Tresorit – eSign Privacy Notice

This notice summarises how we collect and process your personal data in relation to the provision Tresorit eSign Services. Capitalized terms not defined in this notice will have the same meaning as in the eSign Specific Terms.

This notice does not describe our privacy practices relating to our website, tresorit.com and the Tresorit Services in general. As a visitor of tresorit.com and/or a user of the Tresorit Services, please visit the Tresorit Privacy Policy to learn more about the privacy practices that apply to you. Also, this notice does not apply to any third-party applications or software integrated with the Services, or to the privacy practices of any other third-party products, services or businesses.

Who will process your personal data?

Tresorit services are provided by Tresorit AG (company registration no: CH-300.3.017.920-5; address: Pfingstweidstrasse 60b, CH-8005 Zurich) ("Tresorit"), a company registered under the laws of Switzerland. Accordingly, Tresorit will be the controller of your personal data under EU law.

If your account is part of a Business Subscription – in accordance with section 5 of our Terms of Service, or you receive an eSign Request from a Qualified User who is part of a Business Subscription, in certain cases, the ultimate decisions regarding your personal data will be made by the relevant organization. In such case, your company will be considered as a controller and Tresorit will act as a processor, acting upon the instructions of such organization.

Our trust service provider partner, “Evrotrust Technologies” AD (registration number: UIC 203397356, registered address: Sofia 1113, Izgrev, Iztok, 2 Nikolay Haytov Str., entr. E, fl. 2, Bulgaria) ("Evtrotrust") acts an independent controller in connection with its data processing. The data processing of Evtrotrust, including any identification process carried out, is governed solely by its Privacy Policy. Tresorit does not endorse, is not liable for, and makes no representations as to the manner in which the trust service provider uses, stores, or processes data.

What kind of personal data do we process?

When you use the eSign Services, we need to process some information about you to make the services work and to evaluate how you use our eSign Services. This information may include the following personal data about you.

1. (Simple) Electronic Signature Process
   • Request information. If you are a Requester of an electronic signature ("SES"), we will process your email address and for identification purposes, such information will also be shared with the Signatories.
   • Signatory information. If you are a Signatory to an Execution Copy to be signed with a SES – whether as a Company Administered User or a Collaborator – we will log certain information about you (including your IP and email address) and the details of about your electronic signature process (such as when you opened or signed a document.)
     The above information will be visible to the Requester who shared the relevant Execution Copy with you. If you have any questions about this, please refer to the policies of the Qualified User’s organization. 
   • Technical information. You may add certain fields to the Execution Copies (such as the name and title of signatories). We will process such data for technical purposes only, when generating the final (executed) document.
2. Qualified Electronic Signature Process
   • Request information. If you are a Requester of a qualified electronic signatures ("EU QES"), we will process your email address, and for identification purposes, such information will also be shared with the Signatories.
   • Account information. If you are a Signatory to an Execution Copy to be signed with an EU QES, we will process your names, email address and/or phone number that you provide, so that we can verify if you have an existing account with our trust service provider partner, Evtrotrust. Also, we will receive information from Evrotrust about the status of your account with Evrotrust as well as the reasons for that status, and recommended actions.
   • Signatory information. If you are a Signatory to an Execution Copy to be signed with an EU QES – whether as a Company Administered User or a Collaborator – we will log certain information about you (including your IP and email address) and the details of about your electronic signature process (such as when you opened or signed a document.)
     The above information will be visible to the Requester who shared the relevant Execution Copy with you. If you have any questions about this, please refer to the policies of the Qualified User’s organization. 
   • Technical information. You may add certain fields to the Execution Copies (such as the name and title of signatories). We will process such data for technical purposes only, when generating the final (executed) document.
3. Other
   • Additional Data Provided by You: You may decide to share further information, including personal data, with us when you contact us, provide feedback to us regarding the eSign Services or otherwise communicate with us. It is solely your decision to share any other data with us during such communications, so our processing of such data will be based on your consent.
   • Logs: As most websites and services provided through the Internet, we gather certain information and store it in log files when you interact with our website or service. This information includes internet protocol (IP) addresses as well as browser type, operating system, identification numbers associated with your devices, time of access, and error logs.

What is the legal basis for processing?

We collect and process information about you only where we have legal bases for doing so under applicable laws. This means we collect and use your information only where:

• It is necessary in order to provide you Tresorit services, including to set up and maintain a Tresorit account for you, to provide customer support and to protect the safety and security of our services;
• It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote our services and to protect our legal rights and interests;
• You give us consent to do so for a specific purpose; or
• It is needed to comply with a legal obligation.

How do we use your data?

We may process your personal data for several purposes, such as:

Operating the Services

• We will use your personal data, in particular for the provision and maintenance of our eSign Services, including to ensure integrations with our third-party provider partners.

Communications

• We will send you information regarding the eSign Services, such as notices about your use of the Service. Please be aware that you cannot opt out of receiving certain service messages from us, including necessary security alerts and legal notices.

Developing Services

• We are always looking for ways to make Tresorit services better, faster, smarter, and more secure. We use aggregated statistics and logs about how people use our services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and improvement of our services.
• We also test and analyze certain new features with some users before rolling the feature out to all users.

Analytics

• We use analytics software to allow us to better understand the behavior of our users to grow our business. This software may record information such as how often you use our eSign Services, the events that occur while using the eSign Services, aggregated usage, and performance data.

Security

• We use information about you to secure our eSign Services, and to monitor suspicious or fraudulent activity and to identify violations of our Acceptable Use Policy.

Protecting our legitimate business interests and legal rights

• Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.

Providing (technical) support

• Occasionally, we connect personal information to information gathered in our log files as necessary to provide better customer experience and to improve our services.

Other purposes

• We may also process your data for any other purposes for which we obtain your consent where necessary or otherwise in accordance applicable law and this notice.

How do you use your personal data?

Please remember that if you send an eSign Request to someone, you may reveal details about yourself. In particular, your e-mail address is visible by the people you send an eSign Request to.

We are not responsible for your use of any otherwise personal data, which you make available to others via sending Encrypted Content, or the activities of Collaborators to whom you give or make available your information. Where you provide your personal data to us, you agree to provide and maintain complete and accurate information and understand that you are solely responsible for that data.

Do we share your personal data with third parties?

We will share your personal data with third parties only in accordance with this notice. We will never sell your personal data to third parties. However, we may need to share some information, including personal data, we obtain from your use of our service in the following circumstances.

1. Complying with legal requirements
   Tresorit may transmit personal data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, including to meet national security or law enforcement requirements. We may also need to share personal data for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud, in accordance with the applicable laws.
2. Using third-party service providers
   In certain cases, we need to share information, including personal data with our affiliates and third-party service providers.
3. Third-party trust provider providers
   Where you are a Signatory to an Execution Copy to be signed with an EU QES, your personal data will be shared with our third-party trust service provider, Evtrotrust.

Where do we transfer your data?

Tresorit AG is a company organized and existing under the laws of Switzerland, having affiliates within the territory of the EEA (Germany and Hungary). Switzerland was already granted a data protection adequacy status by the European Commission. The effect of such a decision is that, if you are located in the EEA, transfer of your personal data to Switzerland are practically considered as intra-EU transmission of data.

We primarily store personal data within the EEA, in particular, on Microsoft Azure servers in Ireland. Your personal data stored with us may also be transferred to countries outside of the EU. All such transfers of personal data are and will be made in accordance with applicable laws.

How do we protect your data?

We take appropriate technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. Tresorit is ISO 27001:2022 certified.

How long will we retain your information?

We will retain your personal data as long as it is needed to fulfill the purposes specified above, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it as soon as it technically possible.

Your privacy rights

You may ask us:

• to provide information to you about the personal data that we or our processors maintain about you,
• to correct inaccuracies or amend your personal data,
• in certain circumstances, to delete your personal data,
• to restrict processing of your personal data in certain circumstances (for example, where you believe that the personal data we hold about you is inaccurate or unlawfully held),
• in certain circumstances, you may have the right to be provided with your personal data in a structured, machine readable and commonly used format and to request that we transfer the personal data to another data controller without hindrance.

You can request this by sending an email to support@tresorit.com. We will respond to your request within thirty days. Please note that we may ask you to verify your identity before complying with the request.

You also have the right to complain to a data protection authority or claim damages before the court. For more information, please contact your local data protection authority. A list of contact details for the EU data protection authorities is available here.

Withdrawal of consent

In cases where the processing of your personal data is based on your consent, you can withdraw your consent any time by contacting us at support@tresorit.com. If you withdraw your consent, we will no longer process your personal data for the relevant purpose. However, please note that such withdrawal of your consent does not affect the lawfulness of our processing activities based on consent before its withdrawal.

Changes to this notice

As every high-quality service, our service is constantly improved in effort to keep users satisfied, but these improvements necessarily mean changes. Due to the ongoing changes in the law and the changing nature of technology, data practices are changing from time to time. Thus, we reserve the right to alter or modify this notice when it is necessary.

Any further question?

If you have any questions, please contact us at support@tresorit.com.

We have also appointed a data protection officer, whom you can reach at dpo@tresorit.com. We speak English.

As Tresorit AG is located outside of the EU, we appointed our EU affiliate to represent us in relation to any GDPR-related issues. This does not change the fact that Tresorit AG is the controller who ultimately handles your data. If you wish, you can also contact them directly. The details of our EU located affiliate is available here.