1. Data Controller details
Name of the Data Controller: Droposal Kft. (Ltd.) Registered office: 1021 Budapest, Labanc út 29. a. ép. földszint 2., Hungary Tax number: 29318588-2-41 Company registration number: 01-09-386947 Registration authority: Budapest-Capital Regional Court (Fővárosi Törvényszék) Email: [email protected] Website: https://droposal.com
Data protection contact: [email protected]
Hosting providers: Rackforest Kft. – Address: 1132 Budapest, Victor Hugo utca 18-22. 3. em. 3008., Hungary – Tax number: 14671858-2-41 Amazon Web Services EMEA SARL – Registered office: 38 Avenue John F. Kennedy, L-1855 Luxembourg – Data storage location: Frankfurt, Germany (eu-central-1)
2. Legal background
We carry out our data processing activities on the basis of the following legislation:
| Legislation | Title |
|---|---|
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data |
| Info Act | Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Hungary) |
| E-Commerce Act | Act CVIII of 2001 on certain issues of electronic commerce services (Hungary) |
| Advertising Act | Act XLVIII of 2008 on the basic conditions and certain limitations of commercial advertising activities (Hungary) |
| Consumer Protection Act | Act CLV of 1997 on Consumer Protection (Hungary) |
| Accounting Act | Act C of 2000 on Accounting (Hungary) |
| eIDAS | Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services |
3. Definitions
The terms used in this notice — in particular "personal data", "processing", "controller", "processor", "data subject" and "consent" — bear the meanings set out in Article 4 of the GDPR.
4. User categories and legal bases
When using the service, we apply the following user categories and legal bases:
| Type of user | Legal basis | Explanation |
|---|---|---|
| Consumer (private individual) | GDPR Article 6(1)(b) – contractual necessity | Necessary for the performance of the service contract |
| Sole trader / Private individual with tax number | GDPR Article 6(1)(b) – contractual necessity | Necessary for the performance of the service contract |
| Corporate representative (acting on behalf of a legal entity) | GDPR Article 6(1)(f) – legitimate interest | The Data Controller's legitimate interest in maintaining contractual contact; balancing test carried out |
Balancing of interests for corporate representatives: The Data Controller has a legitimate interest in maintaining effective contact with its contractual partners. A corporate representative can reasonably expect that, in the course of performing their job duties, their contact details will be processed by the contractual partners. The processing does not result in a disproportionate restriction of the data subject's rights and freedoms.
5. Processing of contact channels
5.1. Email contact
Purpose of processing: Receiving and responding to enquiries from interested parties.
Legal basis: The Data Controller's legitimate interest (GDPR Article 6(1)(f)) – responding to the enquiry and maintaining business contact. The data subject can reasonably expect to receive a response to their enquiry.
Data processed: Name, email address, content of the message.
Retention period: 1 month after the response, unless the exchange of messages leads to the conclusion of a contract.
5.2. Chat and Help Center (Intercom, Tawk.to)
Purpose of processing: Providing real-time customer support and a knowledge base.
Legal basis: The Data Controller's legitimate interest (GDPR Article 6(1)(f)) – providing real-time customer support. For registered users: contractual necessity (GDPR Article 6(1)(b)).
Data processed: Name (if provided), email address (if provided), content of chat messages, browser data.
Retention period: 3 years or until deletion of the account.
Processors:
- Intercom, Inc. (San Francisco, USA)
- Tawk.to Inc. (Las Vegas, USA)
5.3. Social media (Facebook, Instagram, LinkedIn)
Purpose of processing: Communication and information via social media.
Legal basis: The data subject's consent (GDPR Article 6(1)(a)) – by following / sending a message.
Data processed: Public profile data, content of messages.
Retention period: 1 month after the conclusion of the message exchange, unless it leads to the conclusion of a contract.
Joint controllers:
- Meta Platforms Ireland Limited (Facebook, Instagram)
- LinkedIn Ireland Unlimited Company
5.4. Online consultation (Google Meet)
Purpose of processing: Conducting sales or support consultations.
Legal basis: Performance of a contract or steps prior to entering into a contract (GDPR Article 6(1)(b)).
Data processed: Name, email address, time of the consultation.
Important: Audio and video material from consultations is NOT recorded, unless the data subject is informed in advance and gives separate consent.
Retention period: Consultation data is retained for 1 month, unless it leads to the conclusion of a contract.
6. Processing of registered user data
6.1. Account creation and management
Purpose of processing: Provision of the service, management of the user account.
Legal basis: Contractual necessity (GDPR Article 6(1)(b)).
Data processed:
| Data category | Data |
|---|---|
| Identification data | Name, email address, encrypted password, profile picture |
| Contact data | Phone number (optional, for 2FA / SMS authentication) |
| Billing data | Company name, registered office / residential address, tax number |
| Usage data | Logins, activity log |
Retention period: Until deletion of the account, or for 5 years after the termination of the contractual relationship (general civil law limitation period).
6.2. Storage of documents (quotes, contracts)
Purpose of processing: Management of documents created and stored by the Customer.
Legal basis: Contractual necessity (GDPR Article 6(1)(b)).
Data processed: All data contained in the documents (e.g. customer name, address, content of the contract).
Retention period: Unlimited for the duration of the subscription.
Important information:
- If the subscription is cancelled, the Customer has 30 days to download their documents.
- Following the 30-day grace period, the documents are permanently deleted.
- The Service Provider accepts no liability for documents that are not downloaded.
- It is the Customer's responsibility to save documents that are important to them in their own systems.
6.3. Management of templates
Purpose of processing: Storing and managing reusable document templates.
Legal basis: Contractual necessity (GDPR Article 6(1)(b)).
Data processed: Data contained in the templates.
Retention period: For the duration of the subscription, on the same terms as the documents.
Important: The Customer is solely responsible for the content of uploaded templates. The Service Provider does not review the content of templates.
7. Electronic signature and time-stamping
7.1. Signing process
Purpose of processing: Applying advanced electronic signatures (AdES) and qualified electronic time stamps (QTS) to electronic documents.
Legal basis: Contractual necessity (GDPR Article 6(1)(b)).
Data processed:
| Type of data | Details |
|---|---|
| Signer identification | Name, email address, phone number (in case of SMS authentication) |
| Signature image | Digital image of the drawn signature |
| Signature hash | Unique fingerprint generated using the SHA-256 algorithm |
| Metadata | Time of signing, IP address, browser/device data |
| Audit trail | Logging of every step of the signing process |
7.2. Time-stamp service provider
Provider: Microsec zrt. (1033 Budapest, Szentendrei út 89-93., Hungary)
Status: Qualified trust service provider under the eIDAS Regulation.
Data transmitted: Document hash (the content of the document is NOT transmitted).
7.3. Retention of signing data
Retention period: 10 years from the time of signing (in line with the general limitation rules of the Hungarian Civil Code and recommendations applicable to electronic signatures).
8. Billing and payment
8.1. Billing data
Purpose of processing: Issuing invoices and fulfilling accounting obligations.
Legal basis: Compliance with a legal obligation (GDPR Article 6(1)(c)) – Section 169 of the Hungarian Accounting Act.
Data processed: Name, billing address, tax number, invoice amount, payment date.
Retention period: 8 years (Hungarian Accounting Act).
8.2. Online payment (Stripe)
Purpose of processing: Processing secure online payments.
Processor: Stripe Payments Europe, Ltd. (Dublin, Ireland)
Legal basis for the transfer:
- Contractual necessity (GDPR Article 6(1)(b)) – processing the payment
- Stripe's legitimate interest (GDPR Article 6(1)(f)) – fraud prevention
Data transmitted: Name, email address, billing address, transaction amount.
Important: Bank card data (card number, expiry, CVC) is sent DIRECTLY to Stripe. It is NOT stored on the Service Provider's servers, and the Service Provider does NOT have access to it.
9. Newsletter and marketing
Purpose of processing: Regular information about products, services and updates.
Legal basis: The data subject's prior, explicit consent (GDPR Article 6(1)(a); Section 6 of the Hungarian Advertising Act).
Data processed: Email address, name (optional), date of subscription, activity data (opens, clicks).
Retention period: Until consent is withdrawn (unsubscription), but no longer than 3 years from the last activity.
Methods of unsubscription:
- Clicking the "Unsubscribe" link at the bottom of the newsletter
- By email to [email protected]
- In the account settings
Processor: MailerLite Limited (Dublin, Ireland)
10. Cookies and web analytics
10.1. Use of cookies
The Service Provider uses cookies for the operation of the website and the application. Cookies are small text files stored by the browser on the user's device.
10.2. Cookie categories
| Category | Purpose | Legal basis | Consent required? |
|---|---|---|---|
| Necessary | Basic operation, login, security | Legitimate interest | No |
| Functional | Remembering settings, language | Consent | Yes |
| Analytical | Traffic measurement, user behaviour | Consent | Yes |
| Marketing | Targeted advertising, remarketing | Consent | Yes |
10.3. Cookies used
| Provider | Type | Purpose | Lifetime |
|---|---|---|---|
| Droposal | Necessary | Session, login | Session – 1 year |
| Google Analytics | Analytical | Traffic statistics | 2 years |
| Google Firebase | Analytical | App analytics | 2 years |
| Hotjar | Analytical | Heatmaps, user behaviour analysis | 1 year |
| Mixpanel | Analytical | Product analytics | 1 year |
| Intercom | Functional | Chat, customer support | 1 year |
| Tawk.to | Functional | Chat, Help Center | 1 year |
| Meta Pixel | Marketing | Advertising measurement, remarketing | 90 days |
| Nolt | Functional | Feedback management | Session |
| FirstPromoter | Marketing | Affiliate (referral) programme tracking | 90 days |
| Cookiebot (CookieConsent) | Necessary | Recording and storing your cookie consent | 1 year |
| Google Tag Manager | Necessary | Central management of measurement tags (does not set marketing cookies on its own) | Session |
| Google Ads (_gcl_au, _gcl_aw) | Marketing | Ad click attribution and conversion measurement | 90 days |
| Cloudflare Turnstile (cf_chl_*) | Necessary | Form CAPTCHA / bot protection | Session |
10.4. Managing cookies
Cookie consent: When the website is first visited, a cookie management banner is displayed where the data subject can enable or disable cookies by category.
Changing settings:
- At any time by clicking the "Cookie settings" link on the website
- In the browser settings
Consequences: If necessary cookies are disabled, the service will not function properly.
10.5. Analytics opt-out
Analytical tracking can be disabled:
- By disabling the "Analytical" category in the cookie settings
- Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout
- Hotjar opt-out: https://www.hotjar.com/policies/do-not-track/
10.6. Cookiebot consent manager, Google Tag Manager and Consent Mode v2
Cookiebot (cookie banner): The website uses the Cookiebot consent management service (operator: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark). The banner records your cookie consent choice (accept / reject / per-category) and stores it in a first-party CookieConsent cookie for 1 year. You may change your choice at any time via the "Cookie settings" link in the footer.
Google Tag Manager (GTM-NXSBKBX): All measurement and marketing scripts (GA4, Google Ads, Meta Pixel, Hotjar, Intercom, MailerLite, FirstPromoter) are loaded centrally through Google Tag Manager, only after you have granted the corresponding consent category. GTM itself does not place marketing cookies; it only activates the listed services once Cookiebot reports the relevant category as "granted".
Google Consent Mode v2: The site also implements Google's Consent Mode v2. In practice this means:
- Default state (before you consent): every marketing and analytics signal is set to "denied". In this state Google does not set cookies — only anonymous, aggregated pings are collected.
ads_data_redactionis enabled: without consent, ad-related data points are anonymised.- As soon as you accept marketing / analytics cookies in the Cookiebot banner, Consent Mode automatically flips to "granted" and full functionality becomes available.
url_passthroughis enabled: ad click identifiers (e.g.gclid) can be forwarded to related subdomains (e.g. app.droposal.com) as URL parameters without cookies — so ad performance can be measured without personal identification even before consent.
11. Summary of retention periods
| Data category | Retention period | Legal basis |
|---|---|---|
| Contact messages (non-contractual) | Response + 1 month | Legitimate interest |
| Registration data | Until account deletion + 5 years | Contract, legitimate interest |
| Contractual documents | Termination of contract + 5 years | Legitimate interest (limitation) |
| Electronic signature data | Signature + 10 years | Contract, legitimate interest |
| Accounting documents | Issue + 8 years | Legal obligation |
| Newsletter data | Until unsubscription, max. 3 years inactivity | Consent |
| Chat / customer support | 3 years | Legitimate interest |
| Cookie data | Max. 2 years | Consent / legitimate interest |
12. Processors
The Data Controller uses the following processors:
12.1. Infrastructure and hosting
| Provider | Purpose | Registered office |
|---|---|---|
| Rackforest Kft. | Server hosting | Budapest, Hungary |
| Amazon Web Services EMEA SARL | Cloud infrastructure | Luxembourg (data storage: Frankfurt, eu-central-1) |
12.2. Payment and billing
| Provider | Purpose | Registered office |
|---|---|---|
| Stripe Payments Europe, Ltd. | Online payment | Dublin, Ireland |
| Billingo Technologies Zrt. | Invoicing | Budapest, Hungary |
12.3. Communication and customer support
| Provider | Purpose | Registered office |
|---|---|---|
| Intercom, Inc. | Chat, customer support | San Francisco, USA |
| Tawk.to Inc. | Chat, customer support, Help Center | Las Vegas, USA |
| MailerLite Limited | Newsletter delivery | Dublin, Ireland |
| Wildbit LLC (Postmark) | Transactional email delivery | Philadelphia, USA |
| Nolt Software OÜ | Feedback and feature suggestions | Tallinn, Estonia |
12.4. Analytics and development
| Provider | Purpose | Registered office |
|---|---|---|
| Google Ireland Limited | Analytics, Firebase | Dublin, Ireland |
| Hotjar Ltd. | UX analytics | Malta |
| Mixpanel, Inc. | Product analytics | San Francisco, USA |
| Sentry (Functional Software, Inc.) | Error tracking | San Francisco, USA |
| Google Ireland Limited (Google Ads) | Ad management, conversion measurement, remarketing | Dublin, Ireland |
| Meta Platforms Ireland Limited (Meta Pixel, CAPI) | Ad management and conversion measurement across Facebook / Instagram | Dublin, Ireland |
12.5. Internal operations
| Provider | Purpose | Registered office |
|---|---|---|
| Notion Labs, Inc. | CRM, project management | San Francisco, USA |
| Slack Technologies, LLC | Internal communication | San Francisco, USA |
| Inflex Studio Kft. | Development | Budapest, Hungary |
| FirstPromoter (Starter Story, Inc.) | Affiliate / partner programme | Wilmington, USA |
12.6. Artificial intelligence
| Provider | Purpose | Registered office |
|---|---|---|
| OpenAI, L.L.C. | AI Assistant (GPT) | San Francisco, USA |
| Anthropic, PBC | AI Assistant (Claude) | San Francisco, USA |
| Google Ireland Limited | AI Assistant (Gemini) | Dublin, Ireland |
Important: Processing restrictions applicable to AI providers are set out in section 21.2.
12.7. Trust service
| Provider | Purpose | Registered office |
|---|---|---|
| Microsec zrt. | Electronic time-stamping | Budapest, Hungary |
12.8. Consent management and security services
| Provider | Purpose | Registered office |
|---|---|---|
| Cybot A/S (Cookiebot) | Cookie consent banner, consent log storage | Copenhagen, Denmark (EU) |
| Google Ireland Limited (Tag Manager, Consent Mode v2) | Central tag management, consent-gated script activation | Dublin, Ireland |
| Cloudflare, Inc. (Turnstile CAPTCHA) | Form bot protection, automated attack filtering | San Francisco, USA |
Legal basis: Cookiebot and Google Tag Manager are classified as "Necessary" services, essential for the lawful operation of the website (consent management, GDPR compliance) — legal basis: GDPR Article 6(1)(f), legitimate interest. Cloudflare Turnstile serves the security of the website (anti-spam / anti-bot), also on legitimate interest grounds. The US data transfer relating to Cloudflare is covered by the EU-US Data Privacy Framework detailed in section 13.1.
13. Transfers to third countries
13.1. Transfers to the USA
The following providers operate in the United States. Legal basis for the transfer:
EU-US Data Privacy Framework (DPF): Pursuant to the European Commission's adequacy decision of 10 July 2023, US companies certified under the DPF provide an adequate level of protection.
DPF-certified providers:
- Google LLC
- OpenAI, L.L.C.
- Anthropic, PBC
- Stripe, Inc.
- Intercom, Inc.
- Tawk.to Inc.
- Wildbit LLC (Postmark)
- Mixpanel, Inc.
- Functional Software, Inc. (Sentry)
- Notion Labs, Inc.
- Salesforce, Inc. (Slack)
- Starter Story, Inc. (FirstPromoter)
- Meta Platforms, Inc.
- Cloudflare, Inc.
EU-based providers:
- MailerLite Limited (Dublin, Ireland)
- Nolt Software OÜ (Tallinn, Estonia)
- Hotjar Ltd. (St Julian's, Malta)
- Billingo Technologies Zrt. (Budapest, Hungary)
- Cybot A/S (Cookiebot, Copenhagen, Denmark)
13.2. Standard Contractual Clauses (SCCs)
Where a provider does not hold a DPF certification, the transfer is carried out on the basis of the Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021.
13.3. Data subject rights
The data subject is entitled to:
- Request information about the details of the transfer
- Receive a copy of the safeguards applied (DPF certification, SCCs)
Requests can be sent to [email protected].
14. Data security
The Data Controller applies appropriate technical and organisational measures to protect personal data. The full list of measures is set out in section 21.8 (DPA Annex 1).
14.1. Handling of personal data breaches
In the event of a personal data breach, the Data Controller:
- Notifies the breach to the NAIH within 72 hours, where it is likely to result in a risk to the rights of the data subjects
- Without undue delay, informs the data subjects, where the breach is likely to result in a high risk
- Documents the breach and the measures taken
15. Data subject rights
15.1. Summary of rights
| Right | Description | Response time |
|---|---|---|
| Information | Information about processing | Immediate (this notice) |
| Access | Copy of processed data | 1 month |
| Rectification | Correction of inaccurate data | 1 month |
| Erasure | Deletion of data ("right to be forgotten") | 1 month |
| Restriction | Suspension of processing | 1 month |
| Portability | Data in a machine-readable format | 1 month |
| Objection | Against processing based on legitimate interest | 1 month |
| Withdrawal | Withdrawal of consent | Immediate |
15.2. Right of access
The data subject is entitled to obtain confirmation as to whether their personal data is being processed and, if so, is entitled to:
- a copy of the data being processed
- information on the purposes, legal basis and duration of the processing
- information on the recipients of any data transfers
15.3. Right to erasure
The data subject may request the erasure of their data if:
- the data is no longer needed
- they withdraw their consent and there is no other legal basis
- they object and there are no overriding legitimate grounds
- the data has been processed unlawfully
- erasure is required by a legal obligation
Erasure CANNOT be requested where processing is necessary for:
- compliance with a legal obligation (e.g. accounting retention)
- the establishment, exercise or defence of legal claims
15.4. Data portability
The data subject may request their data in a machine-readable format (JSON, CSV). This right applies only to data processed by automated means based on consent or a contract.
15.5. Automated decision-making
The Data Controller does NOT apply solely automated decision-making which would have legal effects concerning the data subject. The Data Controller does not carry out profiling based on data collected by analytical tools (Google Analytics, Mixpanel, Hotjar) for decision-making or marketing segmentation purposes.
15.6. Exercising rights
The data subject can exercise their rights as follows:
- Email: [email protected]
- Postal mail: 1021 Budapest, Labanc út 29. a. ép. földszint 2., Hungary
The Data Controller will fulfil the request after verifying the identity of the data subject.
16. User obligations and limitation of liability
The data subject is obliged to:
- Provide accurate data – If false data is provided, the Data Controller is not liable for the consequences
- Keep their data up to date – Notify any changes without delay
- Treat their access credentials confidentially – Keep their password secret and not share it with others
- Use the service in accordance with its intended purpose – Not infringe the rights of third parties
- Process the data of third parties lawfully – The Customer is responsible for the data entered into the documents
Limitation of liability: The Data Controller is jointly liable with the processors under the GDPR for any unlawful processing by the processors, and takes all measures to engage only processors offering appropriate safeguards. The service may contain links to third-party websites; the Data Controller is not responsible for the data processing practices of those websites. With respect to personal data entered by the Customer into the service (e.g. data contained in contracts or quotes), the Customer qualifies as the data controller and is responsible for processing such data lawfully.
17. Protection of children and amendments to this notice
The service is not directed at persons under the age of 16. The Data Controller does not knowingly collect personal data from persons under the age of 16. If it comes to the Data Controller's attention that the data of a person under 16 is being processed without parental/guardian consent, the data will be deleted without delay.
The Data Controller reserves the right to amend this notice. Data subjects will be notified of any amendment as follows:
- For material changes: Email notification to registered users at least 15 days before the entry into force
- For minor changes: Publication on the website
The amended notice enters into force on the day of publication, unless the notice specifies a different effective date.
By continuing to use the service after the amendment, the data subject accepts the amended notice.
18. Complaint handling, legal remedies and governing law
18.1. Contacting the Data Controller
For any question, request or complaint regarding data processing:
Email: [email protected] Postal address: 1021 Budapest, Labanc út 29. a. ép. földszint 2., Hungary
The Data Controller will respond to enquiries within 1 month. For complex requests, this period may be extended by a further 2 months.
18.2. Supervisory authority
Complaints can be lodged with the Hungarian National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH) Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary Mailing address: 1363 Budapest, Pf.: 9. Phone: +36-1-391-1400 Email: [email protected] Website: https://naih.hu
18.3. Judicial remedy
In the event of an infringement of their rights, the data subject may bring an action before a court. At the data subject's choice, the action may be initiated:
- before the court having jurisdiction over the registered office of the Data Controller
- before the regional court (törvényszék) having jurisdiction over the data subject's place of residence or stay
18.4. Governing law
This notice and the processing are governed by Hungarian law, in particular the GDPR, Act CXII of 2011 (Info Act) and Act V of 2013 (Hungarian Civil Code).
19. Data residency
The Service Provider stores customer data exclusively in data centres located within the European Union (detailed list: section 12.1). Documents, contracts, templates and signing data created by the Customer are stored and processed exclusively on EU-based servers; this data is not transferred to countries outside the EU. Some supporting services (analytics, customer support, newsletter) also use US-based providers under the safeguards detailed in section 13, but these do not have access to customer documents, contracts or signing data.
20. For data subjects in the United Kingdom (UK)
20.1. Applicable regulation
For data subjects located in the United Kingdom, references to the "GDPR" in this notice also apply to the following legislation:
- UK GDPR (the EU GDPR as amended by the Data Protection Act 2018)
- Data Protection Act 2018
20.2. Legal basis for the transfer
Pursuant to the European Commission's adequacy decision of 28 June 2021, the United Kingdom provides an adequate level of data protection, and therefore the transfer does not require additional safeguards.
20.3. Supervisory authority
UK data subjects may also lodge their complaint with the following authority:
Information Commissioner's Office (ICO) Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom Phone: +44 303 123 1113 Website: https://ico.org.uk
21. Data Processing Agreement (DPA)
Data Processing Agreement — processor agreement under Article 28 GDPR
This chapter regulates, on the basis of Article 28 GDPR, the data processing relationship between the Customer (controller) and the Service Provider (processor) when the Customer uses the Droposal service to process the personal data of third parties.
The DPA enters into force automatically upon activation of the subscription and remains valid until termination of the service relationship. The DPA forms an integral part of the Service Agreement (Terms of Service).
Hierarchy of documents — In case of conflict, the following order applies:
- This DPA (section 21)
- Terms of Service
- Other provisions of the Privacy Notice
21.1. Details of the processing
Subject of processing
Through the Droposal platform, the Service Provider processes the personal data contained in documents (quotes, contracts, templates) uploaded and created by the Customer.
Nature and purpose of processing
| Nature | Purpose |
|---|---|
| Storage | Secure storage of documents on cloud infrastructure |
| Display | Display of documents to the Customer and recipients |
| Transmission | Sending documents by email to recipients |
| Signing | Conducting the electronic signing process |
| Time-stamping | Application of qualified electronic time stamps |
| Archiving | Retention of signed documents |
Types of personal data
| Category | Examples |
|---|---|
| Identification data | Name, date of birth, mother's name, ID card number |
| Contact data | Email address, phone number, postal address |
| Financial data | Bank account number, tax number |
| Employment data | Employer name, position, employment details |
| Contract data | Subject, value and terms of the contract |
| Signing data | Signature image, time of signing, IP address |
Important: The Service Provider does not review the content of the data uploaded. The Customer is responsible for uploading only data that they are entitled to process.
Categories of data subjects
Based on the Customer's decision, data of persons in the following categories may be processed:
- The Customer's customers and prospects
- The Customer's business partners and suppliers
- The Customer's employees and subcontractors
- Other persons designated by the Customer
21.2. Obligations of the Service Provider
Following instructions
The Service Provider processes personal data exclusively on the basis of the documented instructions of the Customer. The following qualify as instructions:
- Use of the service in accordance with its intended purpose
- Operations performed by the Customer in the user interface
- Written (email) instructions from the Customer
If the Service Provider considers that the Customer's instruction is unlawful, it will inform the Customer without delay.
Confidentiality
The Service Provider ensures that persons authorised to process personal data are bound by a duty of confidentiality. This obligation remains in force after the termination of the service relationship.
Security
The Service Provider applies appropriate technical and organisational measures. The details of the measures are set out in DPA Annex 1 (see section 21.8).
Sub-processors
The Service Provider engages sub-processors to provide the service. The current list is set out in section 12 of this notice and in DPA Annex 2 (see section 21.9).
Notification: The Service Provider notifies the Customer by email at least 30 days in advance of the engagement of a new sub-processor or the replacement of an existing one.
Objection: The Customer may object in writing within 14 days of the notification. In case of a justified objection, the Service Provider will look for an alternative solution or allow the Customer to terminate the contract with immediate effect.
Liability: The Service Provider is fully liable for the activities of the sub-processors.
Supporting data subject rights
The Service Provider assists the Customer in ensuring data subject rights through appropriate technical and organisational measures. If a data subject contacts the Service Provider directly, the Service Provider will forward the request to the Customer without delay.
The Service Provider will inform the Customer of any data subject access requests (DSARs) within 5 working days of becoming aware of them.
Obligation to cooperate
The Service Provider assists the Customer in fulfilling the following obligations:
- Data security measures (Article 32 GDPR)
- Notification of personal data breaches (Articles 33-34 GDPR)
- Data Protection Impact Assessment (Article 35 GDPR)
- Prior consultation (Article 36 GDPR)
Artificial intelligence restrictions
The Service Provider declares that:
- The Customer's data is NOT used for training, fine-tuning or developing artificial intelligence models
- The AI Assistant feature processes data only within the Customer's current session
- The processed data is not aggregated with the data of other customers
- Third-party AI providers are subject to the same restrictions
Business continuity
| Indicator | Value | Explanation |
|---|---|---|
| RTO | 48 hours | Maximum service recovery time |
| RPO | 24 hours | Maximum data loss in the event of a disaster |
| Backup | Daily | Full database backup |
| Retention | 30 days | Restore window |
| Geo-redundancy | Yes | Geographically separated, within the EU |
Data segregation
The Service Provider uses a multi-tenant architecture:
- Each Customer has a unique tenant identifier
- Database queries are filtered at the tenant level
- Cross-tenant data access is technically excluded
Audit logs
| Log type | Retention period |
|---|---|
| Access logs | 90 days |
| Security events | 1 year |
| Signing audit trail | 5 years |
| System logs | 30 days |
21.3. Obligations of the Customer
The Customer warrants that:
- It is entitled to process the personal data uploaded to the service
- It has the appropriate legal basis
- It has fulfilled its obligation to inform the data subjects
- It does not upload special categories of data (Article 9 GDPR), unless explicitly entitled to do so
Special categories of data: If the Customer wishes to process special categories of data (health, biometric, religious, etc.), it is required to inform the Service Provider in writing in advance and to evidence the appropriate legal basis. The Service Provider reserves the right to refuse the processing of special categories of data.
21.4. Handling of personal data breaches
The Service Provider notifies the Customer of any personal data breach without undue delay after becoming aware of it, and in any event within 48 hours.
The notification includes:
- A description of the nature of the breach
- The categories and approximate number of data records concerned
- The categories and approximate number of data subjects concerned
- The likely consequences of the breach
- The measures taken or planned
- Contact details of the contact person
21.5. Audit and inspection
The Customer is entitled to verify the Service Provider's compliance.
Forms of audit:
| Form | Description |
|---|---|
| Self-assessment | Questionnaire or certification completed by the Service Provider |
| Documentation | Sharing of security documentation and certifications |
| On-site audit | By prior arrangement, at the Customer's expense |
| Third party | Inspection carried out by an independent auditor |
Conditions:
- The Customer notifies its audit request in writing at least 30 days in advance
- The audit must not disrupt the operation of the service
- The cost of an on-site audit is borne by the Customer
21.6. Deletion and return of data
Upon termination of the service relationship, at the Customer's choice:
a) Return:
- Upon the Customer's request, in a machine-readable format (JSON, PDF)
- The return must take place within 30 days
b) Deletion:
- Automatically after the expiry of the 30-day grace period
- Or upon the Customer's express request
At the Customer's request, the Service Provider issues written confirmation of the deletion.
Retention obligation: Deletion does not apply to data retention required by law (e.g. accounting data for 8 years, signing data for 10 years).
21.7. Liability and amendment
Allocation of liability (Article 82 GDPR)
- The Controller (Customer) is responsible for the lawfulness of the processing
- The Processor (Service Provider) is responsible for compliance with the provisions of the DPA and the GDPR applicable to processors
If both parties are liable for the damage, they are jointly and severally liable to the data subject.
Amendment of the DPA
The Service Provider is entitled to amend the DPA in the event of changes in legislation or in the service. It will notify the Customer at least 30 days in advance of any amendment. The Customer is entitled to terminate the contract if it does not agree with the amendment.
21.8. DPA Annex 1: Technical and organisational measures
Technical measures
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.3 protocol for all data transmission |
| Encryption at rest | AES-256 encryption for stored data |
| Password management | Bcrypt hash algorithm, minimum password requirements |
| Access management | Role-based access control (RBAC) |
| Two-factor authentication | Optional 2FA for user accounts |
| Logging | Logging of every access and operation |
| Backup | Daily automated backup, geographically separated storage |
| Firewall | Web Application Firewall (WAF) and network firewall |
| DDoS protection | Automatic DDoS attack detection and mitigation |
| Intrusion detection | Operation of IDS/IPS systems |
| Vulnerability management | Regular vulnerability scanning and remediation |
Organisational measures
| Measure | Description |
|---|---|
| Access restriction | Need-to-know principle, minimum privileges |
| Confidentiality obligation | Signed by all employees and subcontractors |
| Data protection training | Regular training for staff |
| Incident response plan | Documented procedure for handling incidents |
| Vendor management | Processor agreements with all partners |
| Physical security | Physical protection of data centres, access control |
Data centre security
| Provider | Certifications |
|---|---|
| Amazon Web Services (Frankfurt, eu-central-1) | ISO 27001, SOC 2 Type II, CSA STAR |
| Rackforest Kft. (Budapest) | ISO 27001 |
21.9. DPA Annex 2: List of sub-processors
Last updated: 25 February 2026.
The full list of sub-processors is set out in detail in section 12 of this notice.
Summary:
| Category | Providers |
|---|---|
| Infrastructure | Rackforest Kft. (EU), AWS (EU - Frankfurt) |
| Payment and billing | Stripe (EU/DPF), Billingo (HU) |
| Communication | Intercom (DPF), Tawk.to (DPF), MailerLite (EU), Postmark (DPF), Nolt (EU) |
| Analytics | Google Analytics (DPF), Hotjar (EU), Mixpanel (DPF), Sentry (DPF) |
| AI providers | OpenAI (DPF), Anthropic (DPF), Google Gemini (DPF) |
| Trust service | Microsec zrt. (EU) |
Note: Detailed restrictions applicable to AI providers are set out in section 21.2.
21.10. UK GDPR addendum
For Customers established in the United Kingdom, this DPA is supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum).
Where the UK Addendum applies:
- The supervisory authority is the Information Commissioner's Office (ICO)
- English law governs the interpretation of the DPA
- The applicable data protection legislation is the UK GDPR and the Data Protection Act 2018
Budapest, 25 February 2026.