This Privacy Policy was drafted by the Signatrust team for Sign a Trust (KvK 83656480, VAT NL003855446B93), with the Autoriteit Persoonsgegevens as lead supervisory authority. It should be reviewed by qualified Dutch counsel before it is relied upon. It is published in good faith but is not a substitute for legal advice.
In plain language (TL;DR)
- Zero data access by design. We do not receive your prompts, model outputs, documents, files or the personal data of your end users. They are hashed in your environment; only the fingerprint reaches us.
- What we do see: the email and password (hashed) you create your account with, the agent names you choose, the metadata you choose to send (decision type, risk level, policies, timestamps), and ordinary server logs.
- What we never sell. We do not sell personal data. Ever.
- You stay in control. You can access, correct, export or delete your account data, withdraw any consent, and complain to a Data Protection Authority. See section 8.
- Where it lives. The Service runs on a dedicated server hosted within the European Union. The identity of the data-centre operator is disclosed under NDA to enterprise customers on request at privacy@signatrust.net. No personal data is transferred outside the EEA except as described in section 7.
1. Who is the controller
The data controller for the personal data described in this Policy is:
- Operator: Sign a Trust
- Jurisdiction of incorporation: the Netherlands — Province of Overijssel
- Registered office: Haverstraat 43, 7413 XR Deventer, the Netherlands
- Dutch Chamber of Commerce (KvK) number: 83656480
- VAT identification number: NL003855446B93
- Data Protection contact: privacy@signatrust.net
- Data Protection Officer: not designated — the processing carried out by Sign a Trust does not fall within the mandatory cases listed in Art. 37(1) GDPR. A DPO will be appointed and announced here if this changes.
When you call our API as a business to record decisions made about your own end users, you typically act as a controller in respect of those end users; we typically act as a processor on your instructions for any metadata derived from their personal data. A Data Processing Agreement (DPA) is available on request.
2. What we collect (and what we don't)
2.1 What we do not collect
Because the Service is designed for zero data access:
- We do not receive your raw inputs (prompts, requests, documents).
- We do not receive your raw outputs (model responses, generated files).
- We do not receive the content of files you sign through Signatrust Sign; only the SHA-256 hash computed in the user's browser.
- We do not request and do not want the personal data of your end users (names, identifiers, addresses, financial details, health data, etc.).
2.2 What we do collect
Categories of personal data we process when you use the Service:
- Account data: email address, password (stored as a salted hash), display name, organisation name (optional), the date you accepted these documents.
- API metadata: agent names, decision types, risk levels, policy identifiers, permission identifiers, timestamps, the SHA-256 fingerprints of inputs and outputs, and the Receipt identifier and sequence number. Fingerprints are one-way and do not contain the underlying content.
- Trust signals: derived statistics about your account — volume of Receipts, ratio of human-reviewed actions, incident counts — used to compute the Trust Score and Trust Passport.
- Network contributions (opt-in only): when you select Level 2 or Level 3 in the Trust program, we additionally process the anonymised, k-protected counts and rates you choose to contribute.
- Support & communications: messages you send to us by email or other support channels.
- Technical logs: IP address, user-agent, request path, response code, latency, error traces. Used for security, abuse prevention and debugging; retained as described in section 4.
3. Why we process it & on what lawful basis
For each category we set out the purpose and the GDPR Article 6(1) lawful basis:
- Providing the Service (account, API, ledger, verification, Trust Passport, compliance & risk reports) — performance of a contract with you, Art. 6(1)(b).
- Account security and abuse prevention (rate limits, anomaly detection, fraud and forgery monitoring, security investigations) — legitimate interests in protecting the Service, our users and third parties, Art. 6(1)(f).
- Compliance with legal obligations (tax records for paid plans, responses to lawful orders, GDPR record-keeping) — legal obligation, Art. 6(1)(c).
- Service emails (account confirmation, API-key reset, security notices, material policy changes) — performance of a contract / legal obligation.
- Network contributions and benchmarks — explicit consent, Art. 6(1)(a). You may withdraw consent at any time by returning to Level 1 (Private) in the Trust program; withdrawal does not affect lawfulness before withdrawal.
- Product analytics — first-party, aggregate-only analytics derived from server logs. No third-party advertising trackers. Legitimate interests, Art. 6(1)(f).
We do not process special categories of personal data under Art. 9 GDPR. Please do not submit them; if you accidentally do, contact us so we can delete them.
4. How long we keep it
- Account data: for the lifetime of the account and up to 6 months after deletion, for security and dispute-handling, then removed.
- API metadata and Receipts: kept for the lifetime of the account. Sealed Receipts remain in the append-only ledger after account closure to preserve the integrity of the chain (without them, downstream Receipts cannot be verified). Personal identifiers in the agent profile (such as your display name) are removed; the Receipt's cryptographic content (hashes, signature, timestamp) is retained.
- Technical logs: typically retained for 30 days, up to a maximum of 90 days, for security and reliability.
- Support correspondence: 2 years after the matter is closed, unless a longer period is required by law.
- Billing records (paid plans): 7 years, or any longer period required by applicable tax/accounting law.
5. Cookies & local storage
The Service uses a minimal set of strictly-necessary cookies and browser localStorage to keep you signed in and to remember the API key you created in the Sandbox dashboard. We do not use advertising, cross-site or tracking cookies, and no third-party analytics SDKs are loaded.
- Authentication cookie — session token after sign-in; expires when you log out or after a reasonable inactivity period. Strictly necessary; no consent required.
- Sandbox localStorage — on /dashboard and /sign, your demo agent identifier and the one-time API key are stored in your own browser. You can clear them at any time from the page or via your browser's privacy controls.
- Preferences — UI preferences such as theme or section state, stored locally in your browser only.
You can disable cookies in your browser, but parts of the Service will stop working (you will not be able to stay signed in).
6. Who else sees it (subprocessors)
We do not sell personal data and we do not share it for advertising. We use a small number of carefully selected subprocessors, each bound by a Data Processing Agreement under Art. 28 GDPR:
- Hosting: a single EU-based data-centre operator providing the dedicated server, storage and network on which the Service runs. The provider's identity is disclosed under NDA to enterprise customers on request.
- Email delivery (account confirmation, API-key reset, security notices): outbound email is sent directly from our own server over SMTP. No third-party email delivery service (e.g. SendGrid, Postmark, Mailgun, AWS SES) is involved in transactional mail at this time.
- Domain & DNS: the registrar and authoritative DNS provider for signatrust.net. Neither receives application-level personal data; both see only the queries inherent to operating the domain. The provider's identity is disclosed under NDA on request.
- TLS certificates: Let's Encrypt (ISRG), automated issuance only.
- Error monitoring (if enabled): self-hosted, no third-party processor.
A current list of subprocessors is available on request at privacy@signatrust.net; material changes are notified to active customers with reasonable advance notice.
We may disclose personal data to courts, regulators or law-enforcement authorities where required by law or in response to a lawful order. We will, where permitted, notify the affected user before disclosing.
7. International transfers
Personal data is stored and processed in the European Union. Where a subprocessor or a counterparty requires a transfer outside the EEA, we rely on an Article 45 adequacy decision where available, otherwise on the European Commission's Standard Contractual Clauses (Decision 2021/914) with appropriate supplementary measures. Details are available on request.
8. Your rights under the GDPR
If you are in the EU/EEA, you have the following rights with respect to your personal data:
- Right of access (Art. 15) — a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — deletion of your personal data, subject to limited exceptions (e.g. legal obligations, integrity of the cryptographic ledger as described in section 4).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — a machine-readable export of the data you provided.
- Right to object (Art. 21) to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) for any processing based on consent — without affecting prior lawful processing.
- Right not to be subject to a solely automated decision with legal or similarly significant effects (Art. 22). The Trust Score and Risk Profile are technical signals; they do not by themselves take decisions about you.
- Right to lodge a complaint with a supervisory authority — your local Data Protection Authority, or our lead authority the Autoriteit Persoonsgegevens (Dutch DPA), Bezuidenhoutseweg 30, 2594 AV The Hague, the Netherlands — autoriteitpersoonsgegevens.nl.
To exercise any of these rights, write to privacy@signatrust.net. We respond within one month (extendable by two further months for complex requests, with notice). We may need to verify your identity before acting.
9. Security
We protect personal data with measures appropriate to the risk, including:
- TLS in transit (HTTPS only; HSTS); encrypted backups at rest where supported by the storage layer.
- Salted password hashing; one-time display of API keys; SHA-256 hashing of keys at rest.
- Ed25519 signing of every Receipt, with chained hashes that make undetected tampering of the ledger infeasible.
- Strict separation between fingerprint metadata and any operational secrets.
- Principle of least privilege for staff access; access reviews; audit logging.
- A coordinated vulnerability disclosure address at security@signatrust.net.
No system is perfectly secure. We make no guarantee against every possible attack, but we treat security as a first-class engineering and operational priority.
10. Children
The Service is not directed at children. We do not knowingly process personal data of children under 16 (or the digital-age-of-consent equivalent in your jurisdiction). If you believe a child has provided us with personal data, contact us and we will delete it.
11. Automated decision-making & profiling
The Service produces derived signals — Trust Score, Trust Passport, Risk Profile, premium index — from verifiable history. These are intended to inform decisions taken by you or by counterparties (auditors, regulators, insurers). Signatrust does not itself take legally significant decisions about you on the basis of profiling. Where you, as a controller, use these signals to take a decision with legal or similarly significant effects about an individual, you are responsible for the obligations in Art. 22 GDPR, including providing meaningful information about the logic and the right to human intervention.
12. Personal-data breach handling
If we become aware of a personal-data breach affecting your data, we will notify the relevant supervisory authority without undue delay and where feasible within 72 hours, as required by Art. 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay, as required by Art. 34. Customers with active accounts will receive a notice by email and an in-product banner.
13. Changes to this Policy
We may update this Policy to reflect changes to the Service or to applicable law. We will publish the new version at signatrust.net/privacy, update the "Last updated" date, and give reasonable advance notice of material changes by email to active account holders.
14. Contact & supervisory authority
- Data protection contact: privacy@signatrust.net
- Postal: Data Protection, Sign a Trust, Haverstraat 43, 7413 XR Deventer, the Netherlands
- Data Protection Officer: not designated (no mandatory case under Art. 37(1) GDPR applies to current processing).
- Lead supervisory authority: Autoriteit Persoonsgegevens (Dutch DPA), Bezuidenhoutseweg 30, 2594 AV The Hague, the Netherlands — autoriteitpersoonsgegevens.nl. You may also complain to the supervisory authority of your country of residence.