Resources

HelloSign Trust Center

Security & Compliance

HelloSign and GDPR Compliance

Our commitment to you and the protection of your data

As of May 25, 2018 the `General Data Protection Regulation' or GDPR is enforced across all EU states. This compliance regulation intends to unify legislation around how personal data is used and managed, leading to more standardized protections for all. Under GDPR, consumers will benefit from increased privacy protections for their personal data.

Organizational Readiness at HelloSign

Protecting our customer's personal data is of utmost important to the HelloSign team. For the last several months, we've worked diligently to ensure all GDPR compliance requirements were met well in advance.

Training and Privacy Awareness

All HelloSign employees have been given GDPR training, overseen by our on-site compliance team. Training sessions are conducted upon hire for all new employees and annually thereafter.

Data Mapping and Privacy Impact Assessment

To verify that our privacy practices are appropriate, HelloSign conducted an initial data mapping exercise. This included a Privacy Impact Assessment (PIA) to assess how we collect, process, and store personal data and determine potential privacy impacts.

Information Security Policies

HelloSign has informational security and data protection policies governing when employees and contractors can access data stores containing your data.

Data Transfer

HelloSign participates in and has certified its compliance with the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. HelloSign is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers data to a third party acting as an agent on its behalf. HelloSign complies with the Privacy Shield Frameworks for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.

Incident response

Our Incident Response procedures have been designed and tested to ensure potential security events are identified and reported to appropriate personnel for resolution, personnel follow defined protocols for resolving security events, and steps for resolution are documented and reviewed by the InfoSec Team on a regular basis. Additionally we're working to update these policies and procedures to include breach notification if and when a security incident involves the loss of or unauthorized use of personal identifiable information (PII).

Product reviews

We've updating our Software Development Lifecycle ("SDLC") to ensure the System changes are performed in accordance with GDPR requirements, including considerations for Privacy in the following areas:

  • Planning
  • Change Documentation
  • Development of Test Plans
  • Change Testing and Documentation of Results
  • Quality Assurance ("QA") Review and Approval
  • Third-party Review and attestation
  • Periodic review and update

Vendor reviews

All our current vendors have been reviewed to ensure they meet security and privacy requirements required for GDPR. To maintain assurance, these reviews will be conducted for all incoming vendors.

Contractual Protections - Data Processing Agreements

HelloSign has created a GDPR-ready Data Processing Agreement should you require EU-compliant contractual protections. The HelloSign Data Processing Addendum (“DPA”) describes the data protection obligations between the Customer for the Service delivered by HelloSign (“Data Processor”). Data Processing Agreements are available for our customers should they be required.

List of authorized sub-processors

View list of authorized sub-processors

HelloSign Security Infrastructure and Certifications

At HelloSign, we understand the serious ramifications of compliance and have diligently built processes to make our service compliant with the standards which govern your business.

HelloSign is compliant with the following:

  • SOC 2 Type I
  • HIPAA
  • The U.S. ESIGN act of 2000
  • The Uniform Electronic Transactions Act (EUTA) of 1999
  • The new eIDAS regulation for the EU of 2016 (EU Regulation 910/2014), which replaces the former European EC/1999/93 Directive
  • Privacy Shield

Product Readiness

Encryption

By default, communication with our services uses Transport Layer Security (TLS), which is regularly updated to use the latest ciphersuites and TLS configurations. Additionally we encrypt all customer data at rest using AES 256-T.

Data Deletion and Access

GDPR gives consumers the legal right to request access to and request the amendment of, or deletion of personal information stored by a company.

We do allow our customers to delete their data from our products whenever processing is complete, legally binding retention requirements are met, and all parties associated with the artifact in question have agreed to its deletion.

Cookie Compliance

At HelloSign we mostly use "session cookies" that are automatically deleted after each visit. These cookies permit us to recognize users and avoid repetitive requests for the same information.

However, cookies can be uniquely attributed to a device and therefore they are capable of identifying an individual.  As such, we've reviewed all of our cookies to ensure the required consent is gathered and that they are treated as PII when appropriate.