Skip to main content

Data Processing Addendum

Effective date: April 28, 2026

Permissio, Inc.


This Data Processing Addendum ("DPA") is between Permissio, Inc. ("Permissio" or "Processor") and the customer identified in the applicable account or order form ("Customer" or "Controller"). This DPA is incorporated into and forms part of the Terms of Service or other agreement between the parties for use of the Permissio Services ("Principal Agreement"). In the event of a conflict between this DPA and the Principal Agreement regarding processing of Customer Personal Data, this DPA controls solely for that conflict.


1. Definitions

"Customer Personal Data" means personal data, personal information, or equivalent terms under Applicable Data Protection Law that is included in Customer Content and processed by Permissio on behalf of Customer under the Principal Agreement.

"Processing" means any operation performed on Customer Personal Data, including collection, storage, use, disclosure, transfer, and deletion.

"Data Subject" means the individual to whom Customer Personal Data relates (e.g., a signer, recipient, or Authorized User).

"Applicable Data Protection Law" means any applicable law governing the Processing of Customer Personal Data, which may include the GDPR, UK GDPR, CCPA, and equivalent US state privacy laws.

"Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.


2. Roles of the Parties

Customer is the controller, business, or equivalent party that determines the purposes and means of Processing Customer Personal Data. Permissio is the processor, service provider, contractor, or equivalent party that Processes Customer Personal Data on behalf of Customer solely to provide the Services.

Where Customer acts as a processor for another controller, Customer appoints Permissio as a subprocessor, and Customer warrants that the underlying controller has authorized this appointment.


3. Processing Instructions

Permissio will Process Customer Personal Data only:

  • To provide the Services and perform its obligations under the Principal Agreement
  • In compliance with documented Customer instructions, including instructions given through account settings, API calls, workflow configuration, and support requests
  • As required to comply with applicable law (in which case Permissio will notify Customer before Processing unless prohibited by law)
  • As necessary to protect the Services, prevent abuse, and ensure security

Customer instructs Permissio to Process Customer Personal Data as described in this DPA and the Principal Agreement.


4. Details of Processing

ElementDescription
Subject matterHosted electronic signature, document workflow, API, signer, dashboard, webhook, audit, email, storage, and support services
DurationThe subscription term plus any applicable retention, backup, legal hold, or transition period
Nature and purposeHosting, storing, transmitting, rendering, stamping, signing, auditing, authenticating, notifying, logging, supporting, and securing Customer Content and related workflows
Data subjectsCustomer administrators, Authorized Users, signers, recipients, developers, support contacts, and individuals named in Customer Content
Data categoriesName, email, account identifiers, authentication records, IP address, user agent, signature data, envelope metadata, document contents, field values, audit events, webhook configuration, support data

5. Confidentiality

Permissio will ensure that personnel authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations.


6. Security Measures

Permissio will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data against unauthorized access, disclosure, alteration, and destruction. The applicable security measures are described in the Data Protection and Security Addendum, which is incorporated as Annex 2 to this DPA.


7. Subprocessors

Permissio maintains a list of authorized subprocessors at /legal/subprocessors. Customer hereby grants general authorization for Permissio to engage those subprocessors. Permissio will notify Customer of material new subprocessors at least 30 days before the new subprocessor begins Processing Customer Personal Data. Customer may object on reasonable data protection grounds within that period; if the parties cannot resolve the objection, Customer may terminate the affected Services without penalty.

Permissio will impose on each subprocessor data protection obligations no less protective than those in this DPA.


8. Data Subject Requests

Taking into account the nature of the Processing, Permissio will provide reasonable assistance to Customer in fulfilling Data Subject requests. If Permissio receives a Data Subject request relating to Customer Personal Data, Permissio will refer the request to Customer without undue delay. Customer is responsible for responding to Data Subject requests under Applicable Data Protection Law.


9. Security Incidents

Permissio will notify Customer without undue delay — and in any event within 72 hours — after becoming aware of a Security Incident affecting Customer Personal Data. The notification will include, to the extent known: the nature of the incident; categories and approximate number of Data Subjects affected; categories and approximate volume of records affected; likely consequences; and measures taken or proposed to address the incident.


10. Assistance and Compliance

Permissio will assist Customer in meeting its obligations under Applicable Data Protection Law with respect to: security of Processing; Data Subject rights; data protection impact assessments; and prior consultation with supervisory authorities, taking into account the nature of Processing and the information available to Permissio.


11. Audit Rights

Permissio will make available to Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits or inspections, conducted by Customer or a mandated auditor, subject to:

  • Reasonable prior written notice (at least 30 days except in the event of a confirmed Security Incident)
  • Conduct during normal business hours
  • No more than once per calendar year unless required by a supervisory authority or following a confirmed Security Incident
  • Confidentiality restrictions and applicable security policies

Customer may satisfy audit rights through third-party certification or audit reports provided by Permissio where available.


12. Return and Deletion

Upon termination or expiration of the Services, Permissio will, at Customer's election, return or delete Customer Personal Data in accordance with the Principal Agreement and Retention and Deletion Policy. Permissio may retain Customer Personal Data where required by law, necessary to establish or defend legal claims, subject to legal hold, or stored in backup systems until overwritten under standard backup retention cycles.


13. International Transfers

Customer Personal Data processed by Permissio is stored in the United States. For transfers of Customer Personal Data from the European Economic Area, UK, or Switzerland to the United States or other countries not recognized as providing adequate data protection, the parties agree to use an appropriate lawful transfer mechanism.

Where the EU Standard Contractual Clauses (Commission Decision 2021/914) are required, the applicable module is incorporated by reference and completed by the annexes in this DPA. The parties will complete any required supplementary measures or transfer impact assessments as needed.


14. United States State Privacy Laws

To the extent Customer Personal Data is subject to US state privacy laws (including CCPA), Permissio will:

  • Process Customer Personal Data as a service provider, processor, or contractor solely for the business purpose of providing the Services
  • Not sell Customer Personal Data
  • Not share Customer Personal Data for cross-context behavioral advertising
  • Not retain, use, or disclose Customer Personal Data outside the business purpose of providing the Services
  • Not combine Customer Personal Data with personal information from other sources except as permitted by law

15. Liability

All liability arising under or related to this DPA is subject to the exclusions and limitations set out in the Principal Agreement. This DPA does not create a separate, additional, or uncapped liability pool. To the maximum extent permitted by law, Permissio's total aggregate liability for DPA, privacy, security, data breach, and Customer Personal Data claims will not exceed the liability cap stated in the Principal Agreement.


Annex 1 — Processing Description

The processing description in Section 4 of this DPA constitutes Annex 1.

Annex 2 — Technical and Organizational Security Measures

The Data Protection and Security Addendum constitutes Annex 2.

Annex 3 — Subprocessors

The current Subprocessor List constitutes Annex 3.


How to Execute This DPA

Partners who require a countersigned DPA for enterprise agreements should contact legal@permissio.us. We will prepare a signed copy within 5 business days.