§ 1 Definitions
"Customer" means the entity that has entered into the Master Services Agreement ("MSA") with ZiaSign. "Customer Data" means any data uploaded, generated, or processed by Customer or its Authorized Users through the Service. "Personal Data," "Processing," "Data Controller," "Data Processor," and "Data Subject" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by ZiaSign to Process Personal Data on Customer's behalf.
§ 2 Roles of the parties
Customer is the Data Controller (or, where applicable, an independent Processor acting on behalf of its own end-customer). ZiaSign acts as Data Processor when Processing Customer Personal Data in the course of providing the Service. Each party shall comply with its obligations under Applicable Data Protection Laws.
§ 3 Scope and instructions
ZiaSign shall Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by law. The MSA, this DPA, and Customer's authenticated use of the Service together constitute Customer's complete and final instructions to ZiaSign.
§ 4 Confidentiality
ZiaSign shall ensure that personnel authorized to Process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
§ 5 Security measures
ZiaSign implements and maintains the technical and organizational measures described in Annex II ("Security Measures") to ensure a level of security appropriate to the risk, including the measures referred to in Article 32 GDPR. Security measures include encryption at rest (AES-256), encryption in transit (TLS 1.3), tenant isolation, access logging, regular vulnerability scanning, annual penetration testing, and incident response procedures.
§ 6 Sub-processors
Customer provides general authorization to ZiaSign to engage Sub-processors. The current list is published at /legal/sub-processors. ZiaSign shall notify Customer of any intended changes (addition or replacement) at least thirty (30) days in advance via the Sub-processor Notification Mailing List. Customer may object on reasonable grounds within that thirty-day window; if the parties cannot agree, Customer may terminate the affected portion of the Service. ZiaSign shall impose data-protection terms on each Sub-processor that are no less protective than those of this DPA.
§ 7 Data subject rights
Taking into account the nature of the Processing, ZiaSign shall assist Customer through appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for the exercise of Data Subject rights (access, rectification, erasure, restriction, portability, objection). Self-service tools are available in the Service.
§ 8 Personal data breach notification
ZiaSign shall notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall, to the extent possible, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
§ 9 International transfers
Where ZiaSign Processes Personal Data originating from the European Economic Area, United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable, are incorporated by reference. The UK International Data Transfer Addendum and the Swiss FDPIC addendum are incorporated where relevant.
§ 10 DPDP Act (India)
Where ZiaSign Processes Personal Data subject to the Digital Personal Data Protection Act 2023 (India), ZiaSign acts as a Data Processor for the Customer (Data Fiduciary). ZiaSign shall comply with applicable obligations including security safeguards, breach notification to Customer, and Sub-processor flow-down. Indian-region data residency is available for tenants requiring it.
§ 11 CCPA / CPRA (California)
For Personal Information subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act, ZiaSign acts as a "Service Provider" and shall not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information outside of the direct business relationship with Customer; or (c) combine Personal Information with information received from another source, except as permitted by the CCPA.
§ 12 Audits
ZiaSign shall make available to Customer all information necessary to demonstrate compliance with this DPA. ZiaSign shall provide, on request and subject to NDA, its most recent third-party audit reports (e.g. SOC 2). On reasonable prior written notice and no more than once per twelve-month period (unless required by a Supervisory Authority or following a breach), Customer may conduct an audit at its own expense, during business hours and in a manner that does not unreasonably interfere with the Service.
§ 13 Return and deletion
On termination or expiration of the MSA, ZiaSign shall, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless retention is required by Union or Member State law. The standard deletion window is thirty (30) days from termination, after which all Customer Personal Data is irreversibly deleted from active systems within ten (10) days and from backups in accordance with the backup-rotation schedule (maximum sixty days).
§ 14 Liability and term
The liability of each party under this DPA shall be subject to the limitations and exclusions set out in the MSA. This DPA shall remain in effect for the duration of the MSA and for so long thereafter as ZiaSign Processes Customer Personal Data.
§ 15 Order of precedence
In the event of conflict between the MSA, this DPA, and the SCCs, the SCCs shall prevail in respect of Personal Data subject to the GDPR; otherwise, this DPA shall prevail over the MSA on data-protection matters; otherwise, the MSA shall prevail.
Annex I — Description of Processing
- Categories of Data Subjects: Customer's employees, contractors, customers, prospects, partners, and signatories of documents uploaded to the Service.
- Categories of Personal Data: Identification (name, email, phone), authentication (passwords hashed, MFA factors), professional (title, organization), document content as uploaded by Customer, signature artifacts, IP addresses, device metadata, audit-log timestamps.
- Special categories: None Processed by ZiaSign by design. If Customer uploads documents containing special-category data, Customer is responsible for the legal basis.
- Frequency of transfer: Continuous, for the duration of the MSA.
- Nature & purpose: Provision of the Service: contract authoring, signing workflows, signature capture, audit trail generation, AI-assisted clause review (where enabled).
- Retention period: For the term of the MSA, plus 30 days post-termination, plus backup-rotation period (max 60 days).