Signicat Electronic Signing Privacy Statement

At Signicat, we value your privacy. The main section of this privacy statement describes which personal data Signicat collects from you, how Signicat processes such personal data, and why Signicat collects the personal data in connection with Signicat's provision of products.

Signicat is an electronic identity services provider that enables connection and interaction between organizations and their customers through verified digital identities. Signicat is a private company registered in Norway with organization number 989 584 022 and its registered main office located at Beddingen 16, 7042 Trondheim, Norway. Please direct any questions or requests to privacy@signicat.com or the channels provided at www.signicat.com.

Please refer to the product-specific descriptions below that set out any deviations from these main principles or for further details on our processing or collection of personal data for each product.

Please note that Signicat acts as a processor for most of the personal data we process, whereas Signicat's customer is the controller. Signicat has signed data processing agreements with customers acting as controllers to secure your privacy. In cases where you, as an end user, have questions about how personal data is processed, the controller must be contacted.

Signicat Electronic Signing

The Signicat Electronic Signing product family consists of the following products: Signicat Signature (B2C), Signicat Business Signature (B2B), Signicat Consent Signature, Signicat Seal, Signicat Sign for Salesforce, Signicat Sign for Microsoft and Signicat Preserve.

In all Electronic Signing-related products, Signicat acts as a data processor on behalf of our customer (company). End users are managed by the merchant company that acts as a data controller. Signicat does not permanently store any user data, including the documents to be signed. GDPR-related information is kept during the signature session and then deleted. One exception to this is if the customer optionally wants to store the signed document in Signicat Archive. Signicat Archive provides encrypted storage of documents with a key per customer and is controlled completely by the data controller through an API.

Necessary logs/audit information for a signature session will be kept according to retention policies, in order to be able to show evidence for a signing order and also to resolve issues that can arise after the signing order is completed.

Purpose and processing

The controllers and responsible entities for such content are Signicat's respective customers. As the data processor, Signicat signs a data processor agreement with the client as data controller. The data processor agreement establishes the framework for Signicat’s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.

The purpose of a signing request in the context of Signicat Electronic Signing is to generate a secured document (*aDES) that binds the document content to the signer’s ID, and to include necessary evidence in the sealed document. The final result will be downloaded by the customer. The document and associated processing data will be deleted. The exception is if the customer wants to use Signicat Archive for storage. A signing order will by default be kept for up to 37 days (30+7), but this can be set to a shorter time by the data controller. If a signature request is finalised before this timeout limit, the data controller will have 7 days to download the document before deletion.

During the signature process, some personal data related to the signer’s ID will be processed in order to bind the user’s ID to the document(s).

The following personal data will be processed for end users of the controller:

  • Person name
  • National ID
  • Email address
  • Mobile phone number
  • Date of birth
  • Physical address
  • IP address
  • Client meta information
  • Digital certificate number
  • Nationality

Third-party eID providers offer different sets of end user data, so the list above will differ somewhat between eID vendors. Of the data listed, email address and phone number are the main items used to send notifications to the signer related to a signing order.

The document(s) to be signed are needed by Signicat as a processor to be able to show the documents to the signers (read consent) and to be able to package the documents, along with signer ID verification elements, into a final signed document. Signicat will not do any processing or extraction of document content during the signature processing.

The documents sent to Signicat from the data controller may contain personal data; insurance documents, for example, may contain health data, photos, etc. Some examples of personal data in documents for signing are:

  • Person name
  • National ID
  • Email address
  • Mobile phone number
  • Date of birth
  • Physical address
  • Insurance number
  • Registration number
  • Handwritten signature
  • Mortgage on housing
  • Account number
  • Place of birth
  • Tax ID
  • Sex
  • Role
  • Employer
  • Phone number
  • Position
  • User pattern
  • User agent
  • User ID
  • Nationality
  • User meta information
  • Client meta information
  • Health information
  • Photo