This Data Processing Addendum (DPA) forms part of the ProseID Terms of Service or another agreement that references it (the Agreement). It applies when ProseID processes Customer Personal Data on the Customer's behalf.

The Customer is the controller and ProseID is the processor for Customer Personal Data. ProseID remains an independent controller for its own account administration, billing, security, abuse-prevention and legal-compliance processing described in the Privacy Policy.

Annex I

Details of processing

Subject matter

Hosting schema-defined forms; receiving, validating, encrypting, storing and delivering submissions; producing verification records and proofs; and relaying signature requests and results when signing is enabled.

Nature and purpose

Collection, transmission, organisation, validation, encryption, storage, authorised decryption, retrieval, delivery, export, restriction and deletion as necessary to provide the service under the Customer's instructions.

Duration

For the Agreement term and the customer-directed evidence-retention period described in section 11, followed by deletion or return on instruction, subject to limited legal retention.

Frequency

Continuous or event-driven, depending on the Customer's use of forms, APIs, delivery channels and account features.

Data subjects

People who complete Customer forms; recipients of session links or receipts; Customer personnel, users and invited organisation members; and people represented in Customer-provided records.

Personal data

Schema-defined responses; names, contact and delivery details where requested; typed or provider-returned signature data; session and device metadata; customer identifiers; validation outcomes; schema and form references; delivery records; and support instructions.

Sensitive data

The service does not require special-category or criminal-offence data by default. Such data may be processed only where the Customer deliberately configures a schema to collect it and has a valid legal condition and appropriate safeguards.

Annex II

Technical and organisational measures

  1. 01 Encryption in transit using TLS and provider-managed encryption at rest for hosted infrastructure.
  2. 02 Application-layer encryption of production submission and signature payloads using Google Cloud KMS. Additional authenticated data binds ciphertext to the owning organisation, and cross-organisation decryption fails closed.
  3. 03 Server-side decryption only after authentication and active organisation-membership or API-key authorisation checks. Sensitive payloads are not directly readable from the browser database client.
  4. 04 Tenant isolation through organisation-scoped access checks, restrictive Firestore rules and server-mediated public submission writes with authoritative revalidation.
  5. 05 Role-limited administrative access, confidentiality obligations and access granted according to operational need.
  6. 06 Tamper-evident session proofs containing cryptographic response and output digests, immutable published schema versions and recorded signing-provider references when applicable.
  7. 07 Cloud audit logging for KMS operations and operational logging for security, delivery and administrative events, subject to access controls.
  8. 08 Documented incident handling, dependency and code review practices, automated tests and deployment checks proportionate to the service's risk.
  9. 09 Managed hosting, database resilience and backup processes supplied by the infrastructure providers, with restoration and continuity procedures appropriate to the service.
  10. 10 Data minimisation controls including request-size limits, schema-defined fields, purpose-limited delivery and separation of account, billing, verification and session records.
Annex III

Authorised Subprocessors

Google (Firebase and Google Cloud)

Authentication, Firestore database, Cloud Functions, Storage, Cloud KMS and consent-gated analytics. Processing locations may include the EEA and United States.

Railway

Hosting the ProseID web application and API. Processing locations may include the EEA and United States.

Zoho (ZeptoMail)

Transactional delivery of receipts, PDFs, session links and service messages through the provider's EU data centre when the Customer configures or requests email delivery.

Stripe handles customer payment and card data for billing and is described separately in the Privacy Policy and Sub-processors page; it does not receive hosted-form submission payloads under this DPA. UIP is not yet active. Before UIP processes Customer Personal Data, ProseID will add it to the maintained list and provide notice under section 7.

Processor contact

ProseID

Edingekroken 12, 163 63 Spånga, Stockholm, Sweden

[email protected]