ZeroDocs GDPR & Data Protection Compliance Reference for Enterprise Customers
Effective date: March 23, 2026 · Last updated: March 23, 2026 · Version 1.0
Who This Document Is For
This document is the primary GDPR and data protection compliance reference for enterprise customers, legal teams, procurement, and Data Protection Officers conducting vendor due diligence on ZeroDocs. It covers: our controller/processor framework, legal bases for processing, sub-processor register, Technical and Organisational Measures (TOMs), Data Processing Agreement terms, data subject rights fulfilment, breach notification procedures, and international transfer mechanisms. For individual user privacy rights, see our Privacy Notice at zerodocs.xyz/privacy.
1. Regulatory Scope and Applicable Frameworks
2. Controller and Processor Roles
3. Legal Bases for Processing
4. Data Processing Agreement (DPA)
5. Sub-Processor Register
6. International Data Transfers
7. Technical and Organisational Measures (TOMs)
8. Data Subject Rights — Fulfilment Procedures
9. Personal Data Breach Notification
10. Data Protection Impact Assessments (DPIAs)
11. Records of Processing Activities (RoPA)
12. Data Protection Officer (DPO) and EU Representative
13. Retention, Deletion, and Return of Data
14. Audit Rights
15. Contact and Escalation
1. Regulatory Scope and Applicable Frameworks
ZeroDocs is committed to processing personal data in compliance with all applicable data protection laws. This document addresses our obligations and commitments under the following frameworks:
Framework | Jurisdiction | Our Role | Status |
|---|---|---|---|
GDPR (Regulation (EU) 2016/679) | EU / EEA | Data Processor (for Customer Data); Data Controller (for account/billing data) | Compliant |
UK GDPR + Data Protection Act 2018 | United Kingdom | Data Processor / Data Controller | Compliant |
Digital Personal Data Protection Act 2023 (DPDP) | India | Data Fiduciary (Controller equivalent) | Compliant |
CCPA / CPRA | California, USA | Service Provider (Processor equivalent) | Compliant |
LGPD (Lei nº 13.709/2018) | Brazil | Operador (Processor) / Controlador (Controller) | Compliant |
PDPA 2012 (as amended 2020) | Singapore | Data Intermediary (Processor) / Organisation (Controller) | Compliant |
Privacy Act 1988 (as amended) | Australia | APP Entity | Compliant |
PIPEDA + Quebec Law 25 | Canada | Organisation | Compliant |
This document focuses primarily on GDPR and UK GDPR obligations, as these are most frequently required for enterprise vendor due diligence. For obligations under other frameworks, see our Global Privacy Notice at zerodocs.xyz/privacy.
2. Controller and Processor Roles
2.1 When ZeroDocs Acts as a Data Processor
When you (the Customer) use ZeroDocs to create, distribute, and execute electronic documents and signatures, you are the Data Controller. You determine: the categories of personal data included in documents; the identity and contact details of signers and recipients; the purpose of the transaction; and the duration for which documents remain active.
In this capacity ZeroDocs acts as your Data Processor. We process personal data — including signer names, email addresses, IP addresses, device information, and signing timestamps — strictly on your instructions and solely for the purpose of providing the Services. We do not process this data for our own purposes.
2.2 When ZeroDocs Acts as a Data Controller
ZeroDocs independently determines the purposes and means of processing for the following activities and therefore acts as Data Controller:
2.3 Joint Controller Scenarios
In limited circumstances — for example, where we jointly operate a referral programme or integration marketplace with a third party — we may act as joint controllers. We will identify and document any joint controller arrangements and provide you with details of the arrangement on request.
Practical implication for your compliance programme
As the Data Controller for document transactions, you are responsible for: (1) having a lawful basis to collect and process the personal data of your signers; (2) providing privacy notices to your signers in accordance with GDPR Articles 13/14; (3) responding to data subject rights requests from your signers; (4) executing a DPA with ZeroDocs before processing EU/UK personal data through our platform. ZeroDocs will assist you in fulfilling data subject rights requests relating to data we hold as processor, as described in Section 8.
3. Legal Bases for Processing
3.1 Processing as Data Controller (ZeroDocs’ Own Processing)
The table below sets out the legal bases under GDPR Article 6 on which we rely for our controller-mode processing activities.
Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
Account creation and service delivery | Performance of a contract | Art. 6(1)(b) |
Electronic signature audit trail generation | Contract performance; Legal obligation (IT Act, eIDAS) | Art. 6(1)(b), (c) |
Payment processing and billing | Contract performance; Legal obligation | Art. 6(1)(b), (c) |
Platform security and fraud prevention | Legitimate interests of ZeroDocs and its customers | Art. 6(1)(f) |
Product analytics and improvement | Legitimate interests (pseudonymised data only) | Art. 6(1)(f) |
Marketing to existing customers | Legitimate interests (soft opt-in) | Art. 6(1)(f); Recital 47 |
Marketing to new contacts | Consent | Art. 6(1)(a) |
AI model training on customer data | Explicit consent (separate opt-in required) | Art. 6(1)(a); Art. 9(2)(a) |
Legal compliance and regulatory obligations | Legal obligation | Art. 6(1)(c) |
Establishing or defending legal claims | Legitimate interests | Art. 6(1)(f) |
3.2 Processing as Data Processor (Customer Instruction)
When processing personal data on your behalf as a Data Processor, ZeroDocs does not independently determine a legal basis — that responsibility rests with you as the Data Controller. You must ensure that your processing of signer and transaction data has a valid GDPR legal basis (typically contract performance under Art. 6(1)(b) or legitimate interests under Art. 6(1)(f)). Our DPA includes warranties from you to this effect.
3.3 Special Category Data
ZeroDocs does not intentionally collect or process special category data (Art. 9 GDPR) as part of its standard service. If your documents contain special category data — for example, health data in a medical consent form — you must ensure you have an appropriate Art. 9 condition for processing before submitting such data to our platform. Our DPA addresses this scenario and requires you to notify us if special category data will be regularly processed through your account.
4. Data Processing Agreement (DPA)
4.1 DPA Availability
ZeroDocs provides a standard Data Processing Agreement that incorporates the EU Standard Contractual Clauses (Module 2: Controller to Processor) adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. For UK data transfers, the DPA also includes the ICO’s International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs (see Section 6).
The standard DPA is available at zerodocs.xyz/legal/dpa and is incorporated by reference into our Terms of Service for all customers who process EU/UK personal data through the platform. You do not need to separately countersign the standard DPA to be covered by its terms — your acceptance of our Terms of Service constitutes acceptance of the DPA.
4.2 Custom DPA for Enterprise Customers
Enterprise customers requiring a bespoke or countersigned DPA — for example, where your procurement policy requires bilateral execution or your DPA template includes additional clauses — may contact privacy@zerodocs.xyz to initiate the process. We will review and negotiate custom DPAs within 10 business days of receipt.
4.3 Key DPA Provisions
DPA Provision | Our Commitment |
|---|---|
Processing only on documented instructions | We will not process Customer Data beyond your instructions or as required by applicable law. Any legally required deviations will be notified to you unless prohibited by law. |
Confidentiality of processing personnel | All personnel authorised to process Customer Data are bound by contractual confidentiality obligations or professional secrecy obligations. |
Sub-processor management | We will notify you at least 30 days before engaging a new sub-processor. You have the right to object. See Section 5 for our current sub-processor register. |
Data subject rights assistance | We will provide reasonable assistance to help you fulfil data subject rights requests. See Section 8 for procedures. |
Security measures | We implement and maintain the TOMs described in Section 7. We will notify you of any material reduction in security measures. |
DPIA assistance | We will provide reasonable assistance with DPIAs relating to our processing activities, including providing information about our TOMs and processing activities. |
Deletion and return | Upon termination, we will delete or return all Customer Data within 30 days, subject to legal retention obligations. See Section 13. |
Audit rights | We will make available information demonstrating compliance and permit audits as described in Section 14. |
International transfers | All transfers outside the EEA/UK are governed by appropriate transfer mechanisms as described in Section 6. |
5. Sub-Processor Register
We rely on the following sub-processors to deliver the Services. All sub-processors are engaged under written agreements that impose data protection obligations equivalent to those in our DPA. This register is reviewed quarterly. Last updated: March 23, 2026.
Sub-Processor | Location | Processing Activity | Transfer Mechanism |
|---|---|---|---|
Amazon Web Services (AWS) | USA, EU, India (data residency configurable) | Cloud infrastructure, database hosting, object storage, CDN | EU SCCs (Module 2); AWS DPA |
Stripe, Inc. | USA | Payment processing, subscription management, fraud detection | EU SCCs (Module 2); Stripe DPA |
Paddle.com Market Ltd. | United Kingdom | Merchant of record, payment processing, tax compliance | UK IDTA; Paddle DPA |
PostHog, Inc. | USA / EU (EU cloud available) | Product analytics, session recording (pseudonymised) | EU SCCs (Module 2); PostHog DPA |
Google LLC | USA / EU | Email delivery (Google Workspace), Google OAuth | EU SCCs (Module 2); Google DPA |
Cloudflare, Inc. | USA / EU | CDN, DDoS protection, DNS, WAF | EU SCCs (Module 2); Cloudflare DPA |
Sub-processor change notification
We will provide at least 30 days’ prior written notice (via email to your account contact and via zerodocs.xyz/legal/subprocessors) before engaging a new sub-processor or making material changes to an existing sub-processor relationship. You have the right to object to a new sub-processor within the notice period on reasonable grounds related to data protection. If we cannot accommodate your objection, you may terminate the relevant Services without penalty.
6. International Data Transfers
6.1 Transfer Overview
ZeroDocs is operated by BoringDollars Private Limited, which is incorporated in India. Our primary infrastructure is hosted on AWS with data centres in India, the EU (Frankfurt), and the United States. Personal data of EU/EEA and UK residents may be transferred to India and the United States in the course of providing the Services.
6.2 Transfer Mechanisms
Data Origin | Destination | Mechanism | Reference |
|---|---|---|---|
EU / EEA | India | EU Standard Contractual Clauses — Module 2 (Controller to Processor) 2021 Commission Implementing Decision | Available at zerodocs.xyz/legal/dpa |
EU / EEA | USA (AWS, Stripe, PostHog) | EU SCCs with sub-processors under Module 2/3 | Included in sub-processor DPAs |
United Kingdom | India | UK International Data Transfer Agreement (IDTA) ICO template (March 2022) | Available at zerodocs.xyz/legal/dpa |
United Kingdom | USA | UK International Data Transfer Addendum to the EU SCCs (ICO, March 2022) | Included in sub-processor DPAs |
India | USA / EU | DPDP Act cross-border transfer provisions; contractual safeguards | DPA terms |
6.3 Data Residency Options
Customers with data residency requirements may request that their Customer Data be stored exclusively within the EU (AWS Frankfurt) or India (AWS Mumbai) regions. Data residency configurations are available on Enterprise plans. Contact support@zerodocs.xyz for details.
6.4 Transfer Impact Assessments
We have conducted Transfer Impact Assessments (TIAs) for transfers of EU/UK personal data to India and the United States. These assessments conclude that the SCCs and IDTA, combined with our TOMs (Section 7), provide an essentially equivalent level of protection to that guaranteed within the EEA. TIA summaries are available to enterprise customers on request.
7. Technical and Organisational Measures (TOMs)
The following TOMs are implemented and maintained by ZeroDocs to ensure a level of security appropriate to the risk, as required by GDPR Article 32. These measures apply to all processing of personal data, including Customer Data processed as a Data Processor.
7.1 Encryption
Data State | Measure | Standard |
|---|---|---|
In transit | All data transmitted between client and server is encrypted. | TLS 1.2 minimum; TLS 1.3 preferred |
At rest | All Customer Data and audit trail records stored in our databases and object storage are encrypted. | AES-256 |
Backups | Database backups are encrypted before writing to storage. | AES-256 |
Encryption key management | Encryption keys are managed using AWS KMS with per-customer key isolation on Enterprise plans. | AWS KMS; FIPS 140-2 |
Document signing hashes | Each signed document is cryptographically hashed to ensure tamper-evidence of the audit trail. | SHA-256 |
7.2 Access Control
Control | Description |
|---|---|
Role-based access control (RBAC) | Access to Customer Data is restricted to personnel with a verified business need. Roles are defined and enforced at the infrastructure level. |
Multi-factor authentication (MFA) | MFA is enforced for all ZeroDocs staff access to production systems, administrative consoles, and Customer Data environments. |
Principle of least privilege | Staff are granted the minimum permissions necessary to perform their role. Permissions are reviewed quarterly. |
Privileged access management | Privileged access (e.g., database administrator access) is time-limited, requires approval, and is fully logged. |
Customer data segregation | Each customer’s data is logically isolated. Multi-tenant architecture prevents cross-customer data access. |
Third-party access | Sub-processors and third-party integrations are granted only the minimum permissions required to deliver their contracted service, under written agreements. |
7.3 Logging and Monitoring
Control | Description |
|---|---|
Immutable audit trails | All document signing events capture: timestamp (UTC), signer IP address, user agent, authentication method, and document hash. Audit trail records cannot be modified or deleted by any user, including ZeroDocs staff. |
Infrastructure logging | All access to production infrastructure, databases, and Customer Data environments is logged with tamper-evident audit logs retained for 13 months. |
Security event monitoring | Real-time monitoring for anomalous access patterns, brute-force attempts, and unusual API activity using automated alerting. |
Log integrity | Production logs are written to a separate, write-once environment to prevent tampering in the event of a system compromise. |
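The encryption and logging tables above describe signed documents as SHA-256 hashed, audit trail records as unmodifiable, and production logs as written to a separate write-once environment. The block below is an added illustration, not ZeroDocs’ own code, of the standard way those three measures are combined: each audit event is canonicalised, hashed together with the previous entry’s hash, and appended, so that editing, deleting or reordering any earlier record breaks every later hash. The event field names, the all-zero genesis value, the sample events and the `expected_head` anchor are assumptions made for the example.

```python
"""Hash-chained, tamper-evident audit trail (added example, not ZeroDocs code).

Each signing event is canonicalised as sorted-key JSON and hashed with SHA-256
together with the previous entry's hash, so that editing, deleting or reordering
any earlier record invalidates every later hash.
"""
import copy
import hashlib
import json

# Assumed convention: the first entry chains to a fixed all-zero "genesis" value.
GENESIS = "0" * 64


def canonical(event):
    # Deterministic serialisation: fixed key order and separators, so the same
    # event always produces the same bytes and therefore the same digest.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash, event):
    # H(prev_hash || canonical(event)); prev_hash binds this entry to the chain.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(event))
    return h.hexdigest()


def append_event(chain, event):
    # Append-only: the new entry commits to the current head of the chain.
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev_hash": prev, "event": event,
             "entry_hash": entry_hash(prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Return (ok, index_of_first_bad_entry); the index is None when intact.

    expected_head is an assumed external anchor: the head hash as recorded in a
    store the database writer cannot modify (e.g. a write-once log environment).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i                      # gap, reordering or deletion
        if entry_hash(prev, entry["event"]) != entry["entry_hash"]:
            return False, i                      # in-place edit of this record
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)                 # whole chain rewritten and re-hashed
    return True, None


def build_sample_chain():
    # Constructed sample events using the fields the TOMs table lists:
    # UTC timestamp, signer IP, user agent, authentication method, document hash.
    doc_hash = hashlib.sha256(b"constructed sample PDF bytes").hexdigest()
    base = {"doc_hash": doc_hash, "ua": "Mozilla/5.0"}
    events = [
        dict(base, ts="2026-03-23T09:00:00Z", action="document.sent",
             actor="sender@example.com", ip="203.0.113.10", auth="password+mfa"),
        dict(base, ts="2026-03-23T09:12:41Z", action="document.viewed",
             actor="signer@example.com", ip="198.51.100.7", auth="email-link"),
        dict(base, ts="2026-03-23T09:14:05Z", action="document.signed",
             actor="signer@example.com", ip="198.51.100.7", auth="email-link+otp"),
    ]
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain


def tamper_modify(chain):
    # Insider with database write access back-dates the signature timestamp.
    bad = copy.deepcopy(chain)
    bad[2]["event"]["ts"] = "2026-03-22T09:14:05Z"
    return bad


def tamper_delete(chain):
    # Same insider drops the "viewed" record.
    bad = copy.deepcopy(chain)
    del bad[1]
    return bad


def tamper_rewrite(chain):
    # Stronger attacker: edits an event and recomputes every hash in the chain.
    events = [copy.deepcopy(e["event"]) for e in chain]
    events[2]["ts"] = "2026-03-22T09:14:05Z"
    rebuilt = []
    for ev in events:
        append_event(rebuilt, ev)
    return rebuilt


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["entry_hash"]       # would be anchored in the write-once store
    print("intact:   ", verify_chain(chain, expected_head=head))
    print("modified: ", verify_chain(tamper_modify(chain)))
    print("deleted:  ", verify_chain(tamper_delete(chain)))
    print("rewritten:", verify_chain(tamper_rewrite(chain)),
          "with anchor:", verify_chain(tamper_rewrite(chain), expected_head=head))
```

verify_chain on its own catches in-place edits and deletions, but an attacker with write access to the whole table can rewrite every record and recompute every hash, and tamper_rewrite shows that case passing. Detecting it requires the current head hash to be anchored somewhere that writer cannot reach, which is the role the separate write-once log environment plays in the table above; passing that anchored value as expected_head makes the rewritten chain fail.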
7.4 Network and Application Security
Control | Description |
|---|---|
Web Application Firewall (WAF) | Cloudflare WAF deployed in front of all public-facing endpoints. Rules updated continuously. |
DDoS protection | Cloudflare DDoS mitigation at network and application layers. |
VPC isolation | Production infrastructure is deployed in isolated Virtual Private Clouds (VPCs) with no direct public internet access to databases or internal services. |
Intrusion detection | Network intrusion detection system (IDS) monitors for anomalous traffic patterns within production VPCs. |
Vulnerability scanning | Automated weekly vulnerability scanning of all internet-facing endpoints and dependencies. |
Penetration testing | Annual third-party penetration testing of production infrastructure and application layer. Summaries available to enterprise customers under NDA. |
Dependency management | Automated scanning of software dependencies for known CVEs (GitHub Dependabot / Snyk). Critical vulnerabilities patched within 48 hours. |
7.5 Organisational Measures
Control | Description |
|---|---|
Privacy by design | Data protection considerations are embedded into the product development lifecycle. New features involving personal data processing undergo privacy review before deployment. |
Staff training | All staff with access to personal data complete mandatory data protection training on joining and annually thereafter. |
Confidentiality obligations | All staff and contractors are bound by contractual confidentiality obligations covering Customer Data. |
Background checks | Staff with access to Customer Data undergo background verification checks in accordance with applicable law. |
Incident response plan | A documented and tested incident response plan is in place covering detection, containment, eradication, recovery, and notification. Reviewed annually. |
Business continuity | Recovery time objective (RTO): 4 hours. Recovery point objective (RPO): 1 hour. Tested semi-annually. |
Vendor risk management | All sub-processors and material vendors undergo security assessment before engagement and annually thereafter. |
8. Data Subject Rights — Fulfilment Procedures
As Data Controller for your document transactions, you are the primary point of contact for data subject rights requests from your signers and counterparties. ZeroDocs will assist you in fulfilling these requests as required by GDPR Article 28(3)(e).
Right | Your Responsibility (as Controller) | ZeroDocs Assistance (as Processor) |
|---|---|---|
Access (Art. 15) | Respond to the data subject within 1 month. | On written request from you, we will provide a data export of all personal data held for the identified data subject within 10 business days. |
Rectification (Art. 16) | Correct inaccurate data and notify processors. | We will update or correct data fields in our systems upon your written instruction. |
Erasure (Art. 17) | Assess whether erasure is required or restricted by legal obligation. | On written instruction from you, we will delete identified personal data from active systems within 30 days, subject to legal retention obligations (audit trail integrity requirements may apply). |
Restriction (Art. 18) | Notify processors to restrict processing. | We will flag and restrict processing of identified data upon your written instruction, within 5 business days. |
Portability (Art. 20) | Provide data in structured, machine-readable format. | We will provide a JSON or CSV export of relevant data upon your written request within 10 business days. |
Objection (Art. 21) | Assess and respond to the objection. | We will assist with information needed to assess the objection, upon request. |
Automated decision-making (Art. 22) | Ensure no solely automated decisions with significant effects are made without human review. | ZeroDocs does not make automated decisions with significant legal effects on individuals. Human review is applied to any automated flags. |
How to submit a data subject rights assistance request to ZeroDocs
Email: privacy@zerodocs.xyz
Subject line: “DSR Assistance Request — <Your Company Name>”
Include: the data subject identifier (email address), the right being exercised, and your account ID.
We will acknowledge within 2 business days and fulfil within 10 business days.
Where ZeroDocs receives a data subject rights request directly from an individual regarding data processed on your behalf (processor mode), we will forward the request to you within 3 business days and will not respond directly to the data subject unless you instruct us to do so.
9. Personal Data Breach Notification
9.1 Internal Detection and Response
ZeroDocs operates a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. All security events are triaged within 1 hour of detection. Events confirmed as personal data breaches are escalated immediately to our DPO and senior management.
9.2 Notification to You (as Data Controller)
In the event of a personal data breach affecting Customer Data processed on your behalf, ZeroDocs will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Our notification will include, to the extent known at the time:
Where not all information is available within 72 hours, we will provide available information promptly and supply further information in phases as it becomes available, without undue further delay.
9.3 Your Notification Obligations
Following our notification, you as Data Controller are responsible for assessing whether the breach requires notification to your supervisory authority (within 72 hours of your becoming aware) and/or communication to affected data subjects, in accordance with GDPR Articles 33 and 34. We will provide all reasonable assistance you require for these notifications.
9.4 Notification Timelines by Jurisdiction
Jurisdiction | Notification to Supervisory Authority | Notification to Data Subjects |
|---|---|---|
EU / EEA (GDPR Art. 33/34) | Within 72 hours of awareness (if likely to result in risk) | Without undue delay (if likely to result in high risk) |
UK (UK GDPR) | Within 72 hours of awareness | Without undue delay (if high risk) |
India (DPDP Act) | As per rules notified by CERT-In / Data Protection Board (currently within 6 hours for significant breaches under IT Act) | As directed by Data Protection Board |
USA — California (CCPA) | No specific timeline but “expedient” | Without unreasonable delay |
Brazil (LGPD) | Within a reasonable timeframe (ANPD guidance: within 2 working days for significant risk) | Without undue delay (if significant risk) |
Singapore (PDPA) | Within 3 calendar days of assessing notifiability | Without undue delay (if significant harm) |
Australia (Privacy Act) | As soon as practicable after becoming aware | As soon as practicable |
10. Data Protection Impact Assessments (DPIAs)
10.1 ZeroDocs’ Own DPIAs
We conduct DPIAs for all new processing activities that are likely to result in a high risk to individuals, in accordance with GDPR Article 35. DPIA triggers include: large-scale processing of personal data, use of new AI or machine learning features, systematic monitoring, and processing of special category data. DPIA summaries for our core processing activities are available to enterprise customers on request from privacy@zerodocs.xyz.
10.2 Assistance with Your DPIAs
Where you are required to conduct a DPIA for processing activities involving ZeroDocs as a sub-processor or tool, we will provide reasonable assistance including:
To request DPIA assistance, contact privacy@zerodocs.xyz with subject line “DPIA Assistance Request”.
11. Records of Processing Activities (RoPA)
ZeroDocs maintains Records of Processing Activities in accordance with GDPR Article 30 for all processing activities carried out as both Data Controller and Data Processor. Our RoPA includes:
Our RoPA is available for inspection by competent supervisory authorities on request. Enterprise customers may request a summary extract of processor-mode RoPA entries relevant to their account by contacting privacy@zerodocs.xyz.
12. Data Protection Officer (DPO) and EU Representative
12.1 Data Protection Officer
Detail | Information |
|---|---|
DPO contact | dpo@zerodocs.xyz |
Scope | GDPR, UK GDPR, LGPD (Brazil), PDPA (Singapore) |
Independence | The DPO operates independently and reports directly to senior leadership. The DPO cannot be dismissed or penalised for performing their tasks. |
Tasks | Monitoring compliance; advising on DPIAs; acting as contact point for supervisory authorities and data subjects; staff training. |
12.2 EU Representative (Article 27 GDPR)
As a non-EEA controller processing personal data of EEA residents, ZeroDocs is evaluating the requirement to appoint an EU Representative under Article 27 GDPR. Until a representative is appointed, EEA data subjects and supervisory authorities should contact our DPO directly at dpo@zerodocs.xyz. We will publish EU representative details at zerodocs.xyz/legal/gdpr upon appointment.
12.3 Grievance Officer (India — DPDP Act and IT Rules)
Detail | Information |
|---|---|
Name | Devendra Tanwar |
Email | legal@zerodocs.xyz |
Acknowledgement timeline | Within 24 hours of receipt |
Resolution timeline | Within 15 days of receipt (IT Rules 2021) |
13. Retention, Deletion, and Return of Data
13.1 Retention During Contract
We retain Customer Data for the duration of your Subscription Plan and for the periods set out in our Privacy Notice and DPA. Electronic signature audit trails are retained for a minimum of 7 years following execution to support the legal validity of signed documents under applicable law (Indian IT Act; ESIGN Act; eIDAS).
13.2 Deletion and Return on Termination
Action | Timeline | Notes |
|---|---|---|
Data export window | 30 days following end of Subscription Term | You may export all Customer Data in JSON or PDF format during this window. |
Deletion from active systems | Within 30 days of end of export window | Active databases, application servers, and caches. |
Deletion from backups | Within 90 days | Encrypted backups are purged on their natural rotation cycle. |
Audit trail retention (legal obligation) | 7 years post-execution | Signing audit trails may be retained beyond contract end to satisfy legal validity requirements. Retained data is isolated and access-restricted. |
Deletion certificate | On request | We will provide written confirmation of deletion upon request. |
13.3 Deletion on Data Subject Request
Where you instruct us to delete personal data in response to a data subject erasure request, we will delete the specified data from active systems within 30 days. Where legal retention obligations (such as audit trail integrity for electronically signed documents) prevent full deletion, we will isolate the data, restrict all non-essential processing, and notify you of the specific retention obligation that applies.
14. Audit Rights
14.1 Information and Documentation
We will make available to you, on reasonable written request, all information necessary to demonstrate compliance with our obligations under GDPR Article 28 and our DPA. This includes: the current sub-processor register; TOM documentation; DPA terms; relevant security certifications; and DPIA summaries.
14.2 Third-Party Audit Reports
We make the following audit reports and certifications available to enterprise customers under NDA:
14.3 On-Site Audits
You have the right to conduct, or mandate an independent third-party auditor to conduct, an on-site audit of our data protection practices relevant to our processor obligations. Such audits are subject to: (a) reasonable prior written notice of at least 30 days; (b) agreement on scope, timing, and cost allocation; (c) execution of a confidentiality agreement protecting our infrastructure details. Audits must not unreasonably disrupt our operations. We may satisfy audit requests through provision of third-party audit reports where these adequately address your requirements.
15. Contact and Escalation
For all GDPR and data protection enquiries, DPA requests, data subject rights assistance, and breach notifications:
Contact Role | Use For | Contact Details |
|---|---|---|
Data Protection Officer (DPO) | GDPR / UK GDPR / LGPD / PDPA enquiries; DPIAs; data subject rights; supervisory authority liaison | dpo@zerodocs.xyz |
Privacy Team (General) | Privacy enquiries; DSR assistance requests; DPA requests; sub-processor queries | privacy@zerodocs.xyz |
Grievance Officer (India) | DPDP Act / IT Rules grievances | legal@zerodocs.xyz |
Security Team | Breach notifications; security vulnerabilities; penetration test reports | support@zerodocs.xyz |
Legal Team | DPA negotiations; custom contract terms; legal process | legal@zerodocs.xyz |
Postal Address | Formal legal correspondence | Attention: Privacy Team, BoringDollars Private Limited, B8A, Bhawani Singh Road, C-Scheme, Jaipur 302001, Rajasthan, India |
Supervisory Authorities
Jurisdiction | Supervisory Authority | Website |
|---|---|---|
EU / EEA | Your national DPA (list at edpb.europa.eu) | edpb.europa.eu |
United Kingdom | Information Commissioner’s Office (ICO) | ico.org.uk |
India | Data Protection Board of India (when constituted) | meity.gov.in |
Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | gov.br/anpd |
Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg |
Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au |
© 2026 BoringDollars Private Limited. All rights reserved.
ZeroDocs is a product of BoringDollars Private Limited, incorporated in India under the Companies Act 2013.