Data Processing Agreement (DPA)
Last updated: 14 June 2026
This Data Processing Agreement applies to all BuiltSign subscriptions and forms part of the Terms of Service.
1. Parties and Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between Crul.Dev, trading as BuiltSign, registered with the Dutch Chamber of Commerce under number 97533114 ("Processor"), and the customer using the BuiltSign platform ("Controller").
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the document signing service, in accordance with Article 28 of the General Data Protection Regulation (GDPR).
2. Processing Activities
In the context of the service, the Processor processes the following categories of personal data:
- Signatory identification data: names, email addresses, and phone numbers.
- Signature data: electronic signatures, initials, and associated timestamps.
- Technical data: IP addresses, device information, and browser data of signatories.
- Document content: the content of documents uploaded by the Controller, to the extent they contain personal data.
Processing takes place exclusively for the following purposes: facilitating electronic signing, creating and maintaining audit trails, and providing verification capabilities in accordance with eIDAS.
3. Obligations of the Processor
The Processor processes personal data solely on documented instructions from the Controller, unless a legal obligation requires otherwise.
- Confidentiality: all personnel with access to personal data are bound by a duty of confidentiality.
- Purpose limitation: personal data is not processed for the Processor's own purposes or disclosed to third parties, unless expressly agreed.
- Instruction binding: the Processor follows only the written instructions of the Controller.
4. Security Measures
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
- Encryption at rest (AES-256) and in transit (TLS 1.3) for all personal data.
- Access controls based on the need-to-know principle; access to production data is restricted.
- Continuous monitoring of systems for security incidents and unauthorised access.
- Regular, encrypted backups stored within the European Economic Area.
5. Sub-processors
The Controller grants the Processor general authorisation to engage sub-processors, provided the Processor: (a) maintains and publishes an up-to-date list of sub-processors, and (b) informs the Controller at least 30 days in advance of any intended changes.
The current list of sub-processors, including their data locations, is available at builtsign.com/legal/subprocessors.
The Controller may raise a reasoned objection within 30 days of notification. If no agreement is reached, the agreement may be terminated in writing without notice.
6. Data Subject Rights
The Processor assists the Controller in fulfilling requests from data subjects to exercise their rights under the GDPR (access, rectification, erasure, restriction, portability, and objection).
Requests from data subjects received directly by the Processor will be forwarded to the Controller within 5 working days.
7. Data Breach Notification
In the event of a (suspected) personal data breach, the Processor shall notify the Controller within 48 hours of becoming aware of the breach.
The notification shall contain at minimum: a description of the nature of the breach, the categories and estimated number of personal data records and data subjects affected, the likely consequences, and the measures taken or proposed.
8. Return and Deletion
Upon termination of the agreement, the Processor shall delete all personal data or return it to the Controller, at the Controller's choice, within 30 days, unless statutory retention obligations require otherwise.
Upon request, the Processor shall provide written confirmation of deletion.
9. Oversight and Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR.
The Controller has the right to commission audits, provided they are announced in writing at least 30 days in advance, conducted no more than once per year, on business days during office hours.
10. Governing Law
This Data Processing Agreement is governed by Dutch law. Disputes shall be submitted to the competent court in Amsterdam.
In the event of conflict between this DPA and other agreements, this DPA shall prevail with respect to the processing of personal data.
11. International Data Transfers
Where processing involves a transfer of personal data to a country outside the European Economic Area (EEA), such transfer is governed by: (a) Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914; (b) an adequacy decision issued by the European Commission; or (c) another appropriate safeguard as listed in Article 46 GDPR.
An up-to-date overview of sub-processors and the applicable transfer mechanisms is published at builtsign.com/legal/subprocessors.
Annex A: Description of Processing Activities
As required by Article 28(3) GDPR
- Subject matter: Electronic document signing and audit trail services provided by BuiltSign.
- Duration: For the term of the agreement between Controller and Processor, plus any applicable statutory retention periods.
- Nature of processing: Collection, storage, display, transmission, and deletion of personal data required to facilitate the signing of electronic documents and to generate legally admissible audit trails.
- Purpose: Providing the BuiltSign document signing service, including identity verification, audit trail generation, and eIDAS-compliant evidence creation.
- Types of personal data: Names, email addresses, phone numbers (optional), IP addresses, device and browser data, electronic signature images, document content (insofar as it contains personal data), and timestamps; and, where identity verification is enabled, identity verification results including document type and verified name (biometric images are not stored by BuiltSign).
- Categories of data subjects: Employees, contractors, clients, or other natural persons designated by the Controller as signatories or recipients in a document signing workflow.
Questions about this DPA? legal@builtsign.com

