1. Roles
You are the data controller of the personal data contained in the documents you upload and the recipient details you enter. NibSign acts as a data processor and processes that personal data only on your documented instructions, which are reflected in this DPA, our Terms, and our Privacy Policy.
2. Categories of data and data subjects
- Account data — names, email addresses, and hashed passwords of NibSign users
- Recipient data — names and email addresses of signers and approvers you add
- Document data — the content of any document you upload for signature
- Audit data — IP addresses, user agents, timestamps, and event descriptions associated with viewing, consenting, and signing
3. Subprocessors
NibSign engages a small set of subprocessors to provide hosting, database, email delivery, and AI services. We require each subprocessor to commit to data protection obligations no less protective than this DPA. Current subprocessors include managed cloud hosting, Supabase (database and storage), transactional email infrastructure on the notify.nibsign.com domain, and the Lovable AI Gateway for opt-in AI features.
4. Security measures
- Encryption in transit (HTTPS/TLS) for all traffic to NibSign
- Encryption at rest for documents and database content via our hosting providers
- Row-level security on every multi-tenant table so accounts can only access their own data
- Unique, signer-specific signing URLs that cannot be reused across signers
- Server-side capture of IP and user agent for consent and signing events
- SHA-256 hashing of original and signed PDFs to support tamper-evidence
- Role-based access control for the internal admin area and audit logs of admin actions
5. International transfers
NibSign and its subprocessors may process data in the United States and the European Union. Where required, transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses or equivalent mechanisms offered by the subprocessor.
6. Data subject rights
NibSign will assist you in responding to requests from data subjects (e.g. access, rectification, deletion). Most actions can be performed directly from your dashboard. Where assistance is required, contact hello@nibsign.com.
7. Retention and deletion
Documents and audit data are retained for as long as the originating account is active. You can delete documents at any time from your dashboard. On account closure, content is deleted within a commercially reasonable period, subject to limited retention required to maintain the integrity of completed signing records or to comply with legal obligations.
8. Breach notification
NibSign will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide the information reasonably necessary for you to meet your own notification obligations.
9. Audits
On reasonable request, NibSign will make available the information necessary to demonstrate compliance with this DPA, including responses to written security questionnaires.
10. Important notice
NibSign is designed to support ESIGN- and UETA-compliant electronic signature workflows. Some document types may require additional formalities. Please consult a legal professional for specific legal advice.