Data Processing Agreement
Last Updated: February 21, 2026
The Short Version
- ✓ This agreement governs how Aramantos Digital processes data on your behalf
- ✓ Your data is processed only as needed to provide the services you use
- ✓ All sub-processors are listed below with links to their privacy policies
- ✓ Data breaches are reported within 72 hours
- ✓ Your data is returned or deleted when the relationship ends
The Long Version
1. Definitions
- "Processor" refers to Aramantos Digital, which processes personal data on behalf of the Controller.
- "Controller" refers to you (the customer), who determines the purposes and means of processing personal data.
- "Data Subjects" refers to the individuals whose personal data is processed (e.g., your users, employees, signatories, or collaborators).
- "Sub-processor" refers to a third-party service engaged by the Processor to assist in processing personal data.
- "Personal Data" has the meaning given in Article 4(1) of the GDPR.
- "Services" refers to any Aramantos Digital product used by the Controller, including ProveChain, SignaSeal, TimeAnchor, Vigilo Verify, and future products.
2. Scope and Purpose
This Data Processing Agreement ("DPA") applies when Aramantos Digital processes personal data on behalf of a customer in the course of providing the Services. It supplements the Terms of Service and Privacy Policy.
Aramantos Digital processes personal data solely to provide, maintain, and improve the Services as described in the Terms of Service. Data is not processed for any other purpose unless explicitly instructed by the Controller.
3. Types of Personal Data Processed
Depending on which Services the Controller uses, the following categories of personal data may be processed:
- Account data: Email address, display name, profile image (from OAuth provider)
- Identity data: Legal name, title, mailing address, contact email (SignaSeal)
- Document data: Agreement text, custom templates, placeholder values (SignaSeal)
- Signature data: Typed or drawn signatures, signing timestamps (SignaSeal)
- Verification data: SHA-256 file hashes, proof metadata, blockchain timestamps (ProveChain, SignaSeal, Vigilo Verify)
- Audit data: IP addresses, user agent strings, action timestamps, share tokens
- Payment data: Processed by Stripe; Aramantos Digital does not store card details
4. Categories of Data Subjects
- The Controller's employees and team members
- The Controller's clients and business partners
- Signatories and counterparties to agreements (SignaSeal)
- Any individual whose data the Controller submits to the Services
5. Processor Obligations
Aramantos Digital will:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure the security of processing (see Section 8)
- Not engage another processor without prior written authorisation from the Controller (see Section 7 for current sub-processors)
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Assist the Controller in ensuring compliance with obligations regarding data breach notification, impact assessments, and prior consultation
- At the Controller's choice, delete or return all personal data after the end of the provision of Services (see Section 10)
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
6. Data Breach Notification
In the event of a personal data breach, Aramantos Digital will:
- Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach
- Provide the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller in investigating and mitigating the breach
- Document all breaches, including facts, effects, and remedial action taken
7. Sub-processors
Aramantos Digital uses the following sub-processors to provide the Services. Each sub-processor has been assessed for GDPR compliance:
- Cloudflare (USA, EU data processing) — DNS management and email routing (Privacy Policy)
- Vercel (USA, EU data processing) — Application hosting and CDN (Privacy Policy)
- Google Cloud Platform (USA, EU data processing) — Authentication and identity infrastructure (Privacy Notice)
- Supabase (USA, EU data processing) — Database and file storage (Privacy Policy)
- Stripe (USA, EU data processing) — Payment processing (Privacy Policy)
- Resend (USA, EU data processing) — Transactional email delivery (Privacy Policy)
- OpenTimestamps (Decentralised) — Bitcoin blockchain timestamping protocol. Open-source, no personal data transmitted, only cryptographic hashes
Aramantos Digital will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, both parties will work in good faith to resolve the issue. If no resolution is reached, the Controller may terminate the affected Services.
8. Technical and Organisational Measures
Aramantos Digital implements the following measures to protect personal data:
Encryption
- All data in transit is encrypted via HTTPS/TLS
- Database storage is encrypted at rest (AES-256)
- Payment data is handled entirely by Stripe (PCI DSS compliant)
Access Control
- Authentication via OAuth providers (GitHub, Google)
- Row-level security policies on database tables
- API key authentication for internal service-to-service communication
- Unique share tokens with automatic expiration for document access (SignaSeal)
Integrity
- SHA-256 cryptographic hashing for file and document integrity
- Bitcoin blockchain anchoring via OpenTimestamps for tamper-evident timestamps
- Hash-chained audit trails for verification history
Infrastructure
- Hosted on Vercel (edge network) and Google Cloud Run (containerised services)
- Supabase database hosted in EU region
- Cloudflare DNS with DDoS protection
- Essential cookies only, no third-party tracking
9. International Data Transfers
Some sub-processors are based in the United States. Data transfers to these providers are governed by:
- The EU-US Data Privacy Framework (where the provider is certified)
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- Each provider's own GDPR compliance mechanisms (linked in Section 7)
Blockchain data (cryptographic hashes only, containing no personal data) is written to the Bitcoin network, which is decentralised and global by design.
10. Data Retention and Deletion
Upon termination of the Services or at the Controller's request:
- Free tier: Documents and associated data are retained for 48 hours after completion, then permanently deleted
- Individual tiers: All data permanently deleted within 30 days of account deletion
- Enterprise tiers: All data permanently deleted within 90 days of account deletion (extended window for compliance and data export)
- Server logs: Deleted after 30 days
- Backups: Purged within 90 days of account deletion
Blockchain records: Cryptographic hashes anchored to the Bitcoin blockchain are permanent by design and cannot be deleted. These hashes contain no personal data and cannot be used to reconstruct the original content.
11. Audit Rights
The Controller may request information from Aramantos Digital to verify compliance with this DPA. Aramantos Digital will provide reasonable cooperation, including access to relevant documentation and, where necessary, facilitation of audits or inspections. Audit requests should be made in writing with reasonable notice to support@aramantos.dev.
12. Governing Law
This DPA is governed by the laws of Ireland and the European Union, including the General Data Protection Regulation (EU 2016/679). Disputes will be resolved in Irish courts.
13. Contact
For questions about this DPA or to exercise data protection rights:
- Email: support@aramantos.dev
- Data Processor: Aramantos Digital
- Location: Ireland
Our Commitment:
This DPA reflects how Aramantos Digital actually handles data, not how a legal template says we should. The sub-processor list is complete and current, the security measures are real, and the retention periods match what the systems enforce.