Updated: May 2020
Your integrity matters to us.
At Scrive AB (Scrive) we process personal data daily, for our own business purposes, on behalf of our customers and ultimately for you. This privacy notice details how Scrive is processing personal data relating to customers and prospects, as well as how personal data is being processed within Scrive eSign. Every document signed with Scrive eSign services includes information about the individuals sending, receiving and signing it and as long as the data resides with us, it is our job to protect it from unlawful access and use.
What is personal data?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. The natural person, such as yourself, is referred to as a “data subject” and you may be identified (or are identifiable) via information like your name, your personal identification number, but also via e.g. an IP-address, genetic data etc.
“Sensitive personal data” are by their nature, particularly sensitive for you. It requires specific protection to avoid significant risks to your fundamental rights and freedoms. This includes, among other things, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.
Data protection law.
As a Swedish company, Scrive is governed by the laws of Sweden which, as from May 25th 2018 includes the GDPR (General Data Protection Regulation, regulation (EU) 2016/679).
The GDPR describes how organizations, such as Scrive, must “process” (collect, handle and store) personal data. Rules on data protection apply regardless of whether personal data is stored electronically, on paper or on other materials. Organizations that process your personal data are obliged to do that in accordance with strict regulations. Similar regulations have been in force even prior the GDPR, but now the law, and the serious economic consequences of not adhering to the law, are the same for the whole of the EU. An organization that determines the purposes of the processing is called “controller“, whereas an organization that the controller has engaged to assist in the processing is called a “processor”.
Processing in Scrive eSign
What roles do Scrive have?
Scrive offers the Scrive eSign service though different business models, and the responsibility for the processing of personal data depends to some extent on how the services are provided, and to whom. Scrive’s responsibility for the different categories of data subjects that may take part in an electronic signature process within Scrive eSign (“Scrive eSign workflow”) is as described below:
(i) Scrive Users: representatives of Scrive customers with an individual admin or user account registered in Scrive eSign subject to a valid license agreement between Scrive and the Scrive customer.
Scrive Users may initiate Scrive eSign workflows, receive invitations to take part in Scrive eSign workflows initiated by a third party, and retain their signed documents and templates in their e-archive within Scrive eSign.
Scrive may contact Scrive Users through Scrive eSign or through a representative, via phone or email in order to give updates on our products, services or concerning other account related issues.
Scrive is a processor on behalf of Scrive’s customers. The legal basis to process personal data of Scrive Users is the necessity to provide the services under the Scrive eSign License Agreement between Scrive and the Scrive customer.
We may also use personal data of Scrive Users for marketing and sales purposes. Scrive may contact Scrive Users through Scrive eSign or through a sales representative of Scrive, via phone or email in order to give you updates on other products or other materials Scrive deems may be interesting to you. When we process personal data for marketing and sales purposes we make a legitimate interest assessment, by taking into consideration our existing relationship with you, whether it would be reasonably expected by you that the processing takes place and whether we can fulfil the same business outcome without processing personal data. We do not process personal data for marketing and sales purposes that do not pass this criteria.
(ii) Representatives of Scrive resellers’ customers: representatives of Scrive resellers’ customers with an individual admin or user account registered in Scrive eSign subject to a valid sub-license agreement with an authorized reseller of Scrive eSign.
Representatives of Scrive resellers’ customers may initiate Scrive eSign workflows, receive invitations to take part in Scrive eSign workflows initiated by a third party, and retain their documents in their e-archive within Scrive eSign.
Scrive is a subprocessor of the Scrive reseller who in turn processes personal data on behalf of their customer. Scrive may contact representatives of Scrive resellers’ customers through Scrive eSign or through a representative, via phone or email in order to give updates on our products, services or concerning other account related issues.
The legal basis to process Scrive reseller customer representatives’ personal data is to provide the services under the Scrive eSign Sub-License Agreement between us and the reseller.
(iii) Private account holders: individuals that have opted in for a limited, cost-free account in Scrive eSign.
When a private account holder signs a document in Scrive eSign, this will be retained within that party’s own e-archive within Scrive eSign.
Private account holders may only initiate Scrive eSign workflows through Scrive eSign subject to such restrictions for cost-free accounts as Scrive maintains from time to time.
For private account holders, Scrive primarily acts as a controller due to the service being provided cost-free and that Scrive may single handedly re-determine the terms for the free account, or withdraw the same at any time. Thus, Scrive reserves the right to terminate the account of an inactive private account holder. In case of such termination, Scrive will provide due pre-warning to the email registered in the account and enable the private account holder to offboard the contents or their account prior to final deletion thereof.
The legal basis to process Scrive Private account holders personal data is to provide the services under the Terms of Service that the private account holder agreed to before creating a Scrive account.
(iv) External Scrive eSign users: individuals that have received an invitation message to review or sign a document made available through Scrive eSign, and that have no account of their own within Scrive eSign. (An external Scrive eSign user may opt in to become a private account holder in Scrive eSign.)
External Scrive eSign users only take part in a Scrive eSign workflow when so invited.
Scrive remains a processor, or subprocessor, on behalf of the customer that initiated the specific electronic signature process.
The legal basis to process External Scrive eSign users personal data is to provide the services under the Scrive eSign License Agreement between Scrive and the controller.
N.b. should Scrive AB itself be the initiator of the Scrive eSign workflow, then Scrive AB is the controller, in which case the legal basis is the necessity for the performance of a contract between us and the recipient of the Scrive eSign workflow.
Is my data secure with Scrive?
Security is a core value of Scrive. Ensuring the security of customer and company data is important as our customers, employees and partners hold us in a position of trust with their confidential data. Scrive applies the principles of privacy by design and privacy by default in developing, maintaining and providing the Scrive eSign service, as well as in the handling of personal data for other purposes.
To this end Scrive has implemented information security management and data protection policies covering i.a. acceptable use, access control, operations, technology, applications, data management, business continuity and physical security. The rules and controls within these policies are considered the security baseline for information assets owned/controlled or otherwise processed by Scrive. Such policy documentation may be provided upon request.
The policies and processes relating to information security are subject to at least yearly management reviews.
What security measures has Scrive implemented?
Scrive continuously educates staff on security. 2FA login, VPN, individual accounts, and activity logging are implemented as appropriate for employees with access to Scrive’s infrastructure and for employees with customer support tasks in the system. Access to systems is given to employees on a need-to-have basis and is governed by an approval process. Testing and production environments are separated, and data is never transferred between them.
For the actual servers, Scrive has firewalls, anti-virus and encrypted communication where feasible and reasonable. All documents are individually encrypted with keys stored in a different geographical site from the documents and the key storage itself is also encrypted. The security of the system as a whole is regularly tested by means of penetration tests performed by a third party.
The data centers used by Scrive have appropriate levels of security and are certified with ISO-27001, amongst other standards.
How is personal data processed within Scrive eSign?
When Scrive acts as the processor (or subprocessor) on behalf of a customer using the eSign service, the customer is responsible for the processing of your personal data and the legal basis of processing.
- If you have an individual account with Scrive eSign, Scrive is processing the following personal data in relation to you:
- Name and email (mandatory)
- mobile phone number
- ID number
- position with your employer
- user language (as setting in Scrive eSign)
- company details (name, address, organization number and country)
This information is necessary for us to process for the purpose of performance of the contract with you/the company you represent. Without this information we will not be able to provide the eSign Service to you. We keep this data for the duration of our agreement with you/your employer and for up to 10 days thereafter.
- Regardless what data subject category you belong to Scrive processes the following information regarding you:
- your communication and behaviour in Scrive eSign, for example IP-addresses, language settings and digital fingerprints that can strengthen the legal position of the parties to a document in a Scrive eSign workflow;
- your usage of the eSign service (including user statistics such as number of documents sent/signed by you);
- your interactions with us, including emails and support tickets
This information is necessary for us to process for the performance of the contract with you/the company you represent and to provide you with support in relation to our eSign service . We keep this data for as long as you/the company you represent retain your documents within the e-archive of Scrive eSign. However, we also process some of your interactions with us due to our legitimate interest of being able to understand how you use the eSign service in order to improve the service for the benefit of all our customers.
For further details about data handling within Scrive eSign, please refer to the Scrive Terms of Service.
Third country transfers
Scrive does not transfer personal data outside of EU/EEA, and all our processors are located within EU/EEA.
However, through the Scrive eSign workflow, you and your counterparts may in each separate case access the processed document remotely (via internet) from anywhere. Scrive has no way of knowing where the recipient of the email and/or SMS notifications (invitations, reminders, confirmations) sent through Scrive eSign will be located geographically, some recipients may therefore be located in a region outside of the EU/EEA. Therefore, such transfer of personal data to third countries is necessary for the performance or conclusion of a contract (signing a document electronically) in the interest of a data subject or that a data subject is a party to.
Processing outside of Scrive eSign
How does Scrive process personal data outside of Scrive eSign?
Scrive is processing personal data outside of Scrive eSign as described below:
Processing for invoicing and payment purposes
Scrive processes the following information regarding you:
- Information related to invoices, such as name, billing address and similar.
This information is necessary for us to process due to legal requirements, such as book-keeping/financial laws that Scrive is subject to. This information is kept for as long as the law requires.
Processing for marketing purposes
Based on our legitimate interest to market our products and services, Scrive seeks out new potential customers through various public and commercial sources such as for example LinkedIn and similar. Scrive may also collect information directly from you from events, fairs or our website using cookies or forms based on your consent. The information that Scrive collects for marketing purposes are:
- Name, title, company affiliation
- Phone number
- Number of employees
- Information collected through cookies
We keep such information for eighteen months unless you before that time becomes a customer, qualify as an opportunity or subscribe to information of Scrive.
You can at all times ask us to stop processing your personal data that we received your consent about by reaching out to us.
Processing for customer support purposes
When you contact Scrive for support request in any form (for example by submitting an online form, email etc.), either as an existing customer or as a non-customer, we process any data you provide to us to assist you with your request or to refer you to the relevant department at Scrive. We may contact you multiple times in relation to your request. The legal basis for such processing is either the contract between Scrive and you/the company you represent or your consent.
We may also process some of your interactions with us due to our legitimate interest of being able to understand how you use the eSign service in order to improve the service for the benefit of all our customers.
Processing of information provided to us for recruitment purposes
Scrive will process the information you provide to us for a job application, for recruitment purposes during the specific recruitment process and within a year from the end of such recruitment process.
Scrive will also process the information you send in any open applications via the links provided on our website for recruitment purposes in relation to any relevant positions for one year from the submission of your application.
Both types of applications will be processed via a candidate profile which brings together the information you provided. Your candidate profile may be of interest for Scrive in other recruitment processes, which means that if your candidate profile matches other vacant positions than the position you have applied for we may contact you to see if you find interest in other recruitment processes.
The legal basis for processing information provided in both types of applications is your consent.
Third country transfers
Some of the service providers that Scrive utilises for marketing purposes keep their data located outside of the EU/EEA. When personal data is transferred to these service providers, Scrive always ensures that the personal data is protected either through the Privacy Shield framework, the European Commission’s standard contractual clauses or another transfer mechanism deemed appropriate in accordance with the GDPR.
Sharing your personal data
Scrive does not share your personal data except, in the following cases:
To others in the Scrive eSign workflow
Irrespective of if you are a sender or receiver of a document in a Scrive eSign workflow, you and the other party/-ies invited to that workflow receives information on the other party/-ies taking part in that workflow. Such information is necessary for the execution of the workflow, to identify/authenticate the individuals taking part in accordance with the methods as configured in the Scrive eSign service by the sender, and to enable Scrive to produce the evidence package (including a transaction log) that is attached to each document signed through Scrive eSign. Thus, such information typically includes names, emails, mobile phone numbers, title, company details and IP-addresses. In addition, this may also include drawn signature (added by a party), evidence of eID authentication (including inter alia ID number or similar) when and as required for a stronger authentication.
To service providers
In order to be able to provide the eSign services or support services, conduct marketing or keep our financials, Scrive employs several service providers, such as for example hosting partners and system providers.
These service providers may only process your personal data on behalf of us and in accordance with our agreement with them, and never for their own purposes. Scrive ensures that all its service providers are bound by confidentiality terms and sign an NDA regarding information received from Scrive. Scrive enters into Data Processing Agreements (DPA) with all its service providers and conducts Data Protection Impact Assessment (DPIA) if the processing activity poses risk to the rights and freedoms of data subjects.
On the public part of Scrive.com domain Scrive may gather:
Information about the visit (page views, time, IP, browser, referring URL etc.)
Information provided by the user in any of the websites forms
Such data may be used by Scrive:
For website statistics
To personalise the website when a visitor returns (e.g. language preference, customisations)
For marketing purposes (e.g. retargeting ads, email campaigns)
When you enter Scrive.com website, you have the option to read our cookie declaration and adjust your cookie preferences.
If you do not wish Scrive.com, or one of the services we use, to collect any information about your visit you may enable the “Block cookies from third parties and advertisers” option in your web browser settings. This will still allow some “non-tracking” cookies to be stored on your computer, such as language preferences. You may also disable cookies altogether in your browser settings. This will, however, limit your web browsing experience and even stop some web services from working, including Scrive eSign.
What are my rights?
The GDPR provides the data subject certain rights with regards to your personal data.
Thus, you may make a request to the controller for:
access; i.e. a confirmation as to whether or not your personal data are being processed and, when that is the case, the provision of certain information about the processing
rectification of personal data
erasure of personal data (“right to be forgotten”)
restriction of processing
object to processing
withdrawal of consent
This is called a data subject rights (DSR) request. The controller is obliged to respond to a DSR-request as soon as possible and no later than within 30 days. DSR requests to Scrive as a controller should preferably be made by email, addressed to the Data Protection Officer at [email protected]
Please note that in case you want to make a DSR-request, this must be directed to the controller and that Scrive cannot accommodate such a request where Scrive is the processor, or subprocessor.
Contact and questions
Scrive AB, org no 556816-6804, with registered address at Barnhusgatan 20, SE-111 23 Stockholm, is responsible for the processing as described in this policy.
If you have any questions regarding how Scrive is processing your personal data, how functions within Scrive eSign can be used for different purposes in this regard, or would like to come in contact with our Data Protection Officer, do not hesitate to contact us at [email protected].