Your integrity matters to us.
At Scrive AB (Scrive) we process personal data daily, for our own business purposes, on behalf of our customers and ultimately for you. Every document signed with Scrive eSign services includes information about the persons sending, receiving and signing it and as long as the data resides with us, it is our job to protect it from unlawful access and use.
What is personal data?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. The natural person, such as yourself, is referred to as a “data subject” and you may be identified (or identifiable) via information like your name, your personal identification number, but also via e.g. an IP-address, genetic data etc.
“Sensitive personal data” are, by their nature, particularly sensitive for you. They could require specific protection to avoid significant risks to your fundamental rights and freedoms. This includes, among other things, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.
Data protection law.
As a Swedish company, Scrive is governed by the laws of Sweden which, as of May 25th 2018, include the GDPR (General Data Protection Regulation, regulation (EU) 2016/679).
The GDPR describes how organizations, such as Scrive, must “process” (collect, handle and store) personal data. These rules apply regardless of whether personal data is stored electronically, on paper or on other materials. Organizations that process your personal data are obliged to do that in accordance with strict regulations. Similar regulations have been in force even prior to the GDPR, but now the law, and the serious economic consequences of not adhering to the law, are the same for the whole of the EU. An organization that determines the purposes of the processing is called a “controller”, whereas an organization that the controller has engaged to assist in the processing is called a “processor”.
What roles does Scrive have?
Scrive offers the Scrive eSign service through different business models, and the responsibility for the processing of personal data depends to some extent on how the services are provided, and to whom. Scrive’s responsibility for the different categories of data subjects that may take part in an electronic signature process within Scrive eSign (“Scrive eSign workflow”) is as described below:
(i) Scrive customer representatives: representatives of companies and organizations that have been granted a right to use the Scrive eSign through a valid license agreement with Scrive AB.
Scrive customer representatives may initiate Scrive eSign workflows, receive invitations to take part in Scrive eSign workflows initiated by a third party, and retain their signed documents and templates in their e-archive within Scrive eSign
Scrive is a processor on behalf of the Scrive customer when processing Scrive customer representatives’ personal data
(ii) Reseller customer representatives: representatives of companies and organizations that have been granted a sublicensed right to use the Scrive eSign through a valid sub-license agreement with an authorized reseller of Scrive eSign.
Reseller customer representatives may initiate Scrive eSign workflows, receive invitations to take part in Scrive eSign workflows initiated by a third party, and retain their documents in their e-archive within Scrive eSign
Scrive is a subprocessor of the Scrive reseller who in turn processes personal data on behalf of their customer
(iii) Private account holders: individuals that have opted in for a limited, cost-free account in Scrive eSign.
When a private account holder signs a document in Scrive eSign, this will be retained within that party’s own e-archive within Scrive eSign
Private account holders may only initiate Scrive eSign workflows through Scrive eSign subject to such restrictions for cost-free accounts as Scrive maintains from time to time
For private account holders, Scrive primarily acts as processor on behalf of the private account holder. However, Scrive may be deemed to be/become the controller (or joint controller) because the service is provided cost-free and Scrive may single-handedly re-determine the terms for the free account, or withdraw the same at any time. Thus, Scrive reserves the right to terminate the account of an inactive private account holder. In case of such termination, Scrive will provide due pre-warning to the email registered in the account and enable the private account holder to offboard the contents of their account prior to final deletion thereof.
(iv) External Scrive eSign users: individuals that have received an invitation message to review or sign a document made available through Scrive eSign, and that have no account of their own within Scrive eSign. (An external Scrive eSign user may opt in to become a private account holder in Scrive eSign.)
External Scrive eSign users only take part in a Scrive eSign workflow when so invited
Scrive remains a processor, or subprocessor, on behalf of the customer that initiated the specific electronic signature process
N.b. should Scrive AB itself be the initiator of the Scrive eSign workflow, then Scrive AB is the controller.
Scrive is also the controller with regard to personal data we process in our marketing and sales activities, in our communication with employees, candidates and ex-employees as well as with our vendors, consultants, customers and partners.
A controller may not process your personal data without at least one legal basis being present. The legal basis may be e.g. a contractual obligation, your own consent, the controller’s legitimate interest or a public task.
Is my data secure with Scrive?
Security is a core value of Scrive. Ensuring the security of customer and company data is important as our customers, employees and partners hold us in a position of trust with their confidential data. Scrive applies the principles of privacy by design and privacy by default in developing, maintaining and providing the Scrive eSign service, as well as in the handling of personal data for other purposes.
To this end Scrive has implemented information security management and data protection policies covering i.a. acceptable use, access control, operations, technology, applications, data management, business continuity and physical security. The rules and controls within these policies are considered the security baseline for information assets owned/controlled or otherwise processed by Scrive. Such policy documentation may be provided upon request.
The policies and processes relating to information security are subject to at least yearly management reviews.
What security measures has Scrive implemented?
Scrive continuously educates staff on security. 2FA login, VPN, individual accounts, and activity logging are implemented as appropriate for employees with access to Scrive’s infrastructure and for employees with customer support tasks in the system. Access to systems is given to employees on a need-to-have basis and is governed by an approval process. Testing and production environments are separated, and data is never transferred between them.
For the actual servers, Scrive has firewalls, anti-virus and encrypted communication where feasible and reasonable. All documents are individually encrypted with keys stored in a different geographical site from the documents and the key storage itself is also encrypted. The security of the system as a whole is regularly tested by means of penetration tests performed by a third party.
The data centers used by Scrive have appropriate levels of security and are certified with ISO-27001, amongst other standards.
What are my rights?
The GDPR provides you, as the data subject, certain rights with regard to your personal data.
Thus, you may make a request to the controller for:
access; i.e. a confirmation as to whether or not your personal data are being processed and, when that is the case, the provision of certain information about the processing
rectification of personal data
erasure of personal data (“right to be forgotten”)
restriction of processing
objection to processing
withdrawal of consent
This is called a data subject rights (DSR) request. The controller is obliged to respond to a DSR-request as soon as possible and no later than within 30 days. DSR requests to Scrive as a controller should preferably be made by email, addressed to the Data Protection Officer at email@example.com.
Please note that in case you want to make a DSR-request, this must be directed to the controller and that Scrive cannot accommodate such a request where Scrive is the processor, or subprocessor.
How is personal data processed within Scrive eSign?
When Scrive acts as the processor (or subprocessor) on behalf of a customer using the eSign service, the customer is responsible for the processing of your personal data and the legal basis of processing.
If you have an individual account with Scrive eSign, Scrive is processing the following personal data in relation to you:
Name and email (mandatory)
mobile phone number
position with your employer
user language (as setting in Scrive eSign)
company details (name, address, organization number and country)
This information is necessary for us to process for the performance of the contract with you/your employer. Without this information we won’t be able to provide the eSign Service to you. We keep this data for the duration of our agreement with you/your employer and for up to one (1) month thereafter.
Regardless of which data subject category you belong to, Scrive processes the following information regarding you:
your communication and behaviour in Scrive eSign, for example IP-addresses, language settings and digital fingerprints that can strengthen the legal position of the parties to a document in a Scrive eSign workflow
your usage of the eSign service (including user statistics such as number of documents sent/signed by you)
your interactions with us, including emails and support tickets
This information is necessary for us to process for the performance of the contract with you/your employer. It is also processed due to our legitimate interest of providing you with support in relation to our eSign service as well as our interest in being able to understand how you use the eSign service in order to improve the service for the benefit of all our customers. We keep this data for as long as you/your employer retain your documents within the e-archive of Scrive eSign.
For further details about data handling within Scrive eSign, please refer to the Scrive Terms of Service.
Third country transfers
Through the Scrive eSign workflow, you and your invited counterparts may in each separate case access the processed document remotely from anywhere. Scrive has no way of knowing where the recipient of the email and/or SMS notifications (invitations, reminders, confirmations) sent through Scrive eSign will be located geographically; some recipients may therefore be located in a region outside of the EU/EEA.
How does Scrive process personal data outside of Scrive eSign?
Whenever relevant for invoicing and payment purposes, Scrive processes the following information regarding you:
Information related to invoices, such as name, billing address and similar.
This information is necessary for us to process due to legal requirements, such as book-keeping/financial laws that Scrive is subject to. This information is kept for as long as the law requires.
Processing for marketing purposes
Based on our legitimate interest to market our products and services, Scrive seeks out new potential customers through various public and commercial sources such as LinkedIn and similar. Scrive may also collect information directly from you from events, fairs or our website using cookies or forms. The information that Scrive collects for marketing purposes is:
Name, title, company affiliation
Number of employees
Information collected through cookies
We keep such information for a year unless, before that time, you become a customer, qualify as an opportunity or subscribe to information from Scrive.
You can at all times ask us to stop processing your personal data for marketing purposes by reaching out to us.
Third country transfers
Some of the service providers that Scrive utilizes for marketing purposes keep their data located outside of the EU/EEA. When personal data is transferred to these service providers, Scrive always ensures that the personal data is protected either through the Privacy Shield framework, the commission’s standard contractual clauses or another transfer mechanism deemed appropriate in accordance with the GDPR.
Sharing your personal data
Scrive does not share your personal data except in the following cases:
To others in the Scrive eSign workflow
Irrespective of whether you are a sender or receiver of a document in a Scrive eSign workflow, you and the other party/-ies invited to that workflow receive information on the other party/-ies taking part in that workflow. Such information is necessary for the execution of the workflow, to identify/authenticate the individuals taking part in accordance with the methods as configured in the Scrive eSign service by the sender, and to enable Scrive to produce the evidence package (including a transaction log) that is attached to each document signed through Scrive eSign. Thus, such information typically includes names, emails, mobile phone numbers, title, company details and IP-addresses. In addition, this may also include drawn signature (added by a party) and ID number (or similar) when and as required for a stronger authentication.
To service providers
In order to be able to provide the eSign services or support services, conduct marketing or keep our financials, Scrive employs several service providers, such as hosting partners and system providers.
These service providers may only process your personal data in accordance with our agreement with them, and never for their own purposes.
On the public part of the Scrive.com domain Scrive may gather:
Information about the visit (page views, time, IP, browser, referring URL etc.)
Information provided by the user in any of the website’s forms
Such data may be used by Scrive:
For website statistics
To personalize the website when a visitor returns (e.g. language preference, customizations)
For marketing purposes (e.g. retargeting ads, email campaigns)
Please note that whenever you are using Scrive eSign service, there are no cookies used/gathered for the purposes of marketing.
If you do not wish Scrive.com, or one of the services we use, to collect any information about your visit you may enable the “Block cookies from third parties and advertisers” option in your web browser settings. This will still allow some “non-tracking” cookies to be stored on your computer, such as language preferences. You may also disable cookies altogether in your browser settings. This will, however, limit your web browsing experience and even stop some web services from working, including Scrive eSign.
Contact and questions
Scrive AB, org no 556816-6804, with registered address at Barnhusgatan 20, SE-111 23 Stockholm, is responsible for the processing as described in this policy.
If you have any questions regarding how Scrive is processing your personal data, how functions within Scrive eSign can be used for different purposes in this regard, or would like to come in contact with our Data Protection Officer, do not hesitate to contact us at firstname.lastname@example.org.