Documenso

GDPR

Understand how Documenso handles GDPR compliance for data processing and storage.

Documenso's Role

When using Documenso for document signing, two distinct data processing roles apply:

| Role | Description |
| --- | --- |
| Data Controller | You (the organisation using Documenso) determine the purposes and means of processing |
| Data Processor | Documenso processes personal data on your behalf according to your instructions |

As the data controller, you are responsible for:

  • Obtaining appropriate consent or legal basis for processing
  • Informing data subjects about how their data is used
  • Responding to data subject access requests
  • Ensuring compliance with GDPR requirements

As the data processor, Documenso:

  • Processes data only according to your instructions
  • Implements appropriate security measures
  • Assists with data subject requests when needed
  • Maintains records of processing activities

Data Processing

Documenso processes personal data necessary to provide document signing services:

| Data Category | Examples | Purpose |
| --- | --- | --- |
| Identity Data | Name, email address | User accounts, recipient identification |
| Document Data | Uploaded PDFs, field values | Document storage and signing |
| Signature Data | Signature images, signing timestamps | Recording signing actions |
| Audit Data | IP addresses, browser information, action logs | Audit trail and verification |

Data is processed for the following purposes:

  • Delivering documents to recipients
  • Recording signatures and other recipient actions
  • Generating signed documents with audit trails
  • Sending email notifications

Data Storage Locations

Where your data is stored depends on how you use Documenso:

For the hosted cloud service:

  • Application data is stored in data centres within the European Union
  • Document storage uses EU-based infrastructure
  • Backups are maintained in geographically separate EU locations

Contact Documenso for specific information about sub-processors and data centre locations.

When you self-host Documenso:

  • You control all data storage locations
  • No data is transmitted to Documenso's infrastructure
  • You choose your own database, file storage, and backup locations

Self-hosting provides complete control over data residency, which may be required for certain compliance scenarios.

Data Subject Rights

GDPR grants individuals specific rights regarding their personal data. As the data controller, you are responsible for fulfilling these requests:

| Right | Description |
| --- | --- |
| Access | Data subjects can request a copy of their personal data |
| Rectification | Data subjects can request correction of inaccurate data |
| Erasure | Data subjects can request deletion of their data ("right to be forgotten") |
| Portability | Data subjects can request their data in a machine-readable format |
| Restriction | Data subjects can request limited processing of their data |
| Objection | Data subjects can object to certain types of processing |

When you receive a data subject request, you can:

  • Export user and document data from your Documenso account
  • Delete user accounts and associated documents
  • Contact Documenso support for assistance with cloud-hosted data

Data Deletion

Documenso supports data deletion to help fulfill erasure requests:

Self-Hosting for GDPR Compliance

Self-hosting Documenso can simplify GDPR compliance:

  • Data residency - Store all data in your chosen jurisdiction
  • Sub-processor control - No third-party data processors beyond your own infrastructure
  • Direct access - Full database access for data subject requests
  • Retention control - Implement custom data retention and deletion policies

See the Self-Hosting Guide for deployment options.

Data Processing Agreement

A Data Processing Agreement (DPA) is a contract required by GDPR when a data controller engages a data processor.

  • A DPA is available upon request
  • Contact support@documenso.com to request a DPA
  • The DPA covers Documenso's obligations as a data processor

When you self-host Documenso, no DPA with Documenso is required since no personal data is processed by Documenso.


Disclaimer

This documentation is provided for informational purposes only and does not constitute legal advice. GDPR compliance depends on your specific circumstances, including how you use Documenso, what data you process, and your organisation's obligations.

Consult with qualified legal counsel to:

  • Determine your GDPR obligations
  • Draft appropriate privacy notices
  • Establish lawful bases for processing
  • Implement compliant data handling procedures
