nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records affected.
• The name and contact details of the security contact at Sigill.
• The likely consequences of the breach.
• The measures taken or proposed to address it and to mitigate its possible adverse effects.

Sigill's notification is not, by itself, an acknowledgement of fault or liability. Where Sigill confirms a breach of Article 32 attributable to it, Sigill will take appropriate remedial action at no additional cost to the Customer.

11. International transfers

Sigill's primary application data plane operates inside the EU (eu-north-1, Stockholm). Where a Sub-processor operates outside the European Economic Area or in a country not subject to an EU Commission adequacy decision, the transfer relies on the EU Commission's Standard Contractual Clauses (SCCs), Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable, and — where the counterparty is established in the United States — the EU-US Data Privacy Framework. The SCCs are incorporated by reference and prevail over any conflicting term of this DPA in the event of a transfer they govern.

Sigill conducts and documents a transfer impact assessment for each such relationship, consistent with the European Data Protection Board's Schrems II guidance, and shares a summary on request as part of section 8.

12. Liability and order of precedence

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. In the event of a conflict between the Terms and this DPA in relation to the processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses incorporated under section 11, the SCCs prevail.

13. Term and termination

This DPA takes effect on the date the Customer accepts the Terms or, if later, begins using the Service on a paid plan, and continues for as long as Sigill processes Customer Personal Data. The sections relating to security, confidentiality, return and deletion, audit, breach notification, and liability survive termination for as long as Sigill holds any Customer Personal Data.

14. Governing law

This DPA is governed by the laws of Norway, in line with the Terms of Service. Nothing in this DPA limits the supervisory authority of the Norwegian Data Protection Authority (Datatilsynet) or the rights of Data Subjects under the GDPR.

Contact

DPA queries, Data Subject access requests routed through the Controller, and breach notifications: contact@sigill.ai. Suspected security incidents: security@sigill.ai.