Zignature processes personal data from e-signatures in full compliance with the EU General Data Protection Regulation. Standard DPA included. eIDAS Simple and Qualified Electronic Signatures supported.
DPA available on request · eIDAS SES & QES supported · GDPR Article 28 compliant
Trusted by teams across the EU — integrates with your existing stack
GDPR applies to how personal data is processed during signing — name, email, IP address, and timestamps. Here's exactly how Zignature handles each requirement.
Zignature acts as a Data Processor under GDPR Article 28. We provide a standard DPA that documents how signer personal data is processed, retained, and protected on your behalf.
Signer personal data is processed under "contract performance" (Article 6(1)(b)) — the same lawful basis you rely on when sending a contract. No separate consent mechanism is required for standard signing.
When a signer exercises their GDPR right to erasure, Zignature supports deletion of personal data from audit logs while maintaining the integrity of the cryptographic signature record — balancing privacy rights with legal evidence requirements.
Zignature operates on infrastructure that supports GDPR-compliant international data transfers with appropriate safeguards. Sub-processors are documented in the DPA with Standard Contractual Clauses where applicable.
Zignature's signing experience can display your privacy notice to signers before they sign, supporting GDPR transparency obligations and documenting that notice was provided as part of the audit trail.
For documents requiring the highest level of legal certainty in the EU — real estate, financial, notarial — Zignature offers Qualified Electronic Signatures (QES) via eIDEasy, meeting eIDAS Article 26 requirements.
eIDAS governs whether a signature is legally valid in the EU (SES, AdES, or QES level). GDPR governs how personal data collected during signing is processed and protected. Both apply to e-signature workflows in the EU — and Zignature is built to comply with both simultaneously.
Standard e-signature — click to sign with email verification. Legally valid across the EU for most commercial contracts. Zignature's default signing mode.
Uniquely linked to the signer with identity verification. Adds Stripe Identity verification to the signing workflow. Higher legal certainty for regulated sectors.
Highest legal equivalence to a handwritten signature under EU law. Required for specific document types. Zignature supports QES via eIDEasy integration.
Understanding which GDPR articles apply to your e-signature workflow — and how Zignature addresses each one.
You must have a lawful basis for processing signers' personal data. For e-signature workflows, the most applicable bases are contract performance (Article 6(1)(b) — processing is necessary to execute the contract being signed) or legitimate interests (Article 6(1)(f) — maintaining a tamper-proof audit trail). Zignature's DPA documents the lawful basis your organization relies on.
Signers must be informed how their personal data is processed before or at the time of collection. Zignature supports embedding a link to your Privacy Policy on the signing page — signers see it before completing their signature. You can also add a consent checkbox to the signing flow for marketing communications or other optional processing activities.
Data subjects can request deletion of their personal data. For signed contracts, there's a legal tension: the GDPR right to erasure must be balanced against the legal necessity of retaining signed documents as evidence of a binding agreement. Zignature supports selective deletion of non-essential personal data from audit logs while preserving the cryptographic integrity of the signed document itself.
When you use Zignature, you are the data controller and Zignature is the data processor. GDPR Article 28 requires a written Data Processing Agreement (DPA) between controller and processor. Zignature provides a compliant DPA to all customers — available from the security settings page or by contacting the compliance team. Enterprise customers can negotiate custom DPA terms.
If personal data flows outside the EU/EEA (e.g., to a US-based e-signature provider), GDPR requires appropriate safeguards — Standard Contractual Clauses (SCCs), Binding Corporate Rules, or adequacy decisions. Zignature processes data in compliance with applicable transfer mechanisms and documents these in the DPA. EU customers can request data residency information for compliance audits.
Different sectors face different GDPR obligations when collecting e-signatures. Here's how Zignature addresses sector-specific requirements.
Employment contracts, offer letters, and policy acknowledgments signed under GDPR require clear consent or a contract performance basis. Zignature supports embedding HR-specific privacy notices and data retention policies into the signing flow. Auto-delete signed documents after your defined retention period to comply with minimization obligations.
Patient consent forms and clinical trial agreements under GDPR are subject to both Article 9 (special category data) and eIDAS requirements. Zignature's HIPAA BAA and data processing controls support healthcare organizations. QES via eIDEasy meets the higher authentication standards many EU clinical trial regulators require.
Banks, fintechs, and insurance companies must comply with both GDPR and sector-specific regulations (MiFID II, PSD2, DORA). Customer onboarding agreements, KYC documents, and loan contracts require AdES or QES level signatures in many EU jurisdictions. Zignature supports all three eIDAS signature tiers with complete audit documentation.
Law firms and consultancies operating across EU borders must maintain legally defensible signed documents with GDPR-compliant personal data handling. Zignature's detailed audit certificate — signer identity, IP, timestamp, browser fingerprint — provides the evidence trail required for cross-border enforcement of signed agreements.
B2B SaaS companies selling into the EU need GDPR-compliant customer MSAs, DPAs, and order forms. Zignature's embeddable signing widget lets you collect signatures inside your product — with a GDPR-compliant data processing flow that your customers' compliance teams will approve without friction.
Lease agreements, purchase contracts, and agency mandates in EU member states require legally valid signatures with documented personal data processing. Many EU countries (Germany, France, Netherlands) require QES for real estate transactions above certain values — Zignature's QES integration via eIDEasy covers these requirements.
Every Zignature signing workflow is designed to satisfy GDPR requirements out of the box.
Email contains a privacy notice link explaining what data is collected and why. Processing is documented in your DPA as contract performance or legitimate interests.
The signing page displays your privacy policy link. Optional: a consent checkbox for marketing. Signer sees exactly what they're signing before proceeding.
Only data necessary for a valid audit trail is captured: name, email, IP, timestamp, browser. No unnecessary tracking. Data minimization principle satisfied.
Set automatic document deletion schedules aligned with your retention policy. Process DSARs and erasure requests through the admin panel. Full audit log of data actions maintained.
Yes — when the platform processes personal data lawfully with a valid legal basis, provides transparency to signers, and has signed a Data Processing Agreement with you. Zignature addresses all three requirements. The signature's legal validity is governed by eIDAS; how the personal data collected during signing is handled is governed by GDPR. Both frameworks apply simultaneously to EU e-signature workflows.
Yes. A standard DPA covering GDPR Article 28 requirements is available to all Zignature customers. It documents the categories of personal data processed, the purpose and legal basis, sub-processor details, data transfer mechanisms, and security measures. Enterprise customers can request a signed copy or negotiate custom DPA terms by contacting the compliance team.
Yes. The eIDAS Regulation (EU 910/2014) establishes that electronic signatures are legally valid across all EU member states. Simple Electronic Signatures (SES) — Zignature's standard mode — are valid for the vast majority of commercial, employment, and service contracts. Advanced (AdES) and Qualified (QES) levels are available for documents requiring higher assurance — real estate transactions, regulated financial products, and certain government filings.
Zignature collects the minimum data necessary for a legally valid audit trail: signer name, email address, IP address, signing timestamp, and device/browser fingerprint. This data is documented in the DPA as required for contract performance or legitimate interests. Signers can optionally be shown a privacy notice and consent checkbox before signing — configurable per workflow.
Yes, with nuance. Zignature supports deletion of non-essential personal data from audit logs where legally permissible. However, the legal necessity of maintaining evidence of a signed contract (to enforce it in court) typically overrides the right to erasure for the minimum data in the audit certificate itself — this is documented in GDPR Recital 65. Zignature's admin panel lets you process DSAR requests and document the legal justification for any retained data.
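The balance described above, and in the erasure section earlier on this page, between honouring an erasure request and keeping the audit record evidentially sound can be made concrete with per-field hash commitments: each audit field is committed to separately under one sealed root, so a field's value (and its salt) can be wiped while the seal over the record still verifies. The Python below is an added illustration of that general approach, not Zignature's code; the field names, the set of fields treated as essential evidence, and the HMAC seal standing in for a real signature are assumptions made for the example.

```python
"""Redactable audit record built from per-field salted commitments.

Constructed illustration (not Zignature's implementation): every audit field
gets its own salted hash commitment, and a keyed seal covers the set of
commitments rather than the raw values. Erasing a field removes its value and
salt but keeps the commitment, so the seal still verifies afterwards.
"""
import hashlib
import hmac
import json
import os
from typing import Dict

# Fields retained as evidence of the agreement even after an erasure request
# (assumption for this example; GDPR Art. 17(3)(e) / Recital 65 territory).
ESSENTIAL_FIELDS = {"document_sha256", "signed_at"}


def _commit(name: str, salt: bytes, value: str) -> str:
    """Commitment to one field. The random salt stops dictionary attacks on
    low-entropy values such as names or e-mail addresses once they are erased."""
    h = hashlib.sha256()
    h.update(name.encode() + b"\x00" + salt + b"\x00" + value.encode())
    return h.hexdigest()


def _root(commitments: Dict[str, str]) -> bytes:
    """Canonical digest over all commitments; independent of the field values."""
    canonical = json.dumps(commitments, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def create_record(fields: Dict[str, str], seal_key: bytes) -> dict:
    """Build a sealed audit record from plain field values."""
    record = {"fields": {}, "seal": ""}
    for name, value in fields.items():
        salt = os.urandom(16)
        record["fields"][name] = {
            "value": value,
            "salt": salt.hex(),
            "commitment": _commit(name, salt, value),
        }
    commitments = {n: f["commitment"] for n, f in record["fields"].items()}
    # HMAC stands in for the signature a production system would apply here.
    record["seal"] = hmac.new(seal_key, _root(commitments), hashlib.sha256).hexdigest()
    return record


def erase_field(record: dict, name: str) -> None:
    """Honour an erasure request for one non-essential field."""
    if name in ESSENTIAL_FIELDS:
        raise ValueError(f"{name} is retained as evidence of the signed agreement")
    entry = record["fields"][name]
    entry["value"] = None
    entry["salt"] = None  # dropping the salt makes the commitment non-invertible


def verify_record(record: dict, seal_key: bytes) -> bool:
    """Check every surviving value against its commitment, then the seal."""
    for name, entry in record["fields"].items():
        if entry["value"] is not None:
            recomputed = _commit(name, bytes.fromhex(entry["salt"]), entry["value"])
            if not hmac.compare_digest(recomputed, entry["commitment"]):
                return False
    commitments = {n: f["commitment"] for n, f in record["fields"].items()}
    expected = hmac.new(seal_key, _root(commitments), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["seal"])


if __name__ == "__main__":
    key = b"constructed-seal-key"  # constructed sample key
    rec = create_record({
        "signer_name": "Ada Example",           # constructed sample data
        "signer_email": "ada@example.test",
        "ip": "203.0.113.7",
        "signed_at": "2024-05-01T10:00:00Z",
        "document_sha256": "ab" * 32,
    }, key)
    print("before erasure:", verify_record(rec, key))
    erase_field(rec, "signer_email")
    print("after erasure: ", verify_record(rec, key))
```

The design choice worth noting is that the seal covers commitments, not values: an erasure changes nothing the seal depends on, whereas any edit to a surviving value or to a commitment breaks verification. Because the salt is discarded together with the value, an erased e-mail address cannot be recovered by hashing candidate addresses against the retained commitment.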
Yes. The UK retained GDPR as "UK GDPR" after Brexit, with essentially the same requirements as EU GDPR for data processing. Organizations that process personal data of both EU and UK data subjects must comply with both frameworks — which have minor but growing differences as UK law evolves post-Brexit. Zignature's DPA covers both UK GDPR and EU GDPR obligations.
For most commercial contracts (service agreements, NDAs, employment contracts, sales orders), Simple Electronic Signatures (SES) are legally valid and GDPR-compliant. Advanced Electronic Signatures (AdES) are appropriate when you need stronger identity verification — regulated sectors, high-value contracts, or counter-party requirements. Qualified Electronic Signatures (QES) are legally equivalent to handwritten signatures and required by a small number of document types under EU law (e.g., some real estate deeds, notarial acts). Zignature supports all three levels.
Where personal data is transferred outside the EU/EEA, Zignature relies on Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms as documented in the DPA. EU customers can request data transfer impact assessment documentation for their own compliance records. The DPA specifies sub-processors and their locations, giving you full visibility into the data processing chain.
Yes. Zignature allows you to embed a link to your privacy policy on the signing page — ensuring signers are informed of their data rights under GDPR Article 13 before they complete signing. You can also configure a mandatory privacy consent checkbox for workflows where explicit consent is your legal basis (e.g., marketing communications consent collected alongside a signature).
Free plan, DPA available on request, eIDAS SES and QES supported. No compliance gaps.