VisitOnWeb srl — e-Signature.eu

Data Processing Agreement

Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)  ·  Version 1.0  ·  June 2026

Applicability

This DPA is incorporated by reference into the General Terms and Conditions of e-Signature.eu. Acceptance of the General Terms and Conditions — whether by account creation, first order, or continued use of the platform — constitutes full acceptance of this DPA. Clients requiring a bilaterally signed copy may contact [email protected].

Parties

This DPA applies to any entity (the “Data Controller”) using the e-Signature.eu platform operated by VisitOnWeb srl, BE 0894 404 534, 42 Avenue Léon Houyoux, 1160 Brussels, Belgium (the “Data Processor”).

Clients requiring a bilaterally executed version of this DPA with their entity details formally recorded may contact [email protected].

Preamble

This Data Processing Agreement (“DPA”) governs the processing of personal data by the Data Processor on behalf of the Data Controller in connection with the Electronic Signature Services provided through e-Signature.eu.

This DPA is concluded in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR) and forms part of the contractual relationship established by the acceptance of the General Terms and Conditions of e-Signature.eu.

Article 1 — Definitions

1.1  “Personal Data” — any information relating to an identified or identifiable natural person processed in connection with the Electronic Signature Services.

1.2  “Electronic Signature Services” — electronic signature services provided through e-Signature.eu, relying on eIDAS-compliant Trust Service Providers.

1.3  “Sub-processor” — any third-party processor engaged by the Data Processor to process Personal Data on its behalf.

Article 2 — Scope and Purpose

2.1  Subject matter

The Data Processor processes Personal Data on behalf of the Data Controller solely for the purpose of providing Electronic Signature Services as ordered by the Data Controller through the e-Signature.eu platform.

2.2  Duration

This DPA remains in force for the duration of the service relationship and survives termination until all Personal Data has been returned or deleted in accordance with Article 9.

2.3  Nature of processing

Processing activities include:

  • Collection of signers’ identification and contact data for the purpose of sending signature requests
  • Transmission of identification data to qualified Trust Service Providers for identity verification and signature issuance
  • Storage of signed documents for a maximum period of thirty (30) days from the date of signature, for the sole purpose of enabling download by the Data Controller
  • Permanent and automatic deletion of documents upon expiry of the 30-day period, or upon manual deletion by the Data Controller, whichever occurs first

Article 3 — Categories of Data and Data Subjects

3.1  Personal Data processed may include:

  • Identity data: name, first name, date of birth, ID document references
  • Contact data: email address, phone number
  • Electronic identification data: credentials used for identity verification (method-dependent)
  • Signature metadata: IP address, timestamp, device information, audit trail elements

3.2  Categories of data subjects

Individuals designated by the Data Controller as signatories, including employees, contractors, clients, or any other natural persons authorised by the Data Controller to sign documents electronically.

Article 4 — Obligations of the Data Processor

The Data Processor shall:

  • Process Personal Data only on documented instructions from the Data Controller, unless required to do so by EU or Member State law
  • Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organisational measures as described in Article 5
  • Assist the Data Controller in responding to data subject rights requests under Chapter III GDPR
  • Assist the Data Controller in ensuring compliance with Articles 32 to 36 GDPR
  • At the Data Controller’s choice, delete or return all Personal Data upon termination of services
  • Make available all information reasonably necessary to demonstrate compliance with Article 28 GDPR

Article 5 — Security Measures

5.1  Technical measures

  • SSL/TLS encryption for all data transmissions between users and the platform
  • Encrypted storage of documents and associated audit trails
  • Secure API connections with qualified Trust Service Providers
  • Application of security updates within 30 days (critical patches within 72 hours)
  • Multi-factor authentication (MFA) for all administrative access

5.2  Organisational measures

  • Access control and least-privilege authorisation procedures
  • Ongoing security awareness for all persons with access to personal data
  • Documented incident response procedures
  • Quarterly review of access rights to critical systems

5.3  Sub-processor security

The Data Processor relies additionally on security measures implemented by its Sub-processors. All Trust Service Providers are eIDAS-qualified and supervised by competent European national authorities.

Article 6 — Sub-processors

6.1  General authorisation

The Data Controller grants the Data Processor general authorisation to engage Sub-processors, subject to the conditions of this Article.

6.2  Current Sub-processors

Sub-processor | Role | Location | Scope
eID Easy OÜ (Estonia) | Signature engine & TSP aggregator | EU — Estonia | All signature methods
itsme® / Belgian Mobile ID SA (Belgium) | QES — identity verification | EU — Belgium | itsme® signers only
Evrotrust Technologies AD (Bulgaria) | QES — identity verification | EU — Bulgaria | Evrotrust signers only
Veriff OÜ (Estonia) | AES — identity verification | EU/EEA * | Veriff signers only
Mollie B.V. (Netherlands) | Payment processing | EU — Netherlands | Billing data only
CloudConvert GmbH (Germany) | File conversion | EU — Germany | Upload conversion only

* Veriff processes identity verification data within the EU/EEA. For detailed information on Veriff’s data infrastructure, refer to eID Easy’s documentation, as eID Easy is the contracting party with Veriff.

6.3  Sub-processor obligations

The Data Processor ensures that Sub-processors are bound by contracts imposing equivalent data protection obligations as set out in this DPA.

6.4  Changes to Sub-processors

The Data Processor shall inform the Data Controller of any intended addition or replacement of Sub-processors at least 30 days in advance. The Data Controller may object on reasonable grounds within 15 days of notification. Absence of objection within that period constitutes acceptance.

Article 7 — Data Location

Personal Data is processed and stored within the European Union or the European Economic Area by VisitOnWeb srl and its Sub-processors, subject to the qualification in Article 6.2 regarding Veriff.

No transfer of Personal Data outside the EU/EEA is made by VisitOnWeb srl. To the extent that any Sub-processor may process data outside the EU/EEA, such transfers are subject to appropriate safeguards under Chapter V GDPR.

Article 8 — Data Breach Notification

The Data Processor shall notify the Data Controller without undue delay and no later than 72 hours after becoming aware of a personal data breach likely to result in a risk to the rights and freedoms of natural persons.

Such notification shall include, to the extent available at the time:

  • The nature of the breach and categories of data affected
  • The approximate number of data subjects concerned
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

Article 9 — Return or Deletion of Data

Upon termination of services, the Data Processor shall, at the Data Controller’s written choice:

  • Return all Personal Data in a commonly used electronic format; or
  • Securely delete all Personal Data and provide written confirmation of deletion

Signed documents and associated audit trails are automatically and permanently deleted 30 days after the date of signature, or upon manual deletion by the Data Controller, whichever occurs first.

Data may be retained beyond these periods only where required by applicable EU or Member State law (including Belgian accounting and tax obligations applicable to the Data Processor).

Article 10 — Audit and Compliance Demonstration

The Data Processor shall make available to the Data Controller all information reasonably necessary to demonstrate compliance with this DPA and with Article 28 GDPR, including this DPA, applicable security documentation, and the current list of Sub-processors.

Where the Data Controller requires additional assurance, it may mandate an independent auditor, subject to:

  • At least 30 days’ prior written notice
  • Audit conducted during normal business hours without unreasonably disrupting operations
  • Costs borne by the Data Controller
  • Auditor bound by appropriate confidentiality obligations

Given the size of the Data Processor’s organisation, audit requests will be accommodated primarily through document review and written responses. On-site audits require mutual agreement and reasonable advance planning.

Article 11 — Liability

Each Party shall be liable for damages caused by processing that infringes GDPR, in accordance with Articles 82–84 GDPR.

The Data Processor’s liability to the Data Controller under this DPA is limited to direct damages and shall not exceed the total fees paid by the Data Controller in the twelve (12) months preceding the event giving rise to the claim.

This limitation does not apply in cases of wilful misconduct or gross negligence.

Article 12 — Miscellaneous

12.1  Governing law and jurisdiction

This DPA is governed by Belgian law and the GDPR. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Brussels, Belgium.

12.2  Relationship to General Terms and Conditions

This DPA is published at https://www.e-signature.eu/dpa/ and is incorporated by reference into the General Terms and Conditions of e-Signature.eu. Acceptance of the General Terms and Conditions — whether by account creation, first order, or continued use of the platform — constitutes full acceptance of this DPA.

In the event of conflict between this DPA and the General Terms and Conditions on matters of data protection, this DPA shall prevail.

Clients requiring a bilaterally signed copy of this DPA may contact [email protected]. The Data Processor will provide a countersigned version upon request, without modification to the standard terms unless otherwise agreed in writing.

12.3  Amendments

The Data Processor reserves the right to update this DPA to reflect changes in applicable law or Sub-processor arrangements, with 30 days’ prior notice published on this page.

12.4  Severability

If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Version 1.0 — June 2026
VisitOnWeb srl — BE 0894 404 534 — [email protected]
