GDPR Compliance

Last updated 28 May 2026

Introduction

ContractSign is designed from the ground up to support compliance with the EU General Data Protection Regulation (GDPR). This page describes our approach to data protection, the roles and responsibilities involved, and the technical and organizational measures we have implemented.

Because ContractSign is a digital contract signing platform that processes personal data on behalf of European businesses, GDPR compliance is fundamental to our operations and product design.

Roles & responsibilities

The GDPR distinguishes between data controllers and data processors. In the context of ContractSign:

Data controller

The customer (workspace owner) who creates contracts, uploads content, and invites signers. The controller determines the purposes and means of processing personal data within their contracts.

Data processor

ContractSign (Happenings Group A/S) acts as a data processor when storing, processing, and transmitting contract data and signer information on behalf of the customer.

For platform operational data (account management, billing, analytics), ContractSign acts as an independent data controller.

Data processing activities

The following categories of personal data may be processed through ContractSign:

  • Identity data — names, email addresses, phone numbers of account holders and signers
  • Contract content — any personal data contained within the contracts created by customers
  • Signing evidence — IP addresses, user agents, timestamps, OTP verifications, MitID assertions
  • Organizational data — company names, registration numbers, VAT numbers, addresses
  • Communication data — email notifications, SMS messages sent during signing flows

Technical measures

We have implemented the following technical measures to protect personal data:

  • Encrypted transport — all data in transit is protected by TLS 1.2+
  • Encrypted storage — database and file storage use encryption at rest
  • Access control — role-based access control (RBAC) with organization-level data isolation
  • Authentication — secure session management with CSRF protection; optional MitID for signing
  • Password security — passwords are hashed using bcrypt with appropriate cost factors
  • Audit logging — immutable audit trail records for all significant platform events
  • API security — rate limiting, API key authentication, and request validation
  • Infrastructure — hosted on Cloudflare Workers with automatic DDoS protection

Organizational measures

In addition to technical safeguards, we maintain organizational practices to support GDPR compliance:

  • Privacy by design — data protection considerations are integrated into product development
  • Data minimization — we collect only the data necessary for the stated purpose
  • Access management — team access to production data is restricted and logged
  • Vendor assessment — all sub-processors are evaluated for GDPR compliance before engagement
  • Incident response — documented procedures for identifying, containing, and reporting data breaches

Sub-processors

ContractSign uses the following sub-processors to deliver the service. All are bound by data processing agreements:

Provider            | Purpose                             | Location
--------------------|-------------------------------------|------------------
Cloudflare          | Hosting, CDN, R2 storage, Workers   | EU / Global
Neon                | PostgreSQL database                 | EU
SendGrid (Twilio)   | Email delivery                      | US (SCCs)
Twilio              | SMS delivery                        | US (SCCs)
Stripe              | Payment processing                  | US (SCCs)
Google Analytics    | Web analytics                       | EU / US (SCCs)

Data subject rights

ContractSign supports customers in fulfilling data subject rights requests. Workspace owners can:

  • Export contracts and associated data
  • Delete contracts, signers, and audit data (subject to legal retention requirements)
  • Update signer information and organizational details
  • Manage team member access and permissions

For requests that cannot be handled through the platform, contact privacy@contractsign.net and we will assist within 30 days.

Breach notification

In the event of a personal data breach, ContractSign will notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Notifications will include the nature of the breach, the categories and approximate number of data subjects concerned, likely consequences, and measures taken to address the breach.

Data protection impact assessment

We have conducted a Data Protection Impact Assessment (DPIA) for ContractSign's core processing activities. The assessment concluded that appropriate technical and organizational measures are in place to mitigate risks to data subjects.

Customers may conduct their own DPIAs as data controllers and may request information from us to support their assessment.

Data Processing Agreement

ContractSign provides a Data Processing Agreement (DPA) to all customers on Professional plans and above. The DPA defines the scope of processing, security obligations, sub-processor usage, and breach notification procedures.

To request a copy of our DPA, contact legal@contractsign.net.

Contact

For GDPR-related inquiries, contact our data protection team at privacy@contractsign.net.

You may also contact the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk if you believe your rights under the GDPR have not been adequately addressed.

Happenings Group A/S, Klostergade 56B, St., 8000 Aarhus C, Denmark.