Updated: July 2022

Privacy Notice

Summary

 General information

At Scrive we process personal data for our own business purposes, on behalf of our customers and ultimately for you. This privacy notice details how Scrive is processing personal data relating to customers and prospects, as well as how personal data is being processed within our services. You can read more about how and why we process personal data in our full text privacy notice, which you find below this summary.

 Processing within Scrive’s services

Scrive has a responsibility to care for the personal data that is processed within our services, but our type of responsibility does to some extent depends on how the services are provided. When we process personal data within our services, that is normally done on behalf of one of our customers.

 Processing outside of Scrive’s services

We process personal data outside of our services for the purposes of:

  • Invoicing and payments
  • Marketing
  • Customer feedback
  • Recruitment

 What are your rights?

As a data subject, you have several rights, including:

  • Your right to object
  • Your right of access
  • Your right to erasure
  • Your right to compliant
  • Other rights

 Contact information

For any privacy related inquiries, please contact us at dpo@scrive.com.

 

Full Privacy Notice

We care about your integrity. 

At Scrive AB (Scrive) we process personal data for our own business purposes, on behalf of our customers and ultimately for you. This privacy notice details how Scrive is processing personal data relating to customers and prospects, as well as how personal data is being processed within Scrive’s services (including, but not limited to, Scrive eSign and Scrive eID Hub)

What is personal data?

The GDPR (General Data Protection Regulation, regulation (EU) 2016/679) defines personal data as “any information relating to an identified or identifiable natural person”. The natural person, such as yourself, is referred to as a “data subject” and you may be identified (or are identifiable) via information like your name, your personal identification number, but also via e.g. an IP-address, genetic data etc.

“Sensitive personal data” is by its nature, particularly sensitive for you. It requires specific protection to avoid significant risks to your fundamental rights and freedoms. This includes, among other things, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.

Data protection law

As a Swedish company, Scrive is governed by the laws of Sweden and the European Union, which includes the GDPR.

The GDPR describes how organisations, such as Scrive, must “process” (collect, handle and store) personal data. Rules on data protection apply regardless of whether personal data is stored electronically, on paper or on other materials. Organisations that process your personal data are obliged to do that in accordance with strict regulations. The GDPR is an EU Regulation, which means that the same strict regulations, and the serious economic consequences of not adhering to the law, are the same for the whole of the EU. An organisation that determines the purposes of the processing is called a “controller“, whereas an organisation that the controller has engaged to assist in the processing is called a “processor”.

 

Processing within Scrive’s services

How does Scrive process your personal data?

Scrive offers its services through different business models, and the responsibility for the processing of personal data depends on which services we provide, how the services are provided, and to whom. 

Scrive eSign

Scrive eSign is a cloud-based software as a service solution (SaaS) for electronic signatures of documents.

Scrive’s responsibility for the different categories of data subjects that may take part in an electronic signature process within Scrive eSign (“Scrive eSign workflow”) is as described below:

(i) Scrive Users: representatives of Scrive customers with an individual admin or user account registered in Scrive eSign subject to a valid license agreement between Scrive and the Scrive customer.

Scrive Users may initiate Scrive eSign workflows, receive invitations to take part in Scrive eSign workflows initiated by a third party, and retain their signed documents and templates in their e-archive within Scrive eSign. 

Scrive may contact Scrive Users through Scrive eSign or through a representative, via phone or email in order to give updates on our products, services or concerning other account related issues.

Scrive is a processor on behalf of Scrive’s customers. The legal basis to process personal data of Scrive Users is the necessity to provide the services under an agreement between Scrive and the Scrive customer.

(ii) Representatives of Scrive resellers’ customers: representatives of Scrive resellers’ customers with an individual admin or user account registered in Scrive eSign subject to a valid sub-license agreement with an authorized reseller of Scrive eSign.

Representatives of Scrive resellers’ customers may initiate Scrive eSign workflows, receive invitations to take part in Scrive eSign workflows initiated by a third party, and retain their documents in their e-archive within Scrive eSign.

Scrive is a subprocessor of the Scrive reseller who in turn processes personal data on behalf of their customer. Scrive may contact representatives of Scrive resellers’ customers through Scrive eSign or through a representative, via phone or email in order to give updates on our products, services or concerning other account related issues.

The legal basis to process Scrive reseller customer representatives’ personal data is to provide the services under an agreement between Scrive and the reseller.

(iii) Private account holders: individuals that have opted in for a limited, cost-free account in Scrive eSign.

Scrive provides private account holders with cost-free accounts to let the private account holder try out Scrive eSign for free. In letting private account holders try out the Scrive eSign service, Scrive hopes to be able to convert some of these private account holders into paying customers. If you are a private account holder, Scrive may therefore contact you with offers and marketing. 

When a private account holder signs a document in Scrive eSign, this will be retained within that party’s own e-archive within Scrive eSign.

Private account holders may only initiate Scrive eSign workflows through Scrive eSign subject to such restrictions for cost-free accounts as Scrive maintains from time to time.

For private account holders, Scrive acts as the controller of your contact details and as a processor of the personal data included in documents being signed in Scrive eSign. Scrive reserves the right to terminate the account of an inactive private account holder. In case of such termination, Scrive will provide due pre-warning to the email registered in the account and enable the private account holder to offboard the contents or their account prior to final deletion thereof.

The legal basis to process Scrive Private account holders’ personal data is to provide the services under the Terms of Service that the private account holder agreed to before creating a Scrive account.

(iv) External Scrive eSign users: individuals that have received an invitation message to review or sign a document made available through Scrive eSign, and that have no account of their own within Scrive eSign. (An external Scrive eSign user may opt in to become a private account holder in Scrive eSign.)

External Scrive eSign users only take part in a Scrive eSign workflow when so invited.

Scrive remains a processor, or subprocessor, on behalf of the customer that initiated the specific electronic signature process.

The legal basis to process External Scrive eSign users’ personal data is to provide the services under an agreement between Scrive and the controller.

N.b. should Scrive itself be the initiator of the Scrive eSign workflow, then Scrive is the controller, in which case the legal basis is the necessity for the performance of a contract between Scrive and the recipient of the Scrive eSign workflow.

Processing of personal data within Scrive eSign

When Scrive acts as the processor (or subprocessor) on behalf of a customer using the eSign service, the customer is responsible for the processing of your personal data and the legal basis of processing.

  1. If you have an individual account with Scrive eSign, Scrive is processing the following personal data in relation to you:
  • name and email address (mandatory)
  • mobile phone number
  • ID number
  • position with your employer
  • user language (as setting in Scrive eSign)
  • company details (name, address, organisation number and country)

This information is necessary for us to process for the purpose of the performance of the contract with you/the company you represent. Without this information we will not be able to provide the eSign Service to you. We keep this data for the duration of our agreement with you/your employer and up to 30 days thereafter.

  1. Regardless of what data subject category you belong to, Scrive processes the following information regarding you:
  • your communication and behaviour in Scrive eSign, for example IP-addresses, language settings and digital fingerprints that can strengthen the legal position of the parties to a document in a Scrive eSign workflow;
  • your usage of the eSign service (including user statistics such as number of documents sent/signed by you);
  • your interactions with us, including emails and support tickets

This information is necessary for us to process for the performance of the agreement with you/the company you represent and to provide you with support in relation to our eSign service. We keep this data for as long as you/the company you represent retain your documents within the e-archive of Scrive eSign. However, in an anonymised format, we also process some of your interactions with us to understand how you use the eSign service in order to improve the service for the benefit of all our customers.

For further details about data handling within Scrive eSign, please refer to the Scrive Terms of Service.

Integrations to third-party service providers

Scrive offers integrations to third-party systems, for the purposes of
(i) importing documents to sign in Scrive eSign,
(ii) exporting documents from Scrive eSign that have already been signed, and
(iii) auto-populating documents with data from external sources.

The use of integrations requires Scrive’s customer to have its own contractual relationship with the third-party service provider. The importing of personal data from or exporting of personal data to a third-party service provider through an integration only takes place on behalf of Scrive’s customer. Per default, no integrations are active.

Scrive eID Hub

Scrive eID Hub is a cloud-based software as a service solution (SaaS) used for the main purposes of performing and/or enabling access to various methods for identification and authentication of a person’s identity, verification of a person’s details such as home address or age, and electronic and/or digital signatures.

How and for what purpose your personal data is being processed within Scrive eID Hub is determined by i) the relying party (i.e. Scrive’s customer) and ii) each eID provider, respectively.

Example
A Scrive customer is using Scrive eID Hub in order to provide secure login functionality to its services. The Scrive customer has asked Scrive to enable login with Swedish BankID, Norwegian BankID and Danish MitID. If you choose to login with Swedish BankID, Scrive’s reselling bank of BankID, Scrive, and Scrive’s customer will all be processing your data in order to provide you with the login functionality.

Is my data secure with Scrive?

Security is a core value of Scrive. Ensuring the security of customer and company data is important as our customers, employees and partners hold us in a position of trust with their confidential data. Scrive applies the principles of Privacy by design and Privacy by default in developing, maintaining and providing the Scrive eSign service, as well as in the handling of personal data for other purposes.

Scrive takes all appropriate legal, technical and organisational measures to ensure that your personal data is handled securely and with an adequate level of protection. This applies both internally, by means of Scrive’s implemented information security management and data protection policies covering i.a. acceptable use, access control, operations, technology, applications, data management, business continuity and physical security and when transferring your personal data to or sharing data with selected third parties to provide our services. The rules and controls within these policies are considered the security baseline for information assets owned/controlled or otherwise processed by Scrive. Such policy documentation may be provided upon request.

What security measures has Scrive implemented?

Scrive continuously educates staff on security. 2FA login, VPN, individual accounts, and activity logging are implemented as appropriate for employees with access to Scrive’s infrastructure and for employees with customer support tasks in the system. Access to systems is given to employees on a need-to-have basis only and is governed by an approval process. Testing and production environments are separated, and data is never transferred between them.

For the actual servers, Scrive has firewalls, anti-virus and encrypted communication where feasible and reasonable. All documents are individually encrypted with keys stored in a different geographical site from the documents and the key storage itself is also encrypted. The security of the system as a whole is regularly tested by means of penetration tests performed by a third party.

The data centers used by Scrive have appropriate levels of security and are certified with ISO-27001, amongst other standards.

Third country transfers

In delivering its services Scrive does not transfer personal data outside of the EU/EEA within the context of providing our service. With all our sub-processors, we have specified the location where data will be processed to be within the EU/EEA.

However, through the Scrive eSign workflow, you and your counterparts may in each separate case access the processed document remotely (via internet) from anywhere and recipients might  be located in a region outside of the EU/EEA. In these cases a transfer of personal data to third countries is necessary for the performance or conclusion of a contract (signing a document electronically) in the interest of a data subject or that a data subject is a party to.

 

Processing activities

Processing outside of Scrive’s services

How does Scrive process personal data outside of Scrive’s services?

Scrive acts as a controller when we process personal data outside of Scrive services, as described below:

Processing for invoicing and payment purposes

Scrive processes the following information regarding you:

  • Information related to invoices, such as name, billing address and similar.

This information is necessary for us to process due to legal requirements, such as book-keeping/financial laws that Scrive is subject to. This information is kept for as long as the law requires.

Processing for marketing purposes

Based on our legitimate interest to market our products and services, Scrive seeks out new potential customers through various public and commercial sources such as for example LinkedIn and similar. Scrive may also collect information directly from you from events, fairs or our website using cookies or forms based on your consent. The information that Scrive collects for marketing purposes are:

  • Name, title, company affiliation
  • Email
  • Phone number
  • Number of employees
  • Industry
  • Turnover
  • Information collected through cookies (Cookie Declaration)

We keep such information for eighteen months unless you before that time become a customer, qualify as an opportunity or subscribe to information of Scrive.

You can at any time ask us to stop processing your personal data for marketing purposes. To make such a request, please see our contact information at the end of this privacy notice.

Processing of information provided to us for recruitment purposes

Scrive will process the information you provide to us for a job application, for recruitment purposes during the specific recruitment process and up to two years from the end of such recruitment process.

Scrive will also process the information you send in any open applications via the links provided on our website for recruitment purposes in relation to any relevant positions for one year from the submission of your application. 

Both types of applications will be processed via a candidate profile which brings together the information you provided. Your candidate profile may be of interest for Scrive in other recruitment processes, which means that if your candidate profile matches other vacant positions than the position you have applied for, we may contact you to see if you find interest in other recruitment processes.

The legal basis for processing information provided in both types of applications is your consent.

Processing for support purposes

Scrive acts as either a controller or a processor when we process personal data for support purposes, as described below:

When you contact Scrive for a support request as a non-customer, we process any data you provide to us as a controller, in order to assist you with your request or to refer you to the relevant department at Scrive. We may contact you multiple times in relation to your request. The legal basis for such processing is your consent.

When you contact Scrive for a support request as a Scrive User or private account holder, we process any data you provide to us as a processor, in order to assist you with your request or to refer you to the relevant department at Scrive. We may contact you multiple times in relation to your request. The legal basis for such processing is the agreement between Scrive and you/the company you represent.

Third country transfers

Some of the service providers that Scrive utilises for marketing purposes keep their data located outside of the EU/EEA. When personal data is transferred to these service providers, Scrive takes all appropriate legal, technical and organisational measures to ensure that the personal data is handled securely and with an adequate level of protection comparable to and within the same level as the protection offered within the EU.

Sharing your personal data

Scrive does not share your personal data except, in the following cases:

Others in Scrive eSign workflow

Irrespective of if you are a sender or receiver of a document in a Scrive eSign workflow, you and the other party/-ies invited to that workflow receives information on the other party/-ies taking part in that workflow. Such information is necessary for the execution of the workflow, to identify/authenticate the individuals taking part in accordance with the methods as configured in the Scrive eSign service by the sender, and to enable Scrive to produce the evidence package (including a transaction log) that is attached to each document signed through Scrive eSign. Thus, such information typically includes names, emails, mobile phone numbers, title, company details and IP-addresses. In addition, this may also include drawn signature (added by a party), evidence of eID authentication (including inter alia ID number or similar) when and as required for a stronger authentication.

Service providers

In order to be able to provide the eSign services or support services, conduct marketing or administer  our finances, Scrive employs several service providers, such as hosting partners and system providers.

These service providers may only process your personal data on behalf of us and in accordance with our agreement with them, and never for their own purposes. Scrive ensures that all its service providers are bound by confidentiality terms and/or sign a non-confidentiality agreement (NDA) regarding information received from Scrive. Scrive enters into Data Processing Agreements (DPA) with all its service providers and conducts Data Protection Impact Assessment (DPIA) if the processing activity poses risk to the rights and freedoms of data subjects.

Use of cookies on the Scrive.com website

A cookie is a small text file that a website saves on a user’s computer. The text file contains data the website may use when the visitor returns to the website. Scrive.com may use cookies to collect and use data from its visitors in the manners explained below.

On the public part of Scrive.com domain Scrive may gather:

Information about the visit (page views, time, IP, browser, referring URL etc.)

Information provided by the user in any of the website’s forms

Such data may be used by Scrive:

For website statistics

To personalise the website when a visitor returns (e.g. language preference, customisations)

For marketing purposes (e.g. retargeting ads, email campaigns)

When you enter Scrive.com website, you have the option to read our Cookie Declaration and adjust your cookie preferences.

How to further restrict/block use of cookies:

The first time you visited scrive.com, you were given the option to accept or reject non-necessary cookies. You are at any time able to update these settings by clicking on the link below. 

Click here to change your cookie settings.

 

Data subject rights

What are your rights?

The GDPR provides you with certain rights with regards to your personal data. 

Thus, you may make a request to the controller for:

  • access; i.e. a confirmation as to whether or not your personal data are being processed and, when that is the case, the provision of certain information about the processing
  • rectification of personal data
  • erasure of personal data (“right to be forgotten”)
  • restriction of processing
  • data portability
  • object to processing
  • withdrawal of consent

This is called a data subject rights (DSR) request. The controller is obliged to respond to a DSR-request as soon as possible and no later than within 30 days.

If Scrive is the controller of your personal data, the DSR-request to Scrive should be made by email, addressed to our Data Protection Officer at dpo@scrive.com. Even if you are not an EU/EEA resident, when Scrive is the controller of the personal data, we will honour your request and handle it according to the same high standard as is provided under the GDPR.

Please note that in case you want to make a DSR-request, this must be directed to the controller and that Scrive cannot accommodate such a request where Scrive is the processor, or subprocessor.

In addition, you have the right to lodge a complaint to a supervisory authority. The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) is the supervisory authority responsible for Scrive. If you lodge a complaint to another supervisory authority within the European Union your complaints will be reassigned to the responsible supervisory authority.

The Swedish Authority for Privacy Protection:

Integritetsskyddsmyndigheten (IMY)

Box 8114

104 20 Stockholm

+46 (0) 8-657 61 00 

imy@imy.se

 

Contact information

If you have further questions

Scrive AB, org no 556816-6804, with registered address at Grev Turegatan 11A, 114 46 Stockholm, is responsible for the processing as described in this privacy notice.

If you have any questions regarding how Scrive is processing your personal data, how functions within Scrive eSign can be used for different purposes in this regard, or would like to come in contact with our Data Protection Officer, do not hesitate to contact us at dpo@scrive.com.