Our Role Under GDPR
Under Articles 4(7) and 4(8) of the GDPR, we play two distinct roles:
- Controller (for our direct customers): we determine the purposes and means of processing your account, login, and billing data. This page, together with our Privacy Notice, is our Art. 13 transparency disclosure.
- Processor (for your firm's end-client data): when you upload documents containing third-party personal data, we process that data strictly on your documented instructions. Our obligations are set out in the DPA.
Legal Basis for Processing
| Processing activity | Legal basis | GDPR article |
|---|---|---|
| Providing the Service to your firm | Performance of a contract | 6(1)(b) |
| Verifying professional credentials | Legitimate interest · fraud prevention | 6(1)(f) |
| Identity verification for seal authority | Legal obligation & contract | 6(1)(b) & 6(1)(c) |
| Transactional email — receipts, seal confirmations | Performance of a contract | 6(1)(b) |
| Product announcement email | Opt-in consent | 6(1)(a) |
| Security logs & audit trail | Legal obligation & legitimate interest | 6(1)(c) & 6(1)(f) |
| Aggregated usage analytics | Legitimate interest | 6(1)(f) |
| Responding to regulators & legal process | Legal obligation | 6(1)(c) |
Special category data (Art. 9) is not processed by default. If your firm's workflow involves health, biometric, or other special category data, contact us before onboarding — we'll scope the basis and controls in writing.
Data Processing Agreement (Art. 28)
For Art. 28 processor obligations, contact [email protected].
Sub-processor Registry
| Sub-processor | Purpose | Location | Transfer |
|---|---|---|---|
| Fly.io | Application hosting & compute | US · EU (Frankfurt optional) | SCCs · DPF |
| PostgreSQL | Managed database | US · EU (Frankfurt) | SCCs · DPF |
| Cloudflare | CDN, DNS, DDoS, WAF | Global edge | SCCs · DPF |
| AWS KMS | Enterprise key management | Customer-chosen region | SCCs · DPF |
| Stripe | Payment processing | US · EU (Ireland) | SCCs · DPF |
| Resend | Transactional email | EU · US | SCCs · DPF |
| Sentry | Error monitoring (stack-trace PII) | US | SCCs · DPF |
| KYC vendor — disclosed at verification | Identity verification | EU-first routing where applicable | SCCs |
International Transfers
Data Residency & Regional Deployment
Today, primary processing occurs in a single US region. Enterprise customers with strict residency requirements should contact us before contracting.
Sealed records and document versions are immutable at the database layer. A BEFORE UPDATE trigger on the seals and document_versions tables rejects any modification to integrity fields (document hash, verification code, sealed timestamp, signing credential, owning user). The trigger blocks ordinary UPDATE paths: direct SQL, application code, ORM bulk updates, and the psql CLI. The trigger is part of the schema; it is installed by an Ecto migration that runs on every environment we deploy to.
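An added PostgreSQL example of a trigger of this kind, not the service's own migration: the column names, the display_label column, and the function and trigger names are assumptions, and only the seals table is shown. It also includes a catalog query for confirming the trigger is still installed and enabled.

```sql
-- Added example. Column names are assumptions based on the integrity
-- fields listed above; display_label is a hypothetical editable field.
CREATE TABLE seals (
    id                 bigserial   PRIMARY KEY,
    document_hash      bytea       NOT NULL,
    verification_code  text        NOT NULL,
    sealed_at          timestamptz NOT NULL,
    signing_credential text        NOT NULL,
    user_id            bigint      NOT NULL,
    display_label      text
);

CREATE FUNCTION reject_integrity_field_update() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    -- IS DISTINCT FROM compares NULLs as values, so a change to or
    -- from NULL counts as a modification too.
    IF (NEW.document_hash, NEW.verification_code, NEW.sealed_at,
        NEW.signing_credential, NEW.user_id)
       IS DISTINCT FROM
       (OLD.document_hash, OLD.verification_code, OLD.sealed_at,
        OLD.signing_credential, OLD.user_id)
    THEN
        RAISE EXCEPTION 'integrity fields on % are immutable (row id %)',
            TG_TABLE_NAME, OLD.id
            USING ERRCODE = 'integrity_constraint_violation';
    END IF;
    RETURN NEW;  -- non-integrity columns may still change
END;
$$;

CREATE TRIGGER seals_immutable
    BEFORE UPDATE ON seals
    FOR EACH ROW EXECUTE FUNCTION reject_integrity_field_update();

-- Constructed sample row and two updates exercising both branches.
INSERT INTO seals (document_hash, verification_code, sealed_at,
                   signing_credential, user_id, display_label)
VALUES ('\xdeadbeef', 'CONSTRUCTED-0001', now(), 'cred-constructed', 1, 'draft');

UPDATE seals SET display_label = 'final' WHERE id = 1;  -- touches no integrity field
UPDATE seals SET document_hash = '\x00'  WHERE id = 1;  -- hits the RAISE EXCEPTION branch

-- Audit check: tgenabled is 'O' when the trigger fires normally, 'D' when disabled.
SELECT tgname, tgenabled
FROM pg_trigger
WHERE tgrelid = 'seals'::regclass AND NOT tgisinternal;
```

A BEFORE UPDATE trigger does not fire on DELETE or TRUNCATE, so those statements are governed by table privileges or separate triggers.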
Data Subject Rights
Under Articles 12 through 22, every data subject has the following rights. We honor them regardless of where the data subject is located — not just in the EU.
- Art. 15 — Access: a full machine-readable copy of personal data we hold.
- Art. 16 — Rectification: update any inaccuracy yourself, or ask us to.
- Art. 17 — Erasure ("right to be forgotten"): subject to legal and audit retention.
- Art. 18 — Restriction of processing: freeze processing while a dispute is resolved.
- Art. 20 — Portability: export in JSON.
- Art. 21 — Objection: opt out of legitimate-interest processing.
- Art. 22 — No solely automated decisions: we don't make legally significant decisions about you via ML alone.
If you're a data subject whose personal data is in our platform because your engineering firm put it there: please contact that firm first (they are the controller). If they don't respond, write to [email protected] and we'll route the request.
Breach Notification
Privacy Contact
DPIA Assistance
Audit Rights
- SOC 2: SOC 2 Type 1 readiness is in progress on a self-policed basis. No external attestation report has been issued.
- Customer-initiated audit: on 30 days' notice, at your cost, no more than once per 12 months, with reasonable scope and limited to processing activities involving your data.
- Regulator inspection: on request from any competent supervisory authority, we cooperate fully and directly.
Global Coverage & Other Jurisdictions
| Jurisdiction | Framework | Our posture |
|---|---|---|
| European Economic Area | GDPR | Primary compliance baseline · DPA available on request |
| United Kingdom | UK GDPR · Data Protection Act 2018 | Subject to applicable transfer mechanisms |
| Switzerland | revFADP | Subject to applicable transfer mechanisms |
| California, USA | CCPA · CPRA | Full consumer rights · no sale of personal information |
| Other US states | CPA (CO), VCDPA (VA), CTDPA (CT), UCPA (UT), TDPSA (TX), OCPA (OR) | Unified rights portal |
| Canada | PIPEDA · Quebec Law 25 | Bilingual disclosures · Quebec-specific addendum |
| Brazil | LGPD | Portuguese-language rights portal · ANPD coordination |
| Japan | APPI | Cross-border transfer notices · PPC coordination |
| South Korea | PIPA | Korean-language rights portal · KISA coordination |
| Australia | Privacy Act 1988 · APPs | OAIC reporting & breach notification |
| Singapore | PDPA | PDPC coordination · DNC Registry integration where applicable |
| India | DPDPA 2023 | Indian resident rights portal · DPDP Board coordination |