Inkless – Data Processing Agreement (DPA)
Last updated: 14/04/2026
This Data Processing Agreement (“DPA”) forms part of the Inkless Terms & Conditions and applies where Inkless Ltd (“Inkless”, “we”, “us”) processes Personal Data on behalf of a customer (“Customer”, “you”) in the course of providing the Inkless services (“Services”).
This DPA is intended to meet the requirements of Article 28(3) of the UK GDPR and (where applicable) the EU GDPR. If you require a signed copy, please contact legal@inkless.co.uk.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in the Terms & Conditions. In this DPA:
- Controller, Processor, Personal Data, Processing, Supervisory Authority have the meanings in the UK GDPR (and EU GDPR where applicable).
- Customer Personal Data means Personal Data processed by Inkless as Processor on behalf of Customer.
- Sub-processor means a third party appointed by Inkless to process Customer Personal Data.
- UK GDPR means the UK General Data Protection Regulation as incorporated into UK law.
- EU GDPR means Regulation (EU) 2016/679.
2. Roles and Scope
For the purposes of this DPA, Customer is the Controller (or may be a Processor acting on behalf of another Controller), and Inkless is a Processor to the extent it processes Customer Personal Data to provide the Services.
3. Customer Instructions
Inkless will process Customer Personal Data only on documented instructions from Customer, including as necessary to: (a) provide and support the Services; (b) prevent or address technical or security issues; and (c) comply with applicable law.
Customer is responsible for ensuring its instructions comply with applicable data protection law and that it has a valid legal basis for Processing Customer Personal Data.
4. Confidentiality
Inkless will ensure that persons authorised to process Customer Personal Data are under appropriate confidentiality obligations.
5. Security
Inkless will implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. A summary of measures is described in Annex 2 (Technical and Organisational Measures).
6. Sub-processors
Customer authorises Inkless to appoint Sub-processors to assist in providing the Services. Inkless will impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA.
A list of current Sub-processors is described in Annex 3. Inkless may update Sub-processors from time to time. If Customer has a reasonable objection to a new Sub-processor on data protection grounds, Customer may contact Inkless to discuss.
7. International Transfers
Where Processing involves a transfer of Customer Personal Data outside the UK or EEA, Inkless will ensure an appropriate transfer mechanism is in place (for example, the UK International Data Transfer Addendum and/or EU Standard Contractual Clauses where applicable).
8. Assistance
Taking into account the nature of the Processing, Inkless will provide reasonable assistance to Customer to respond to requests from Data Subjects to exercise their rights, and to meet Customer’s obligations relating to security, breach notification, and DPIAs, to the extent required under applicable law.
9. Personal Data Breach
Inkless will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably required to help Customer meet its breach notification obligations.
10. Deletion or Return of Data
Upon termination of the Services, Inkless will, at Customer’s choice and where technically feasible, delete or return Customer Personal Data, except to the extent Inkless is required to retain it by applicable law.
11. Audits
Inkless will make available information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit (including inspections) only where required by applicable law and subject to reasonable prior notice, confidentiality, and security requirements, and limited to once per year unless a material incident has occurred.
12. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the Terms & Conditions, unless prohibited by law.
Annex 1 – Details of Processing
- Subject matter: Provision of the Services (e-signature, document workflow, audit trails, notifications).
- Duration: The term of the Services, plus any retention period required by law or configured in the Services.
- Nature and purpose: Hosting, storing, transmitting, displaying, signing, auditing, and supporting documents and workflows.
- Types of Personal Data: Names, email addresses, phone numbers (if provided), IP addresses, audit log metadata, document contents uploaded by Customer (may include personal data), user account details, and usage/activity logs.
- Categories of Data Subjects: Customer users, Customer recipients/signers, and other individuals included in documents.
- Special categories: Customer may upload documents containing special category data. Customer is responsible for ensuring appropriate safeguards and instructions.
Annex 2 – Technical and Organisational Measures
Inkless maintains measures appropriate to the risk, which may include (depending on configuration): access controls, encryption in transit, encryption at rest for storage systems, logging and monitoring, backups, vulnerability management, and least-privilege permissions.
The Services also use integrity and audit mechanisms typical for e-signature and document workflow systems, including event/audit logging and (where configured) document hashing and trust services for e-sealing.
Annex 3 – Sub-processors
The Services use (or may use) the following Sub-processors to provide core functionality:
- IONOS (application hosting and infrastructure)
- Amazon Web Services (AWS) – London region (document storage/data services)
- Stripe (payments, invoicing, subscription billing)
- Mandrill (transactional email delivery)
- Webex Interact (SMS/text message delivery)
- Microsoft OneDrive (optional customer-enabled document storage/integration)
- SSL.com (document e-seal / trust service, including document hashing as part of the sealing process)
This list should be kept up to date with your actual vendors and hosting regions. Some integrations (such as OneDrive) are optional and only used if enabled by Customer.