Data Processing Agreement
This DPA outlines how MamaSign processes personal data on behalf of our customers in compliance with the General Data Protection Regulation (GDPR).
Last updated: March 22, 2026
1. Parties & Scope
Agreement Parties
This Data Processing Agreement ("DPA") is entered into between MamaSign ("Processor") and the customer using MamaSign services ("Controller"). This DPA forms part of the Terms of Service and applies to all processing of personal data by MamaSign on behalf of the Controller.
Scope of Processing
MamaSign processes personal data solely to provide its electronic signature, document management, and invoicing services. Processing includes storage, retrieval, transmission, and deletion of personal data as instructed by the Controller through use of the platform.
2. Data Processed
Categories of Data
Personal data processed includes: names, email addresses, IP addresses, device information, signatures (drawn/typed/uploaded), document contents uploaded by the Controller, invoice details (business names, addresses, amounts), and authentication data.
Data Subjects
Data subjects include the Controller's employees, clients, contractors, and any third-party recipients of documents or invoices sent through MamaSign.
Purpose Limitation
MamaSign processes personal data only for the purposes of providing the services as described in the Terms of Service. We do not process personal data for any other purpose, including advertising or selling data to third parties.
3. Processor Obligations
Confidentiality
MamaSign ensures that all personnel authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
Processing Instructions
MamaSign processes personal data only on documented instructions from the Controller. If MamaSign is required by law to process data beyond the Controller's instructions, we will inform the Controller of that legal requirement before processing (unless prohibited by law).
Assistance with Data Subject Rights
MamaSign provides tools for Controllers to fulfill data subject rights including: data access (via data export), data deletion (via account deletion), data rectification (via profile/settings editing), and data portability (via JSON export). Controllers can exercise these through Settings > Data & Privacy.
4. Security Measures
Technical Measures
MamaSign implements appropriate technical measures including: TLS 1.2+ encryption for data in transit, AES-256 encryption for data at rest, secure authentication via Clerk, role-based access controls, and tamper-evident audit trails with SHA-256 hashing.
Organizational Measures
Organizational measures include: access limited to authorized personnel only, regular security reviews, secure development practices, and incident response procedures.
5. Sub-Processors
Authorized Sub-Processors
MamaSign uses the following sub-processors to deliver its services:
List of Sub-Processors
- Clerk (Authentication & User Management) - USA
- Supabase (Database & File Storage) - Self-hosted
- Resend (Transactional Email Delivery) - USA
- Stripe (Payment Processing) - USA/EU
- Vercel / Dokploy (Application Hosting) - Self-hosted

MamaSign will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
6. International Data Transfers
Transfer Mechanisms
Where personal data is transferred outside the European Economic Area (EEA), MamaSign ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
Data Residency
MamaSign's primary infrastructure is self-hosted. Controllers requiring specific data residency arrangements should contact us at hello@mamasign.com.
7. Data Breach Notification
Notification Timeline
In the event of a personal data breach, MamaSign will notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
Notification Contents
The notification will include: the nature of the breach including categories and approximate number of data subjects affected, contact details for further information, a description of likely consequences, and a description of measures taken or proposed to address the breach.
8. Data Retention & Deletion
Retention Period
MamaSign retains personal data for as long as necessary to provide the services and as required by applicable law. Upon termination of the service agreement, MamaSign will delete or return all personal data within 30 days, unless retention is required by law.
Deletion on Request
Controllers can request deletion of all their data at any time through Settings > Data & Privacy > Delete All My Data. MamaSign will process such requests within 30 days.
9. Audit Rights
Controller Audit Rights
MamaSign makes available to the Controller all information necessary to demonstrate compliance with GDPR obligations. Controllers may conduct audits or inspections, either directly or through a mandated auditor, upon reasonable notice. Contact hello@mamasign.com to arrange an audit.
10. Term & Termination
Duration
This DPA remains in effect for the duration of the Controller's use of MamaSign services. Upon termination, MamaSign will cease processing personal data and delete all personal data within 30 days, subject to legal retention requirements.
Governing Law
This DPA is governed by and construed in accordance with the laws applicable to the main Terms of Service. For EU data subjects, the provisions of GDPR take precedence over any conflicting terms.
Questions About This DPA?
Contact our Data Protection team for any questions regarding this agreement.
hello@mamasign.com