GDPR

Covosign – Data Processing Agreement pursuant to Article 28 GDPR

Version 1.0 (01 February 2026) 

between 

Customer of Covosign 

– hereinafter “Controller” – 

and 

SMITH & FRIDAY PTE. LTD., 160 Robinson Road, #14-04, Singapore Business Federation Center, Singapore 068914

– hereinafter “Processor” – 

Controller and Processor together referred to as the “Parties”. 

1. Subject Matter and Scope

1.1 The Processor provides a web-based software solution that enables the preparation, transmission, signing, and management of documents by electronic means (“Service”) under a separate agreement (“Terms of Service”). 

1.2 In the course of providing the Service, the Processor processes personal data exclusively on behalf of the Controller within the meaning of Article 4 No. 8 GDPR. 

1.3 This Data Processing Agreement (“DPA”) governs the processing of personal data pursuant to Article 28 GDPR and forms an integral part of the Terms of Service. 

2. Duration of Processing

Processing shall take place for the duration of the Terms of Service and, where applicable, for limited retention periods necessary for backup, system integrity or statutory retention obligations, after which the data shall be deleted or returned in accordance with the Controller’s instructions. 

3. Processing on Instructions

3.1 The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization. 

3.2 Instructions are issued primarily through the configuration and use of the Service or in text form (e.g. email). 

3.3 If the Processor considers an instruction to be in violation of applicable data protection law, it shall inform the Controller without undue delay and suspend execution of the instruction pending clarification. 

4. Confidentiality and Personnel

4.1 The Processor shall ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations pursuant to Article 28(3)(b) GDPR. 

4.2 Access to personal data is limited to those persons who require such access for the performance of the Service. 

5. Technical and Organizational Measures 

5.1 The Processor shall implement appropriate technical and organizational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk. 

5.2 The technical and organizational measures are set out in Annex 1 to this DPA. 

5.3 The Processor may adapt the measures provided that the overall level of protection is not reduced. 

6. Sub-Processors

6.1 The Controller grants general authorization for the engagement of sub-processors pursuant to Article 28(2) GDPR. 

6.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days in advance. The Controller may object on reasonable data protection grounds within this period.  

6.3 Sub-processors shall be contractually bound by data protection obligations equivalent to those set out in this DPA. 

7. International Data Transfers

Personal data is processed primarily within the European Union or European Economic Area. Where personal data is transferred outside the EU/EEA, such transfers shall be safeguarded in accordance with Articles 44–49 GDPR, including, where applicable, adequacy decisions of the European Commission and/or the Standard Contractual Clauses (SCCs), together with supplementary technical and organizational measures where required. Infrastructure hosting for the Service is configured in EU regions. Administrative access is restricted to authorized personnel in accordance with internal access control policies. 

8. Assistance to the Controller 

The Processor shall assist the Controller, taking into account the nature of the processing, in fulfilling obligations relating to data subject rights, data protection impact assessments and prior consultations pursuant to Articles 12–36 GDPR. 

9. Personal Data Breaches

9.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. 

9.2 The notification shall contain all information required under Article 33(3) GDPR to the extent available. 

10. Audits and Compliance

10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. 

10.2 Audits may be conducted at reasonable intervals, taking into account certifications, audit reports or comparable evidence, and shall not unreasonably disrupt the Processor’s operations. 

11. Return and Deletion of Data

Upon termination of the Terms of Service, the Processor shall, at the choice of the Controller, return or delete all personal data processed on behalf of the Controller unless statutory retention obligations apply. 

12. Liability

Liability between the Parties shall be governed by Article 82 GDPR and the liability provisions of the Terms of Service. 

13. Final Provisions

13.1 This DPA shall prevail over conflicting provisions of the Terms of Service with regard to data protection. 

13.2 Amendments to this DPA shall be made in text form. 

13.3 The governing law shall be the law agreed in the Terms of Service. 

ANNEX 1 – Technical and Organizational Measures pursuant to Article 32 GDPR 

The Processor implements the following technical and organizational measures: 

      1. Physical access control

– Operation of processing systems in secured data centers 

– Restricted access for authorized personnel only 

– Visitor management and logging procedures 

      2. Logical access control

– Role-based access control 

– Principle of least privilege 

– Strong authentication mechanisms 

– Secure password policies 

– Automatic session timeouts 

– Logging of access attempts 

      3. Data access control

– Logical tenant separation in multi-tenant environments 

– Separation of administrative and operational access 

– Encryption of personal data at rest 

      4. Transmission control

– Encryption of data in transit using state-of-the-art cryptographic protocols 

– Secure and authenticated communication channels 

      5. Input control

– Logging and audit trails for relevant processing activities 

– Time-stamped system logs 

– Protection of logs against unauthorized modification 

      6. Availability and resilience

– Regular backups 

– Backup storage in separated environments 

– Disaster recovery and business continuity procedures 

– Monitoring of system availability 

      7. Integrity

– Integrity checks for stored and transmitted data 

– Integrity controls ensuring that subsequent modifications of signed documents are detectable via audit logs and system records 

      8. Separation principle

– Logical separation of data of different controllers 

– Separation of test and production environments 

      9. Privacy by design and by default

– Data minimization 

– Default restrictive access settings 

– Configurable retention and deletion mechanisms 

      10. Organizational measures

– Confidentiality obligations for personnel 

– Regular data protection and security training 

– Defined incident management procedures 

ANNEX 2 – Description of the Processing pursuant to Article 28(3) GDPR 

      1. Subject matter of the processing

Provision of a web-based electronic signature and document workflow service. 

      2. Nature of the processing

Hosting, transmission, signing, identity verification, storage of documents and generation of audit trails. 

      3. Purpose(s) of the processing

– Enabling electronic signing of documents 

– Verification and documentation of signature processes 

– Ensuring integrity and authenticity of signed documents 

– Operation and security of the Service 

      4. Categories of data subjects

– Employees of the Controller 

– Customers and business partners of the Controller 

– Contractual counterparties 

– Other individuals designated by the Controller 

      5. Categories of personal data

– Identification data (e.g. name, email address) 

– Contact data 

– Signature-related metadata (e.g. timestamps, IP addresses) 

– Audit and log data 

– Document content uploaded by the Controller 

      6. Special categories of personal data

Special categories of personal data are processed only if and to the extent such data is included in documents uploaded by the Controller. No targeted processing pursuant to Article 9 GDPR takes place. 

      7. Duration of processing

For the duration of the Terms of Service and applicable retention periods. 

      8. Location of processing

European Union / European Economic Area; third-country transfers only with appropriate safeguards. 

      9. Sub-processing

Use of sub-processors in accordance with Article 28 GDPR and this DPA. 

ANNEX 3 – List of Sub-Processors pursuant to Article 28(4) GDPR 

The following entities act as sub-processors when the Processor processes personal data on behalf of the Controller. Where service providers act as independent controllers (e.g. payment service providers), they are identified separately below.  

The Controller authorizes the use of the following sub-processors for the provision of the Service: 

          • Hetzner Online GmbH – Germany

  Data hosting and application infrastructure (EU hosting). 

          • Amazon Web Services EMEA SARL – EU

  S3: document storage   

  SES: transactional email delivery   

  Processing based on EU Standard Contractual Clauses where applicable. 

          • DING SAS (Prelude) – France

  Mobile messaging and SMS delivery. 

          • Stripe Payments Europe Ltd. – Ireland

  Payment processing and billing.   

  Stripe processes personal data as an independent controller for payment services. 

The Processor shall inform the Controller of any intended changes to this list in accordance with Clause 6 of this DPA.