Data Processing Addendum
Effective date: 12 June 2026 | Version: 1.0
This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Customer", "you") and Angular Minds Private Limited, the company behind Document eSign ("Document eSign", "we", "us"). It applies where we process personal data on your behalf in providing the Service and where data protection law (such as the EU GDPR, UK GDPR, or India's Digital Personal Data Protection Act 2023) applies.
If you are a Business or Enterprise customer and need a countersigned copy, email [email protected].
1. Roles
For personal data contained in the documents you upload and the recipients you send them to ("Customer Personal Data"), you are the controller and we are the processor. You are responsible for the lawfulness of that data and for having the rights and consents needed to process it. We process Customer Personal Data only to provide the Service and only as described in this DPA and your instructions.
For data we collect to run our business and the Service generally (such as your account and billing information), we act as a controller under our Privacy Policy.
2. Our processing obligations
We will:
- Process on your instructions. Process Customer Personal Data only to provide and support the Service, as set out in this DPA and the Terms, or as required by law (and if law requires more, we will tell you unless prohibited).
- Keep it confidential. Ensure people authorized to process Customer Personal Data are bound by confidentiality.
- Secure it. Maintain appropriate technical and organizational measures (Annex 2), including encryption in transit and at rest, access controls, and monitoring.
- Use sub-processors responsibly. Use only the sub-processors in Annex 1 or others we notify you of, under contracts with data-protection terms no less protective than this DPA. We remain responsible for their performance.
- Help with data-subject rights. Provide reasonable assistance, taking into account the nature of the processing, so you can respond to requests from individuals to access, correct, delete, or port their data.
- Help with compliance. Provide reasonable assistance with your data protection impact assessments and consultations with regulators, and make available information needed to show compliance with this DPA.
- Report breaches. Notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information you reasonably need to meet your own notification duties.
- Return or delete. On termination, delete or return Customer Personal Data in line with the retention periods in our Privacy Policy and Cancellation Policy, unless law requires us to keep it.
- Allow audits. Make available the information needed to demonstrate compliance and allow for audits, including inspections, conducted by you or an auditor you appoint, on reasonable notice, subject to confidentiality and not unreasonably disrupting our operations. We may satisfy audit requests by providing relevant third-party reports where available.
3. Sub-processors
You authorize us to engage the sub-processors listed in Annex 1. We will give reasonable notice before adding or replacing a sub-processor (for example by updating Annex 1 and, where you subscribe to notifications, emailing you). If you reasonably object on data-protection grounds, we will work with you in good faith to address it; if we cannot, you may terminate the affected part of the Service.
4. International transfers
Customer Personal Data may be processed in countries other than your own. Where we transfer personal data across borders, we put in place a lawful transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where relevant) or another approved safeguard, which is incorporated into this DPA by reference where required.
5. General
This DPA supplements the Terms of Service. If there is a conflict on the subject of data processing, this DPA prevails. It is governed by the same law and jurisdiction as the Terms (India, courts of Pune), except where data protection law requires otherwise.
Annex 1: Sub-processors
The following third parties process Customer Personal Data to help us provide the Service.
| Sub-processor | Purpose | Data processed |
|---|---|---|
| Stripe | Payment processing and subscription billing | Billing contact, subscription and invoice data, payment metadata (card data is handled by Stripe; we do not store it) |
| Amazon Web Services (S3) | Document and file storage | Uploaded documents, signed PDFs, signatures, attachments, audit PDFs |
| Amazon Web Services (SES) | Transactional email delivery | Recipient email address, sender and message content for signature requests, reminders, completion and account emails |
| Supabase | Managed database hosting | All application data (accounts, workspaces, documents, recipients, audit trail, subscriptions) |
| DigitalOcean | Application hosting and compute | Data in transit and in processing while the Service runs |
| Sentry (Functional Software) | Error and performance monitoring | Diagnostic data, which may include account or workspace identifiers and limited request context |
| Google (reCAPTCHA) | Bot and abuse prevention on auth pages | Device and usage signals, IP address; no document content |
Customer-directed integrations (not our sub-processors). If you connect a cloud storage account, data is exchanged with that provider under your control and their terms, using access you grant and can revoke: Google Drive, Dropbox, Microsoft OneDrive, and Box.
Annex 2: Security measures (summary)
- Encryption of data in transit (TLS) and at rest.
- Role-based access controls within the application; least-privilege internal access to systems.
- Two-factor authentication available to all users and enforceable per workspace; IP allowlisting on eligible plans.
- Tamper-evident audit trails and PAdES digital sealing of completed PDFs.
- Logging, error monitoring, and alerting.
- Soft-delete with a recovery window before permanent deletion, and backups.
- Secrets management and restricted production access.
Annex 3: Processing details
- Subject matter: provision of the Document eSign electronic-signature Service.
- Duration: for the term of the Terms of Service and the retention periods described in the Privacy Policy and Cancellation Policy.
- Nature and purpose: hosting, storing, transmitting, and processing documents and signer data to enable electronic signing, tracking, audit trails, and completion certificates.
- Categories of data subjects: Customer's users and workspace members, and the recipients/signers of Customer's documents.
- Categories of personal data: names, email addresses, phone numbers, job titles, profile and signature images, document contents provided by the Customer, and signing metadata including IP address, browser user agent, approximate location, and timestamps.
- Special category data: not intended; the Customer must not submit special category data except under an applicable Enterprise arrangement.
Contact
- Legal and DPA requests: [email protected]
- Data protection: [email protected]
- Angular Minds Private Limited, 501, Sai Shilp Business Center, Baner, Pune 411045, Maharashtra, India