Between:
Firma (1600 Holdings LLC) ("Processor" or "Firma.dev")
And:
The entity agreeing to Firma.dev's Terms & Conditions ("Controller" or "Customer")
Effective Date: Upon Customer's acceptance of Firma.dev's Terms & Conditions
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed by Firma.dev on behalf of Customer through the Service.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Processing" means any operation performed on Personal Data, whether automated or manual, including collection, storage, retrieval, use, disclosure, and deletion.
"Sub-processor" means any third party engaged by Firma.dev to process Personal Data on behalf of Customer.
"Service" means Firma.dev's e-signature API and related services as described in the Terms & Conditions.
"SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission.
"GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
2. Scope and Roles
2.1 This DPA applies when Firma.dev processes Personal Data on behalf of Customer in connection with the Service.
2.2 Customer acts as the Controller. Customer determines the purposes and means of processing Personal Data.
2.3 Firma.dev acts as the Processor. Firma.dev processes Personal Data only on documented instructions from Customer, as described in this DPA and the Terms & Conditions.
3. Data Processing Details
3.1 Categories of Data Subjects
Customer's employees, contractors, and authorized users
End-user signers who interact with documents sent through the Service
3.2 Types of Personal Data
Names and email addresses
Signature data (drawn, typed, or uploaded signatures)
IP addresses and timestamps
Document content (to the extent it contains Personal Data)
Audit trail information
3.3 Processing Activities
Storing and rendering documents for signature
Capturing and applying electronic signatures
Generating audit trails and certificates of completion
Sending signature request notifications
Providing API access and webhooks
3.4 Duration of Processing
Firma.dev will process Personal Data for the duration of the agreement and as required for legal compliance, as specified in the Privacy Policy.
4. Obligations of Firma.dev
Firma.dev shall:
4.1 Process Personal Data only on documented instructions from Customer, including transfers to third countries, unless required by EU or Member State law. Firma.dev will inform Customer of any such legal requirement before processing, unless prohibited by law.
4.2 Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Implement appropriate technical and organizational measures as described in Annex 1 (Technical and Organizational Measures).
4.4 Respect the conditions for engaging Sub-processors as described in Section 6.
4.5 Assist Customer, taking into account the nature of processing, with appropriate technical and organizational measures for the fulfillment of Customer's obligations to respond to Data Subject requests.
4.6 Assist Customer in ensuring compliance with obligations under GDPR Articles 32-36, taking into account the nature of processing and information available to Firma.dev.
4.7 At Customer's choice, delete or return all Personal Data upon termination of the Service, except where retention is required by applicable law.
4.8 Make available to Customer all information necessary to demonstrate compliance with the obligations in GDPR Article 28, and allow for and contribute to audits as described in Section 10.
5. Obligations of Customer
Customer shall:
5.1 Ensure that Personal Data is collected and processed in compliance with applicable data protection laws, including obtaining any necessary consents or providing required notices to Data Subjects.
5.2 Provide documented instructions to Firma.dev regarding the processing of Personal Data.
5.3 Ensure that Customer's use of the Service complies with all applicable laws and regulations.
6. Sub-processors
6.1 Customer authorizes Firma.dev to engage the Sub-processors listed in Annex 2 (Sub-processor List).
6.2 Firma.dev will inform Customer of any intended changes to Sub-processors by updating the Sub-processor List. Customer may object to such changes within 30 days of notification. If Customer objects and Firma.dev cannot reasonably accommodate the objection, Customer may terminate the affected Service.
6.3 Firma.dev will enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
6.4 Firma.dev remains fully liable for the performance of its Sub-processors.
7. International Transfers
7.1 EU Data Residency: Customer Personal Data is stored and processed within the European Union. Firma.dev's primary infrastructure is located in AWS eu-west-3 (Paris, France), with CDN services in AWS eu-north-1 (Stockholm, Sweden).
7.2 If Firma.dev transfers Personal Data outside the European Economic Area, Firma.dev will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
7.3 Upon request, Firma.dev will execute SCCs with Customer for any transfers to third countries that lack an adequacy decision.
8. Data Subject Requests
8.1 Firma.dev will promptly notify Customer if it receives a request from a Data Subject to exercise rights under GDPR (access, rectification, erasure, portability, restriction, or objection).
8.2 Firma.dev will not respond directly to Data Subject requests unless authorized by Customer or required by law.
8.3 Firma.dev will provide reasonable assistance to Customer in responding to such requests, taking into account the nature of processing.
9. Security Incidents
9.1 Firma.dev will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting Customer's data.
9.2 The notification will include, to the extent known:
The nature of the breach, including categories and approximate number of Data Subjects affected
The likely consequences of the breach
Measures taken or proposed to address the breach
9.3 Firma.dev will cooperate with Customer and take reasonable steps to assist in the investigation and mitigation of each breach.
10. Audits
10.1 Firma.dev will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. This obligation will be satisfied by providing:
Security documentation and policies
Third-party security assessments when available
Completed security questionnaires
10.2 Firma.dev does not permit on-site audits. All audit requests will be addressed through documentation, written responses, and remote verification methods at Firma.dev's discretion.
10.3 Audit requests beyond standard documentation (such as custom security questionnaires, detailed technical reviews, or calls with security personnel) will be subject to a fee of €500 per request, payable in advance.
10.4 Nothing in this Section 10 requires Firma.dev to disclose information that would compromise the security of its systems, violate confidentiality obligations to other customers, or breach applicable law.
11. Term and Termination
11.1 This DPA takes effect upon Customer's acceptance of the Terms & Conditions and remains in effect for the duration of Firma.dev's processing of Personal Data on behalf of Customer.
11.2 Upon termination of the Service, Firma.dev will delete or return Personal Data as specified in Section 4.7, subject to legal retention requirements.
12. Governing Law
This DPA is governed by the laws specified in the Terms & Conditions. For matters relating to GDPR compliance, the provisions of GDPR and applicable Member State law shall apply.
Annex 1: Technical and Organizational Measures
Firma.dev implements the following measures to protect Personal Data:
Access Control
Unique API keys per Customer with configurable permissions
Customer Workspaces provide logical isolation between Customer data sets
Encryption
TLS 1.2 or higher for all data in transit
AES-256 encryption for data at rest
Encrypted database connections
Infrastructure Security
Hosted on AWS with EU data residency (eu-west-3 Paris)
Network segmentation and firewall protection
Regular security patching and updates
DDoS protection via AWS CloudFront
Monitoring and Logging
Comprehensive audit trails for all signature events
Automated alerting for anomalous activity
Log retention for security analysis
Data Integrity
Tamper-evident audit trails with cryptographic seals
Document hash verification
Automated backups with point-in-time recovery
Incident Response
Documented incident response procedures
72-hour breach notification commitment
Personnel Security
Confidentiality agreements for all personnel
Business Continuity
Redundant infrastructure within EU regions
Regular backup testing
Annex 2: Sub-processor List
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, CDN | EU (Paris, France - eu-west-3; Stockholm, Sweden - eu-north-1) |
| Supabase | Database services (hosted on AWS) | EU (Paris, France - eu-west-3) |
Last updated: January 2026
Customer will be notified of changes to this list via email to the account administrator or through the Firma.dev dashboard.
Annex 3: Standard Contractual Clauses
For transfers of Personal Data to countries outside the European Economic Area that do not benefit from an adequacy decision, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by European Commission Implementing Decision (EU) 2021/914 shall apply and are incorporated by reference.
The SCCs shall be deemed completed as follows:
Clause 7 (Docking clause): Not used
Clause 9 (Use of sub-processors): Option 2 (General written authorization) applies
Clause 11 (Redress): Optional language not used
Clause 17 (Governing law): Laws of Ireland
Clause 18 (Choice of forum): Courts of Ireland
Contact for Data Protection Inquiries:
Firma.dev (1600 Holdings LLC)
Email: Via support form at firma.dev/contact
By using Firma.dev's Service, Customer acknowledges and agrees to the terms of this Data Processing Agreement.

