This privacy policy defines the information collection and use practices which SigningHub (as data controller) implements to ensure security of its client’s data. This policy applies to all SigningHub websites and apps including desktop site, mobile site, Android/iOS mobile apps and connectors for third party business apps. Consent against this privacy policy is taken at your account creation time in SigningHub and also when website forms are completed on www.signinghub.com. It is important that you read this privacy policy. In case of any confusion you may also contact us. If you do not agree with this privacy policy then you should either not register with SigningHub, not complete any website forms on www.signinghub.com OR if you are already using SigningHub then remove your account as mentioned in this privacy policy - see section Account Deletion below.

This privacy policy explains:

User Rights
Information we collect, how it is collected and purpose
Information storage and security
Information sharing
Cookies and Analytics
Accessing your information
Email and Direct Marketing Choices
Data Retention
Account Deletion, Restrict Processing
Data Portability
Protection Guarantees
Children’s Privacy
Changes to this Privacy Policy
Contact us, need more info or complaints

User Rights

Right to be informed - This Privacy Policy details how SigningHub processes, stores and shares your personal information. You will be informed of any changes to this privacy policy. If we change any information related to your service plan or configurations we will notify you of those changes accordingly
Right of access - You can access all of the information of your account from the SigningHub portal. Any information shared with service providers (processors) will be held securely and not used other than what is explained in this privacy policy. In case you want more information you can contact us – see contact us section at the end
Right to rectification - You can edit any information from the SigningHub portal. Certain information can't be rectified as mentioned in this privacy policy
Right to erasure - You can request us to remove your account. Details are mentioned in 'Account Deletion'
Right to restrict processing - You can request us to restrict processing for your account. See 'Account Deletion, Restrict Processing'
Right to data portability - You can request your data in portable form. See section 'Data Portability'
Right to object - See section 'Need more info or complaints'
Rights related to automated decision making including profiling - We don't do automated decision making or profiling

Information we collect, how it is collected and purpose

To provide you the document approval and sign-off services, SigningHub requires you to provide personal identifiable information. Some of the information is provided at registration time and some later. At all times the information mentioned below can be viewed and updated from your SigningHub account. Some of this information is mandatory for the basic processing of your account while some is optional. If you are not a registered SigningHub user but have submitted a website form, your information can be removed by opting out of emails which will result in your contact record being deleted.

Name (mandatory)

Used in notification emails to identify you to the document recipient(s). This information is also used within our marketing and email sending platform. This allows us to inform you about updates to our SigningHub cloud services and informational blogs and newsletters. Your name is also registered as the “Common Name” within your digital certificate (x.509) issued and managed server-side. You can opt out of our marketing emails by using the unsubscribe link.

Email (mandatory)

This acts as your unique account ID and is required for login to your SigningHub account. This information can’t be changed later other than by deleting your account and creating a new account with a different email address. Your email is used when sending email notifications to your document workflow recipients. Your email address information is also shared with our marketing and email sending platform. You can opt out of our marketing emails by using the unsubscribe link.

Phone (optional) Your phone number is required if your SigningHub service plan requires One Time Password (OTP) based authentication at time of login or at time of signing. The OTP is sent to your registered phone via. We may use your phone number to contact you if you have requested a quotation or demo of SigningHub by submitting a website form on www.signinghub.com. If entered, you Phone information is also shared with our marketing platform. You can opt out of our marketing emails by using the unsubscribe link.

Job Title (optional)

This helps us know more about you which in returns allows us to provide better service e.g. if you are a business user then we will provide you with higher level business/industry level information related to our service on the other hand if your job role is more technical we may provide you more detailed technical descriptions of our service. If entered, your Job Title information is also shared with our marketing platform. You can opt out of our marketing emails by using the unsubscribe link.

Company Name (optional)

This information is used in the context of Enterprise based plans on SigningHub to identify your organisation. It also helps us understand and support you better if we can associate you with a particular organisation. If entered, your Company Name information is also shared with our marketing platform. You can opt out of our marketing emails by using the unsubscribe link.

Security Question / Answer - (mandatory)

In case you forget your login password the security question and answer can help you reset your password.

Password/Confirm Password (mandatory)

This allows you to be authenticated before allowing access to your SigningHub account. We never store your password in its original clear text form, instead it is held in a one-way encrypted form which is only useful for comparison purposes later.

Profile Picture

You can set this as your digital avatar. This picture is sent in the notifications emails to recipients hence helps recipients relate to the person in a more user-friendly way. You can set any picture, i.e. not necessarily your own photo. Also it’s not mandatory to set this and is only aimed at improving the user experience.

Delegate Signing

This setting allows you to configure a contact to whom you are delegating all your signing actions for a specified period of time.

Documents

You can upload/manage your documents for signing, approving, or editing (i.e. form-filling). Depending on your use case requirements these documents may contain your personal data. All of the documents are stored encrypted using powerful AES-256 encryption algorithms.

The processed documents can also be optionally uploaded to your configured cloud storage drives e.g. OneDrive, Google Drive, Dropbox, etc. It is your duty to ensure that you have configured your cloud drives correctly.

Documents that are unused for 90 days will be automatically deleted from SigningHub. A notification email will be sent before the document is deleted so that you can take any necessary action. If enabled in your plan, the document will be sent via email to the document owner immediately before deletion.

Billing Info

When purchasing a paid service plan, your billing address is provided to our payment gateway which is eventually provided to us and hence shown in the invoices we create for you. The SigningHub billing module provides your complete details of the process i.e. the buyer’s name, email, mobile number, service plan purchased, date, price, billing address, VAT information, transaction ID and payment schedule. Our payment gateway service providers are PCI/DSS compliant.

https://stripe.com/docs/security http://www.worldpay.com/us/products/security-compliance/pci-compliance

For calculation of VAT we use services from Taxamo. Note that SigningHub doesn't store your payment card data instead this is only held by our payment gateway service providers (Stripe and Worldpay). Payment card data includes your card numbers and CVC code information.

Miscellaneous Data

As a part of the SigningHub service, you may configure different sets of data based on your business needs. This may include:

Contacts with whom documents are shared (Name, Email)
Your hand signature image, company logo image, and Initials image. If selected by you then this information is embedded inside your signed document(s)
Your reason for signing a document, your location at the time of signing, and your contact information. If selected by you then this information is embedded inside your signed document(s)
Mobile Device ID – used to authenticate your mobile device when performing secure remote signing
Group Name e.g. Sales, Account, Marketing with whom you may share documents for group signatures
SigningHub Document Libraries - Centrally held documents made available to you by your enterprise administrator or you have uploaded yourself
Any legal notices configured by the enterprise administrator or directly by you, to be shown at the time of signing to your document signers
Digital certificate filters defined by your administrator to help select the correct certificate at the time of local signing (e.g. when signing using a smartcard or USB token)
Password strength policies
Document-specific access permissions and passcodes set by you to further restrict recipient access to your shared documents
Custom email content set by you (or your administrator) to notify recipients. Note that the sole purpose of email contents is to give reminders at different events. At SigningHub we don’t expect or require you to enter sensitive data inside the email contents configured in your profile and we will not be responsible for its safety hence customers must avoid providing such info in email contents.
Any comments you add for your document recipients
Any form field data you enter into a document i.e. text fields, radio buttons, checkboxes, signature fields (e-signature, digital signature, in-person signature), etc.

For certain authentication services, the user has to provide an email address to SigningHub before initiating the login process. These authentication services include:

Entrust IdentityGuard
AET Consent ID
Verisec, Freja

SigningHub can retrieve certain information like Name, Job Title, and Company if allowed by the authentication service.

Conversely, SigningHub Cloud service also allows certain authentication services including social accounts where the user initiates login directly with these authentication methods and is then redirected to our cloud service. Once authenticated, SigningHub will get the authenticated user's email address. More information like Name, Job Title, and Company may also be retrieved if allowed by the authentication service. These authentication services include:

Salesforce
UBISecure
Google
LinkedIn
MSOffice 365

Other SigningHub Apps (Apps)

SigningHub provides apps which runs inside 3^rd party applications. These 3^rd party application are: Microsoft SharePoint, Microsoft Dynamics CRM, Salesforce and Microsoft Word app. Here we define which personal information is shared from these external applications using our app and vice versa.

SharePoint / Dynamics CRM / Salesforce:

Documents can be pushed to SigningHub and updated documents can be updated back
Your contacts or users information (name, email) can be pushed to SigningHub as contacts. This is also true for SigningHub for Word app
Following personal information can be seen from inside the apps: Document owner email, next signer name

Dynamics CRM / Salesforce:

Personal data present inside the respected entities can be sent to SigningHub where these are filled inside the form fields and the updated form fields can be update back inside these external applications. For more details see:
http://manuals.ascertia.com/signinghub-salesforce

http://manuals.ascertia.com/signinghub-DynamicsCRM

Security Keys

SigningHub can use Basic Electronic Signatures, Advanced Electronic Signatures and/or Qualified Electronic Signatures – the choice will depend on your configured service plan. When using advanced and qualified signatures each user has their own digital signature key and X.509 certificate. These can be stored locally by you on a smartcard/USB token (local signing) or securely by SigningHub e.g. in a HSM. When held remotely by SigningHub your access to your signing key is controlled through a secure Signature Activation Protocol (SAP) using your registered mobile device.

Contact Us form

You can contact us for sales, support, partnership requests or general feedback. In the contact us form you need to provide basic mandatory information such as your Name, Email, Job Title, Company Name and how you came to know about the SigningHub service. Optionally you can also provide your Phone details and any specific project requirements or systems used, which will help us respond to you in the most efficient way. If submitted, this information is also shared with our marketing and CRM platforms to enable our sales team to contact you accordingly and deal with your request. You can opt out of our marketing emails by using the unsubscribe link.

Following is the list of information gathered automatically by SigningHub:

IP Address (system identified)

This is identified automatically (when your browser communicates with our cloud servers). SigningHub later processes the IP address to guide the user if their physical location has changed and hence prompts the user to automatically switch the country and time zone information. Change of time zone helps our users to view the dates shown inside the product using the user's time zone hence avoiding any confusion. This may also be used by our billing system to identify your country to let you enter your VAT information.

User Agent (system identified)

This information identifies the user's browser details i.e. browser vendor, version, and layout engine used. This also guide us whether the user is using a desktop PC or a mobile. This is useful meta-information about the signing process for audit purposes.

Usage Data

Information related to the ways in which you interacted with our services, such as: referring and exit pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed, the amount of time spent on particular pages, the date and time you used the services, the frequency of your use of the services, and other similar information. See Information Sharing for more details

Transactional Data

This includes Activity logs, Workflow history and Workflow evidence report. Activity log contains user initiated activities like login/logout, update to profiles, settings etc. Workflow history contains activities performed on a document. Workflow evidence report provides a detailed auditable report in PDF (digitally signed) on the activities performed on a document.

Country / Location

This is used at the time of signing and set inside the signature if a specific signature appearance was selected which shows country information. This helps the recipients to know from which location the user has signed the document.

Logs

SigningHub generates server-side logs which helps administrators to review any usage issues. Logs are kept for 30 days. Mobile app logs are also kept for 30 days.

Note: Workflow users' Name, Email, Mobile Phone Number, User Agent, IP Address are also retained in the workflow evidence PDF report information which is then visible to the document owner. If the OTP option is not used then the signer’s Mobile Phone Number is not recorded in the audit logs. The same information is also recorded in the workflow history XML data.

Information storage and security

All of your personal data is stored in our database and system logs in secure manner within the Microsoft Azure data centers running in the EU region. Back up of your data is also done within the EU region. All of your information is transferred from your machine to our servers over TLS hence providing end-to-end confidentiality and data integrity protection ensuring the information you sent to us is not intercepted by anyone in transit and it arrives at the server accurately. This is true also for any personal data moving from our servers to any 3^rd party service providers. We use modern and secure versions of the TLS and hence SSL v2 and 3 are blocked. All user documents are encrypted with AES 256 bit encryption before being stored in the SigningHub database. There is still some set of personal data which our service provides (processors) keep outside of EU region. See section Information Sharing below for more details.

Information Sharing

We do not sell your information to anyone. We do not share your information within anyone other than the third parties as described in this section of the Privacy Policy. Sharing can be a different nature; you can share your information yourself, information can be shared with your enterprise administrator or we share your information with service providers as part of providing you a complete service. To be clear, when we share, the only purpose of sharing information is to assist you to perform the activities, giving you the best user experience and to fulfill your document signing needs.

We ensure that we only engage with reputable organisations offering suitable guarantees to ensure the security of your personal data. We ensure that all of service providers mentioned in this privacy policy have signed proper contracts with us to ensure they have proper privacy policies and abide by GDPR.

You Sharing with Other Users

As part of your business requirements to have documents signed, you can share documents with other users as you desire.

In addition, you can also invite users to join your SigningHub enterprise account as your enterprise users. Such users will then be able to view any shared templates, documents held in the enterprise library, enterprise contacts etc. as per the role you configure for them.

If you are using an enterprise account as a user then only the following information can be viewed by your enterprise administrator(s) provided that they hold sufficient system rights: Name, Email, Role, Phone, Job Title, and Company Name. Enterprise admins can only change your Role. Also enterprise users can also see the enterprise owner's email address and mobile number to help in cases where they need to communicate on any rights/roles related concerns.

Similarly, an enterprise administrator can also look at your action history which contains details about your login/logout and settings which were updated i.e. delegate settings, contact, signature method, templates and legal notice. Note that Enterprise admin will not be able to see the actual values changed rather only information that certain setting were updated. Also note that your password, security question/answer is never shown to administrators. Similarly, if your document is signed then action history will also record information like: User Agent, IP of the machine from where the signing action was initiated, the actual legal notice shown, mobile number used for sending OTP for login or document viewing, document access permissions set on the document, document name, signing reason, signing location, signing contact information, signature authorisation type/Device ID and hand signature image used.

Sharing with Service Providers

We work with various service provider companies that help us run SigningHub as an effective business service. These companies provide services such as processing card payments, sending marketing emails on our behalf relating to our products/services only and sending SMS with OTP codes. In some cases, these companies have access to some of your personal information in order to provide services to you on our behalf. It is important to note that they are not permitted to use your information for their own purposes that is they only act as data processors.

The following set of information is shared with different 3^rd parties to ensure you get the best possible service:

HubSpot and Salesforce - Information is sent to our marketing platform (HubSpot) and CRM platform (Salesforce) to allow us to communicate with you more effectively regarding our products and services updates and to provide you informative blogs, newsletters and information relating to the e-signature industry. This help you improve your understanding of SigningHub and our solutions generally. Our marketing platform (HubSpot) is accessible to our authorised partner BambooPR, who are responsible for creating and reviewing content pieces including blog posts and newsletters. Information which HubSpot and Salesforce manages on our behalf includes:
- Your Name, Email, Company, Phone, and Job Title.
- The information you provide us in any website form including “contact us”

Both of these organisations are ISO 27001 certified service providers. The information is stored inside their USA/EU held datacentres and is not shared with other clients. HubSpot and Salesforce both have the EU-US privacy shield certificates.

Maxmind - IP addresses are sent to Maxmind for IP to country conversion. We ensure that Maxmind don't share this information with anyone else. The information is stored inside their USA held servers and has the EU-US privacy shield certificate.
Microsoft OneDrive, Google Drive, Dropbox – User held documents can be pulled and pushed back to the respective cloud drives. All of these service providers have ISO 27001 certification. It is your choice on whether to use these cloud providers as part of the SigningHub service.
Microsoft Azure – User data and documents are stored using Azure data centres inside the EU region. All backups are also done in the same EU region using Azure.
Google Crashlytics – Provides debugging of mobile app issues for both Android and iOS. This help us know how the application was used and hence fix any application bugs proactively. Contains only SigningHub application related information with no device related information but can contain personal information such as your name and email. The information is only kept for 90 days and cleared. The information is stored inside their USA held servers but is not shared with other clients. Google also has the EU-US privacy shield certificate.
Worldpay, Stripe – Some of the user information is sent to our trusted e-commerce gateways which help you pay the SigningHub subscription charges. Information sent to these service providers include name, email, plan information, Job Title, company name, mobile number, plan pricing information.
- Stripe is a PCI-DSS compliant company and have EU-US privacy shield certificate
- Worldpay is a PCI-DSS compliant company and also certified as ISO 27001. Your personal information is only kept in the European region.
Taxamo – Provides reliable VAT calculation based on the source of the user. Note that Taxamo does not store any card related information rather other non-sensitive personal information e.g. name, email, mobile, company name etc. This information may be transfer outside of the EEA region but will comply with the GDPR.
SendGrid – This provides reliable email routing functionality. We provide your name, email address and the email content and SendGrid sends the email to you. The information is stored inside their USA held servers but is not shared with other clients. SendGrid also has the EU-US privacy shield certificate.

Depending upon your service plan, following vendors are also sent the following information:

Twilio, Clickatell - For user authentication at login or mobile device registration time. Both providers store mobile number information inside USA held servers but may share it with other countries as per the respected telephony provider. Twilio is an ISO 27001 certified service provider and has the EU-US privacy shield certificate.
GlobalSign - In case customer's account is configured with GlobalSign EPKI services, user’s name and email is also sent to GlobalSign for AATL based certificate generation. The information is stored inside USA held servers.
Google Push Notification Service (Firebase) – Using this users can get push notifications on their android and iOS devices. This include the message text and a unique mobile ID assigned to the user’s mobile to whom the push notification is to be generated. Push notification is only sent if the user has agreed to receive such push notification. Once sent the message is cleared from the service provider servers. Firebase is ISO 27001 certified service provider.
Microsoft Azure Key Vault – User keys which are used to create digital signatures are created in Azure Key Vault. User keys are stored in the EU region. Microsoft Azure is ISO 27001 certified.

For more details about privacy capability of these services and in particular GDPR see the following links:

Sharing with law enforcement agencies

We may share your information when we have to comply with legal process (e.g. a subpoena). All of this will be done in good faith and done to investigate possible illegal activities. We may also share your information in circumstances involving potential threats to the safety of Ascertia, our employees, users, or the public. We may share if we find violations of this privacy policy or our terms of agreements. This may involve the sharing of your information with law enforcement, government agencies, courts, and/or other organisations.

Consent

We may share your information in other ways if you have consented to such sharing. For example, we publish customer testimonials on our website.

By using the services, you acknowledge that some of your information may be transferred outside of EU if you are sharing your data yourself to non-EU users or to different service providers as described in this privacy policy.

Merger or Acquisition

If we merge with or are acquired by another company or if all or a substantial portion of our assets are acquired by another company, in those cases your information will likely be one of those assets that is transferred.

Cookies and Analytics

Cookies are small text files that are placed by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. As a responsible Service Provider, SigningHub informs visitors that our website places cookies in your computer web browser. SigningHub uses cookies in following scenarios:

Certificate Identifier Cookie - This cookie is only used if digitally signing using locally held certificates. In this case the cookie stores your selected certificate identifier so that you don’t need to select this manually each time
Session Cookie - This cookie is used to maintain your session on SigningHub, allowing you to access different pages without logging in each time

The above cookies are required for SigningHub to operate and you will not be able to use the site if you refuse to accept these cookies. To help us understand how users use our SigningHub website we engage different service providers to track the user activity whilst on our website, thereby helping us to provide the best user experience and content. This tracking is done via cookies and are provided by Google, Bing and HubSpot. Note that all tracking is done anonymously other than the tracking done by HubSpot which is securely held in HubSpot.

To prevent service providers using your information for analytics purposes, you may:

Opt out from Google Analytics – click here
Opt out from Google Adwords – click here
Opt out from Bing by clicking - click here
Opt out from HubSpot tracking - click here

Note SigningHub does not store advertising cookies of any type.

Accessing Your Information

We provide users to access and change all of your account information which includes your profile information, documents, activity logs, workflow history, evidence reports, notifications, billing information and settings. You cannot change information which is automatically system-created like your notifications, activity logs, workflow history, evidence reports or actions on documents performed by user to whom the document is shared or similarly settings which your Enterprise admin has set for you, as these are governed centrally. Contact your Enterprise admin in case you want changes in the information controlled by the Enterprise which includes Enterprise Templates, Enterprise Library, Enterprise Contacts, and Roles etc.

In case you are failing to modify any information, contact us using the contact information below. We will review and respond within 3 working days on how to modify any inaccurate or incomplete information as per the laws. Note that your user ID (email) cannot be changed once an account is created as this is your unique link to your account. In case you want to change this, you will need to create a new account with a different email address. You can then move your documents and configure the settings accordingly. Once done you can contact us to delete the previous account.

Email and Direct Marketing Choices.

We provide opt-out information in all marketing email messages we send via an “unsubscribe” link which is set in the bottom of the emails. If initiated, it may take a day to opt out. You do not have the ability to opt-out of certain transactional messages related to the document signing service (e.g. signing notifications or account notifications) that the SigningHub system will send if you are a registered user of our services or if you have engaged in transactions with us. If you also want to opt out from these transaction messages, then the only way is to stop using the SigningHub system.

Data Retention

SigningHub will retain system transaction logs for 90 days to enable reporting on Enterprise, Operator, User, and Document related activities. All log records older than 90 days will be moved out of the SigningHub system to archive storage. Information in archive storage older than 12 months will be permanently deleted. Users have the right at any time to request that their account and associated data is deleted. Even after account deletion, we may keep certain information including name and email which is required by other users of the system while viewing documents that you may have shared with them in the past or that others have shared with you. We may keep some information in the system logs which is automatically cleared in 30 days. If you were a paid customer, then relevant information will be kept for accounting purposes. Document deletion only occurs within the SigningHub system and does not affect any information stored in your own cloud drive(s). Documents that you have shared with other SigningHub users or business applications via APIs or connectors such as SigningHub for SharePoint/ Salesforce/ Dynamics CRM etc. will not be deleted automatically. Any SigningHub apps you have installed on your mobile device or within business applications must be deleted manually when no longer required.

Account Deletion, Restrict Processing

Any account deletion requests will be processed within 7 days. As per your request, we will delete all of your account information including your billing, documents, and activity logs. You will no longer receive any marketing or commercial emails. Any requests to restrict-processing will be processed within 3 days.

For account deletion or restricting processing of your information, a formal request is required from you. You must send an email using the same email account which is configured in SigningHub or in future (when supported) could perform this task from SigningHub portal as well. You will be informed once your data is deleted.

Data Portability

If you need a copy of your personal information in machine ready format then you must send an email using the email account which is configured in SigningHub. We will process your request in 14 days and return the information in CSV format where possible. Certain data may still be in other formats e.g. XML.

Protection Guarantees

We employ physical, logical, and administrative measures to help prevent unauthorised access to your information. Each measure is applied based on the nature and sensitivity of the information. As a responsible entity we work on all the possible areas which could impact user’s privacy. We closely monitor the GDPR standard and ensure our product and services abide by all the rules set forward. Having said that, we cannot 100% guarantee you that information we collect or store will be protected from all unauthorised access and thereby used in a manner that is inconsistent with this privacy policy.

In case we find a breach which impacts your personal data then we will investigate and inform you within 72 hours of us becoming aware of it. We will inform you about the issue and the details via your email.

Children Privacy

We only provide service to you if at least 18 years of age (or, as applicable, the age of majority in the state or province in which you reside), and that you possess the legal right and ability to enter into this Agreement.

Changes to this Privacy Policy

We reserve the right to amend this privacy policy as we add more features and to comply with laws or to give better user protection. Kindly regularly check this page for any new changes. If we make any changes to this policy, we will post the changes here and will notify you by email once the changes take effect. Please review changes carefully. If you are continually using our service post the email sent regarding the changes to this privacy policy, this will mean you consent to those changes.

Contact us, need more info or complaints

If you have any queries, suggestions regarding our privacy policy or complaints, you may contact us at privacy@ascertia.com. We aim to respond to your complaints within 7 working days. You also have the right to lodge a complaint with a supervisory authority. You can also contact us by writing us at: Surrey Research Park, 40 Occam Road, Guildford, GU2 7YG, United Kingdom. In case you want to be in touch with our Data Protection Officer then you can write to privacy@ascertia.com.