Data Processing Agreement
This Data Processing Agreement (the "DPA") supplements and is incorporated into the Seald Terms of Service (the "Agreement") between Seald, Inc. ("Seald", "Processor") and the customer accepting the Agreement ("Customer", "Controller"). It applies whenever Seald processes Personal Data on behalf of the Customer in connection with the Service. Capitalized terms not defined here have the meaning given in the Agreement or in Article 4 GDPR.
1. Definitions
- "Applicable Data Protection Law"
- Regulation (EU) 2016/679 ("GDPR"), the UK GDPR and the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other privacy or data-protection laws applicable to Seald's processing on behalf of the Customer.
- "EU SCCs"
- The Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914.
- "UK Addendum"
- The International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
- "UK IDTA"
- The International Data Transfer Agreement issued by the UK Information Commissioner.
- "Personal Data"
- Personal information processed by Seald on behalf of the Customer in connection with the Service, as described in Annex I.
- "Sub-processor"
- Any processor engaged by Seald to process Personal Data on behalf of the Customer.
2. Roles and scope
For Personal Data processed in connection with the Service, the Customer is the controller (or processor on behalf of its own customer), and Seald is the processor (or sub-processor). This DPA implements the controller-processor obligations of GDPR Article 28(3), the equivalent UK GDPR provisions, and the service-provider obligations of CCPA § 1798.140(ag) and § 1798.105(c). Seald is a "service provider" within the meaning of CCPA § 1798.140(ag) and not a "third party" or "contractor".
3. Processor obligations (GDPR Art. 28(3))
- Documented instructions. Seald processes Personal Data only on the documented instructions of the Customer, as set out in the Agreement, this DPA, and any further written instructions the Customer gives within the scope of the Service. Seald will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
- Confidentiality. Personnel authorized to process Personal Data are subject to a duty of confidentiality, whether by contract or by statute.
- Security. Seald implements appropriate technical and organizational measures (Art. 32 GDPR) to protect Personal Data, as described in Annex II.
- Sub-processors. See Section 4 below. Seald flows down obligations equivalent to those in this DPA.
- Data-subject requests. Seald assists the Customer (taking into account the nature of the processing) in responding to requests from data subjects under GDPR Articles 15–22, including by providing in-product export and deletion functionality and by forwarding requests received directly by Seald.
- Breach assistance, DPIAs, prior consultation. Seald notifies the Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides reasonable assistance with the Customer's obligations under Articles 32 to 36 GDPR.
- Return or deletion. On termination of the Agreement, Seald deletes or returns all Personal Data, at the Customer's choice, subject to the retention windows set out in Seald's Privacy Policy and Section 6 of the Agreement, and except where Applicable Data Protection Law requires retention.
- Audit. Seald makes available to the Customer the information necessary to demonstrate compliance with this DPA. On reasonable prior written notice, and not more than once per calendar year unless triggered by an incident, the Customer may exercise an audit right consisting of written information requests and, where strictly necessary, an on-site audit conducted by an independent auditor under reasonable confidentiality and security constraints, at the Customer's expense.
4. Sub-processors
The Customer authorizes Seald to engage Sub-processors to process Personal Data, subject to the following conditions:
- Seald maintains a current list of Sub-processors at /legal/sub-processors, including each Sub-processor's name, processing role, location, and applicable transfer mechanism.
- Before adding or replacing a Sub-processor, Seald gives at least thirty (30) days' advance notice by updating the public list and by emailing subscribers to subscribe-subprocessors@seald.nromomentum.com.
- The Customer may object on reasonable data-protection grounds within the thirty-day window. If the parties cannot agree on a resolution, the Customer may terminate the affected portion of the Service for the disputed Sub-processor as its sole and exclusive remedy.
- Seald imposes on each Sub-processor data-protection obligations equivalent in substance to those in this DPA and remains liable for the acts and omissions of its Sub-processors.
5. International transfers
Where Personal Data originating in the EEA, the UK, or Switzerland is transferred to a country that is not the subject of an adequacy decision, the parties rely on transfer mechanisms in the following priority order:
- EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. Framework) where the recipient is certified.
- EU SCCs Module 2 (controller-to-processor) or Module 3 (processor-to-processor), which the parties hereby execute and incorporate by reference. Specific Module 2 selections: Clause 7 (docking) is included; Clause 9(a) Option 2 (general written authorization) governs Sub-processors with the thirty-day notice in Section 4 above; Clause 11(a) optional language on independent dispute resolution is omitted; Clause 17 governing law is the law of Ireland; Clause 18 forum and jurisdiction is the courts of Ireland; Annexes I.A, I.B, I.C, and II are completed by reference to Annex I and Annex II of this DPA.
- For UK-origin transfers, the UK Addendum to the EU SCCs (or, where the parties prefer, the UK IDTA) is incorporated and completed using the same Annex information.
Seald has performed a Transfer Impact Assessment ("TIA"), available on request, that documents the supplementary technical and organizational measures (encryption at rest with AES-256 in customer-controllable key contexts, TLS 1.3 in transit, U.S. surveillance-law assessment, government-request transparency).
6. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law (for example, statutory data-subject claims).
7. Precedence and changes
If there is a conflict between this DPA and the Agreement, this DPA prevails on data-protection matters. If a conflict exists between this DPA and the EU SCCs or the UK Addendum/IDTA, the SCCs/Addendum/IDTA prevail. Seald may amend this DPA from time to time to reflect changes in Applicable Data Protection Law; material amendments are notified at least thirty (30) days in advance.
Annex I — Description of processing
I.A Parties
Data exporter: the Customer (controller). Data importer: Seald, Inc. (processor), 1209 Orange Street, Wilmington, Delaware 19801, United States {{TODO: confirm registered address upon entity formation}}, contact privacy@seald.nromomentum.com.
I.B Description
- Categories of data subjects: Customer's authorized users, Customer's signers and recipients, third parties named in Customer documents.
- Categories of Personal Data: name, email, optional phone, IP address, user agent, drawn or typed signature image, document content provided by the Customer, audit-event metadata.
- Sensitive data: none collected by Seald; any Sensitive Personal Information present in Customer-uploaded documents is incidental and processed only as part of the document content.
- Frequency: continuous for the duration of the Agreement.
- Nature of processing: hosting, transmission, signing, sealing (PAdES-LT), audit-trail capture, retention, deletion.
- Purpose: providing the Service.
- Retention: as set out in Seald's Privacy Policy; default seven (7) years for completed envelopes.
I.C Competent supervisory authority
The Irish Data Protection Commission acts as competent supervisory authority for EU SCC purposes; the UK Information Commissioner's Office for UK Addendum/IDTA purposes.
Annex II — Technical and organizational measures
- Encryption. AES-256 at rest for object storage and database backups; TLS 1.3 for all client and inter-service traffic.
- Cryptographic key management. Document-sealing keys are held in AWS Key Management Service (KMS) in us-east-2; private key material is non-exportable from KMS.
- Document integrity. Sealed PDFs use the PAdES long-term-validation profile (ETSI EN 319 142) with timestamps from RFC 3161 Time-Stamp Authorities.
- Audit chain. Each audit event includes a SHA-256 hash of the prior event, so that modifying, removing, or reordering an earlier event breaks the chain and is detectable on verification.
- Access control. Role-based access; multi-factor authentication for personnel access to production; least-privilege defaults.
- Logging and monitoring. Authentication and access logs retained for eighteen (18) months.
- Backup and recovery. Encrypted backups retained for thirty-five (35) days.
- Vendor management. Sub-processors are vetted for data-protection compliance and bound to equivalent obligations.
- Personnel. Confidentiality obligations and security training.
Seald has not obtained SOC 2 Type II, ISO 27001, or any qualified-trust-service-provider recognition. The measures above are Seald's own description of its controls, open to verification under the audit right in Section 3, and no third-party certification of them is represented.
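As an added illustration of the audit-chain measure in Annex II (example code written for this page, not Seald's implementation; the event names, fields, envelope identifier, and timestamps are constructed), the block below builds a SHA-256 hash chain over a few audit events, then shows which tampering a verifier detects on its own and which it detects only when the chain head is anchored somewhere the log writer cannot alter:

```python
"""Hash-chained audit log: each record commits to the SHA-256 hash of the
previous record, so editing or deleting an earlier event breaks the chain.
Example code for this page; not Seald's implementation."""
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # prev_hash of the very first record


def _canonical(obj) -> bytes:
    # Deterministic JSON encoding (fixed key order and separators) so the
    # same logical record always hashes to the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _digest(record_without_hash: dict) -> str:
    return hashlib.sha256(_canonical(record_without_hash)).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append `event` to `log`, linking it to the previous record's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    body = {"seq": len(log), "prev_hash": prev_hash, "event": event}
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record


def verify_chain(log: list, trusted_head=None) -> tuple:
    """Return (ok, index, reason); `index` is the first bad record or len(log)."""
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i:
            return (False, i, "sequence mismatch (record removed or reordered)")
        if rec.get("prev_hash") != prev_hash:
            return (False, i, "prev_hash does not match previous record")
        if _digest(body) != rec.get("hash"):
            return (False, i, "record content does not match its hash")
        prev_hash = rec["hash"]
    # Optional anchor: a chain head recorded out of band (signed, timestamped,
    # or stored where the log writer has no write access).
    if trusted_head is not None and prev_hash != trusted_head:
        return (False, len(log), "chain head differs from trusted anchor")
    return (True, len(log), "ok")


def build_sample_log() -> list:
    """Constructed sample events for a hypothetical envelope (not real data)."""
    log = []
    append_event(log, {"type": "envelope.created", "envelope": "env_demo_1",
                       "actor": "alice@example.com", "ts": "2024-05-01T10:00:00Z"})
    append_event(log, {"type": "envelope.viewed", "envelope": "env_demo_1",
                       "actor": "bob@example.com", "ip": "203.0.113.5",
                       "ts": "2024-05-01T10:05:00Z"})
    append_event(log, {"type": "envelope.signed", "envelope": "env_demo_1",
                       "actor": "bob@example.com", "ip": "203.0.113.5",
                       "ts": "2024-05-01T10:06:30Z"})
    return log


def edited_copy(log: list) -> list:
    """Tampering case 1: a field in the middle of the log is changed, hashes untouched."""
    bad = copy.deepcopy(log)
    bad[1]["event"]["ip"] = "198.51.100.9"
    return bad


def deleted_copy(log: list) -> list:
    """Tampering case 2: the 'viewed' event is removed, later records untouched."""
    bad = copy.deepcopy(log)
    del bad[1]
    return bad


def rewritten_copy(log: list) -> list:
    """Tampering case 3: an attacker with write access edits event 1 and
    recomputes every later hash. The chain is self-consistent again; only a
    trusted anchor outside the attacker's reach exposes the rewrite."""
    events = [copy.deepcopy(r["event"]) for r in log]
    events[1]["ip"] = "198.51.100.9"
    rebuilt = []
    for ev in events:
        append_event(rebuilt, ev)
    return rebuilt


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]  # anchor this where the log writer cannot alter it
    print("original:            ", verify_chain(log, head))
    print("edited in place:     ", verify_chain(edited_copy(log), head))
    print("record deleted:      ", verify_chain(deleted_copy(log), head))
    print("rewritten, no anchor:", verify_chain(rewritten_copy(log)))
    print("rewritten, anchored: ", verify_chain(rewritten_copy(log), head))
```

The third case is the one a practitioner should ask about when evaluating a control described as "each event includes a hash of the prior event": the chain makes silent edits and deletions detectable, but an attacker who can write to the log store can recompute the chain end to end. Detection then depends on the chain head (or periodic checkpoints) being committed somewhere the writer cannot change, for example signed or externally timestamped and held outside the production account.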