GDPR Compliance
Last updated: March 27, 2026
Our Commitment to GDPR
VeloSign is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and outlines your rights as a data subject.
1. Data Controller
VeloSign acts as the data controller for personal data collected through account registration, platform usage, and customer support interactions. When our customers use VeloSign to send documents for signing, VeloSign acts as a data processor on behalf of the customer (the data controller) for the signers' personal data.
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract performance — Processing necessary to provide our e-signature services to you, including account management, document processing, and signature verification.
- Legitimate interests — Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring platform security.
- Legal obligation — Processing necessary to comply with applicable laws, such as maintaining audit trails for e-signature validity.
- Consent — Where required, we obtain your explicit consent before processing personal data, such as for marketing communications.
3. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:
Right of Access
You can request a copy of the personal data we hold about you. We will provide this information within 30 days of your request.
Right to Rectification
You can request that we correct any inaccurate or incomplete personal data. You can also update your information directly through your account settings.
Right to Erasure
You can request that we delete your personal data. We will comply unless we have a legal obligation to retain it (e.g., audit trail records required for e-signature validity).
Right to Data Portability
You can request your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV).
Right to Restrict Processing
You can request that we temporarily stop processing your personal data in certain circumstances, such as while we verify the accuracy of your data.
Right to Object
You can object to the processing of your personal data for direct marketing purposes or where we rely on legitimate interests as our lawful basis.
Right to Withdraw Consent
Where we process data based on your consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
4. Data We Collect
We collect and process the following categories of personal data:
- Account information — Name, email address, hashed password
- Document data — Uploaded documents, signature images, form field entries
- Audit trail data — IP addresses, user agents, timestamps of actions
- Payment data — Processed by Stripe; we do not store credit card numbers
- Usage data — Pages visited, features used, for improving our service
5. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- AES-256-GCM encryption for all documents at rest
- TLS encryption for all data in transit
- Multi-factor authentication (MFA) for account security
- Regular security reviews and monitoring
- Access controls and role-based permissions
- Secure password hashing using bcrypt
6. Data Transfers
Our servers are located in the United States. If you are accessing our services from outside the United States, your personal data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers in accordance with GDPR requirements.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, it is securely deleted or anonymized.
8. Data Protection Officer
For GDPR-related inquiries, data subject access requests, or to exercise any of your rights, please contact us:
We will respond to all legitimate requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
9. Sub-Processors
We use the following sub-processors to provide our services:
| Service | Purpose | Location |
|---|---|---|
| DreamHost | Hosting & infrastructure | United States |
| Stripe | Payment processing | United States |
| Resend | Email delivery | United States |
| Google (Gemini AI) | AI field detection (optional) | United States |