Signicat Sign Privacy Statement

At Signicat, we value your privacy. The main section of this privacy statement describes which personal data Signicat collects from you, how Signicat processes such personal data, and why Signicat collects the personal data in connection with Signicat's provision of products.

Signicat is an electronic identity services provider that enables connection and interaction between organisations and their customers through verified digital identities. Signicat is a private company registered in Norway with organisation number 989 584 022 and its registered main office at Gryta 2A, 7010 Trondheim, Norway. Please direct any questions or requests to privacy@signicat.com or the channels provided at www.signicat.com.

Please refer to the product-specific descriptions below, which set out any deviations from these main principles or further details on our processing or collection of personal data for each product.

Please note that Signicat acts as a processor for most of the personal data we process, whereas Signicat's customer is the controller. Signicat has entered into data processing agreements with all such customers that secure your privacy. In cases where you as an end user have questions about the processing of personal data, the controller must be contacted.

This privacy statement only describes the collection and processing of personal data that Signicat is the controller for, meaning the personal data for which Signicat determines why and how it is processed. The description of the processing of personal data for which Signicat's customers act as controller can be found in their respective privacy policies.

 

Signicat Sign

The Signicat Sign family consists of the following products: Signicat Signature (B2C), Signicat Business Signature (B2B), Signicat Consent Signature, Signicat Seal, Signicat Sign for Salesforce, Signicat Sign for Microsoft 365 and Signicat Preserve.

In all sign-related products, Signicat acts as a data processor on behalf of our customer (company). End users are managed by the merchant company, which acts as the data controller. Signicat does not store any user data permanently, including the documents to be signed. GDPR-related information is kept during the sign session and then deleted. One exception is if the customer opts to store the signed document in Signicat Archive. Signicat Archive is an encrypted document storage with a key per customer, controlled completely by the data controller through the API.

Necessary logs and audit records for a signing session will be kept according to the deletion policy, both to provide evidence for a signing order and to resolve issues that may come up after the sign order is completed.

Purpose and processing

The controllers and responsible entities for such content are Signicat's respective customers. As the data processor, Signicat signs a data processor agreement with the client as data controller. The data processor agreement establishes the frameworks for Signicat's personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.

The purpose of a signing request is to generate a secured document (*aDES) that binds the document content to the signer's ID and includes the necessary evidence in the sealed document. The final result will be downloaded by the customer, and the document and processing data will be deleted. The exception is if the customer wants to use Signicat Archive as storage. By default, a sign order will be kept for up to 37 days (30+7), but the data controller can set a shorter time. If a sign request is finalised before this timeout limit, the data controller will have 7 days to download the document until deletion.

During the sign process, some data subjects related to the signer's ID will be processed in order to bind the user's ID to the document(s).

The following data subjects will be processed for end users of the controller:

  • Person name
  • National ID
  • Email address
  • Mobile phone number
  • Date of birth
  • Physical address
  • IP address
  • Client meta information
  • Digital certificate number
  • Nationality

Third-party eID providers offer different sets of end-user data, so the subject list above will differ somewhat depending on the data the eID vendor provides. From the list of subjects mentioned, email address and phone number are mainly used to send signer notifications related to a signing order.

The document(s) to be signed are needed by Signicat as a processor in order to show the documents to the signers (read consent) and to package the documents together with signer ID verification elements into a final signed document. Signicat will not do any processing or extraction of document content during the sign processing.

The documents sent to Signicat by the data controller may contain privacy data, such as insurance documents that may contain health data, photos, etc. Some examples of personal data in documents for signing are:

  • Person name
  • National ID
  • Email address
  • Mobile phone number
  • Date of birth
  • Physical address
  • Insurance number
  • Registration number
  • Handwritten signature
  • Mortgage on housing
  • Account number
  • Place of birth
  • Tax ID
  • Sex
  • Role
  • Employer
  • Phone number
  • Position
  • User pattern
  • User agent
  • User ID
  • Nationality
  • User meta information
  • Client meta information
  • Health information
  • Photo
