GDPR, Brexit, & Data Transfers

The EU General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades, and went into effect on May 25, 2018. The GDPR replaced the Data Protection Directive 95/46/EC and applies to all organizations that have EU citizens as customers. It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data protection. In this blog post, we explain the steps that SignRequest has taken to ensure we meet our data protection obligations under GDPR. With fluctuating data protection regulations in the region, we've also made updates to our Data Processing Addendum, Terms of Service and Privacy Notice that are further detailed below.

SignRequest GDPR Measures

SignRequest is committed to meeting our data protection obligations under GDPR. As a processor, some of the measures that SignRequest has implemented include:

  • Privacy by Design and Privacy by Default principles
  • Support for cross-border data transfers
  • Transparency into how we collect, retain, use, disclose, and transfer personal data
  • Data security measures and certifications

Privacy by Design/Default

The GDPR requires businesses to integrate data protection concerns into every aspect of processing activities. Privacy by Design/Default focuses on accountability and demonstrates how a business is complying with data protection requirements. As a result, SignRequest performs Data Privacy Impact Assessments (DPIAs) to meet our accountability obligations under GDPR and to ensure our processing complies with the data protection principles.

Updated Privacy Notice

We recently updated our Privacy Notice and Terms of Service to ensure our customers understand how their personal information is collected, retained, used, disclosed, and transferred when using the SignRequest service. Our updated Privacy Notice also provides additional information surrounding our use of cookies and provides details regarding the choices our customers have with regard to their personal information.

Please view our updated Privacy Notice and Terms of Service for additional information.

Updated Data Processing Addendum & Cross-Border Data Transfers

SignRequest is committed to protecting the privacy of personal data. No matter the changing landscape, including the Court of Justice of the European Union’s (CJEU) Schrems II decision to invalidate Privacy Shield, the United Kingdom’s departure from the European Union (Brexit) or the issuance of updated Standard Contractual Clauses (SCCs) by the European Commission, we’ve made it easy for our customers to maintain a lawful data transfer mechanism. To offer the most flexible options to customers when it comes to transfers of personal data our Data Processing Addendum (DPA) now includes the European Commission’s Implementing Decision 2121/914 of  4  June  2021  on  Standard  Contractual  Clauses (EU SCCs) and the UK Addendum to the EU SCCs as issued by the Information Commissioner’s Office and approved 21 March 2022 (collectively SCCs). By creating a new SignRequest account and agreeing to our Terms of Service and Privacy Policy, you have also agreed to the updated DPA and no further action is needed. Should an existing SignRequest customer continue to utilize the SignRequest service one week of after receiving notice of the updatedPrivacy Notice , you would have consented to the updated DPA (andits terms thereafter apply). For users in the E.U. you may exercise your data subject rights (i.e. the right to object) by emailing Similarly, all other queries may be submitted to

Data Security Measures & Certifications

Protecting the information of SignRequest users is extremely important to us and we've taken necessary actions to ensure the safety of your data. Our data security measures include, but are not limited to, the following:

  • Encryption of digital files containing personal data at-rest and in-transit
  • Security of the network connection with Secure Socket Layer (SSL) technology or a similar technology
  • Restriction of access to user personal data to authorised employees

SignRequest has also received the internationally recognized security certification for ISO 27001 (information security management) and passed the extensive Salesforce Security Review, which is based on the OWASP top 10 list. For additional information about the security measures that we take to protect your personal information, please visit SignRequest Security.

SignRequest also offers additional security features for users that require an extra level of safety:

  • Two-Factor Verification: Users can now add a two-factor verification to their SignRequest account. For more information on how to enable this feature, please visit the Two-Factor Verification help page.
  • Set a Signer Password: Users can now add a separate password per signer to their SignRequests. This means the signer can only view (and sign) the document after entering a separate password. Users will need to send this password to signers through a separate channel, for example by phone or text message.

To learn more about SignRequest, or if you have any questions about SignRequest's privacy practices, please contact

Please also note that as of February 3 2021, SignRequest was acquired by Box, Inc. To learn more about Box's security and privacy practices, please visit the Box Privacy Notice.