Operator / Data controller
- Company name: [COMPANY LEGAL NAME] Kft.
- Registered seat: [REGISTERED SEAT — street and number, postal code, city], Hungary
- Company reg. no.: [COMPANY REGISTRATION NUMBER]
- Court of registration: [COURT OF REGISTRATION]
- Tax number: [TAX NUMBER]
- EU VAT number: [EU VAT NUMBER]
- Represented by: [MANAGING DIRECTOR]
- Contact e-mail: info@sealium.eu
[COMPANY LEGAL NAME] Kft. (“Sealium”) is committed to compliance with Regulation (EU) 2016/679 (the “GDPR”) and applicable Hungarian data-protection law. This page explains our roles, the agreement that governs how we process customer data, and the safeguards we apply. It complements our Privacy Policy.
1. Controller and processor roles
Our role under the GDPR depends on the data in question:
- We are the controller for the personal data of our account holders — registration details, billing data and usage analytics — as described in our Privacy Policy.
- We are a processor for the content of the documents you validate. Validation Reports can contain personal data about document signers (for example a signer’s name and certificate details). We process that data only on your instructions and on your behalf; you are the controller for it.
Because we never store the documents themselves, our processing as a processor is limited to generating and storing the Validation Report you ask us to produce.
2. Data Processing Agreement (DPA)
Where we act as your processor, our processing is governed by a Data Processing Agreement that meets the requirements of GDPR Article 28. Our standard DPA is available on request and, once accepted, forms part of your agreement with us. It covers the subject-matter, duration, nature and purpose of processing, the types of personal data and categories of data subjects, and our obligations as processor. To request the DPA, contact info@sealium.eu.
3. Sub-processors
We engage the following sub-processors to deliver the Service. Each is bound by data-protection terms consistent with the GDPR. We will give advance notice of changes so you can object on reasonable grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting & container infrastructure | EU |
| Neon | Managed PostgreSQL (account, usage, reports) | EU (Frankfurt) |
| Auth0 (Okta) | Authentication & identity for the console | EU / US (SCCs) |
| Paddle | Payment processing & tax (Merchant of Record) | EU / UK (SCCs) |
| Vercel | Hosting of the marketing website | EU / US (SCCs) |
4. Data-subject rights
Data subjects have the rights set out in GDPR Articles 15–22 — access, rectification, erasure, restriction, portability and objection. Where we are the controller, you can exercise these rights directly with us (see our Privacy Policy). Where we are your processor, we will assist you, by appropriate technical and organisational measures, to respond to data-subject requests you receive, insofar as possible.
5. International transfers
We host and store customer data in the European Union. Where a sub-processor processes personal data outside the EEA, we rely on an adequacy decision or on the European Commission’s Standard Contractual Clauses, together with supplementary measures where appropriate, to safeguard the transfer.
6. Security measures
In line with GDPR Article 32, we maintain technical and organisational measures appropriate to the risk, including:
- encryption of data in transit (TLS);
- scoped, revocable API-key authentication and OAuth2/OIDC for the console;
- per-tenant isolation of stored Validation Reports;
- HMAC-signed webhooks with per-tenant signing secrets;
- least-privilege access to infrastructure and structured audit logging;
- a data-minimising architecture in which documents are never stored.
7. Personal-data breaches
We maintain procedures to detect, investigate and respond to personal data breaches. Where we act as controller and a breach is likely to result in a risk to individuals, we notify the supervisory authority without undue delay and, where required, within 72 hours, and inform affected individuals where the risk is high. Where we act as your processor, we notify you without undue delay after becoming aware of a breach affecting your data.
8. Contact and supervisory authority
For any GDPR matter, including DPA requests and data-protection questions, contact info@sealium.eu. You may also lodge a complaint with the Hungarian supervisory authority, Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), H-1055 Budapest, Falk Miksa utca 9-11, Hungary — https://naih.hu.