The EU General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades, and went into effect on May 25, 2018. The GDPR replaced the Data Protection Directive 95/46/EC and applies to all organizations that have EU citizens as customers. It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data protection. In this blog post, we explain the steps that SignRequest takes to ensure we meet our data protection obligations under GDPR.

SignRequest GDPR Measures

SignRequest is committed to meeting our data protection obligations under GDPR. As a processor, some of the measures that SignRequest has implemented include: 

  • Privacy by Design and Privacy by Default principles
  • Support for cross-border data transfers
  • Transparency into how we collect, retain, use, disclose, and transfer personal data 
  • Data security measures and certifications

Privacy by Design/Default

The GDPR requires businesses to integrate data protection concerns into every aspect of processing activities. Privacy by Design/Default focuses on accountability and demonstrates how a business is complying with data protection requirements. As a result, SignRequest performs Data Privacy Impact Assessments (DPIAs) to meet our accountability obligations under GDPR and to ensure our processing complies with the data protection principles.

Updated Data Processing Addendum & Cross-Border Data Transfers

In light of Brexit and the Court of Justice of the European Union's (CJEU) Schrems II decision to invalidate Privacy Shield as a valid cross-border data transfer mechanism, we updated our Data Processing Addendum (DPA). Specifically, our updated DPA reflects compliance with UK and EU data protection laws and provides our users with Standard Contractual Clauses (SCCs) to ensure users, and SignRequest, maintain a valid legal mechanism for data transfers outside of the UK and EU. 

Our updated Data Processing Addendum and SCCs are available to all SignRequest users here. If you have any questions or for additional information, please email us a

Updated Privacy Notice

SignRequest is committed to protecting your privacy and personal information. We recently updated our Privacy Notice and Terms of Service to ensure our customers understand how their personal information is collected, retained, used, disclosed, and transferred when using the SignRequest service. Our updated Privacy Notice also provides additional information surrounding our use of cookies and provides details regarding the choices our customers have with regard to their personal information. 

Please view our updated Privacy Notice and Terms of Service for additional information.

Data Security Measures & Certifications

Protecting the information of SignRequest users is extremely important to us and we've taken necessary actions to ensure the safety of your data. Our data security measures include, but are not limited to, the following:

  • Encryption of digital files containing personal data at-rest and in-transit
  • Security of the network connection with Secure Socket Layer (SSL) technology or a similar technology
  • Restriction of access to user personal data to authorised employees

SignRequest has also received the internationally recognized security certification for ISO 27001 (information security management) and passed the extensive Salesforce Security Review, which is based on the OWASP top 10 list. For additional information about the security measures that we take to protect your personal information, please visit SignRequest Security

SignRequest also offers additional security features for users that require an extra level of safety:

  • Two-Factor Verification: Users can now add a two-factor verification to their SignRequest account. For more information on how to enable this feature, please visit the Two-Factor Verification help page. 
  • Set a Signer Password: Users can now add a separate password per signer to their SignRequests. This means the signer can only view (and sign) the document after entering a separate password. Users will need to send this password to signers through a separate channel, for example by phone or text message.

To learn more about SignRequest, or if you have any questions about SignRequest's privacy practices, please contact 

Please also note that as of February 3 2021, SignRequest was acquired by Box, Inc. To learn more about Box's security and privacy practices, please visit the Box Privacy Notice.

Liked this article? Share it with your friends!