Legal
for the cloud-based service Signivo
Last updated: May 21, 2026
Note: This is a convenience translation of the German Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV). The German version is the legally binding document. In case of any discrepancy, the German version shall prevail.
Table of content
Subject Matter and Duration of Processing
Nature and Purpose of Processing
Categories of Personal Data
Categories of Data Subjects
Obligations of the Processor
Obligations of the Controller
Sub-Processors
Third-Country Transfers
Technical and Organisational Measures (TOMs)
Deletion and Return of Data
Audit Rights of the Controller
Liability
Final Provisions
Annex 1 - Technical and Organisational Measures (TOMs)
Annex 2 - Sub-Processors
This Data Processing Agreement (hereinafter "DPA") supplements the contractual relationship between the customer (hereinafter "Controller") and
MonsJovis Holding UG (haftungsbeschränkt)
c/o Aurich
Eichenallee 37
14050 Berlin, Germany
Commercial register: Charlottenburg Local Court (Amtsgericht Charlottenburg), HRB 214851 B
Managing Director: Markus Aurich
(hereinafter "Processor" or "Signivo")
The Controller uses the cloud-based service Signivo for the central management of email signatures for Google Workspace and Microsoft 365 (hereinafter "Service"). In the course of providing the Service, the Processor processes personal data on behalf of and under the instructions of the Controller. This DPA governs the rights and obligations of the parties in connection with such processing on behalf of the Controller.
Upon acceptance of this DPA (via the button at signivo.io/dpa or by signature), this DPA becomes part of the main contract between the parties (Signivo's Terms of Service, hereinafter "Main Contract").
(1) The Processor processes personal data on behalf of the Controller exclusively for the provision of the Service, i.e. for the central management and deployment of email signatures for the Controller's Google Workspace or Microsoft 365 tenant.
(2) The duration of processing corresponds to the term of the Main Contract. Following termination of the Main Contract, the provisions of § 10 of this DPA apply.
The processing comprises the following activities:
In the course of processing on behalf of the Controller, the following categories of personal data are processed:
Directory data - Google Workspace (via the Google Directory API, read-only access):First and last name, email address, job title, department, telephone number(s) including mobile number, profile picture URL, address (formatted primary address), website URL, manager email address, organisational unit assignment (OU path), Google groups (name, email, display name, description, member count) and group memberships (member ID, email) held short-term in memory at runtime without persistent storage, OU hierarchy (unique ID, display name, OU path, parent path, description) held only short-term in memory for rendering the OU tree, tenant domains and domain aliases, operational account metadata (suspended, archived, creationTime, lastLoginTime) for filtering inactive accounts, and custom attributes (customSchemas) defined by the workspace administrator, accessed exclusively in respect of a Signivo-maintained allowlist of signature-relevant schemas.
Directory data - Microsoft 365 (via the Microsoft Graph API, read-only access):Microsoft object ID, first and last name, display name, primary email address, user principal name (UPN), job title, department, telephone number(s), account activation status, user type, creation time, up to 15 tenant-specific extension attributes (onPremisesExtensionAttributes 1 to 15), profile picture, manager email address, Microsoft 365 groups (name, email, members), tenant domains, and organisation name.
Gmail settings and send-as configurations (read and write access, via the Gmail API):Email signatures and send-as aliases with metadata (send-as email address, display name, primary flag, default flag, alias flag, verification status).
"Signivo for Outlook" Outlook add-in (via the Office.js API):Business email address, display name, currently selected sender address of the user, and the body type of the message currently being composed (HTML or plaintext, transient, not stored). Write access is strictly limited to the active compose item and serves exclusively for the insertion of the centrally configured signature; the content, recipients, subject, and attachments of the composed email are not read.
Data entered by administrators:Company name, website URL, telephone number, address, legal disclaimers, social media links, and uploaded files (e.g. company logos).
Activity logs:User ID, email address, name, type of action, timestamp.
Pseudonymised telemetry and feature management identifiers:Workspace IDs, pseudonymised user IDs, event names, workspace properties (e.g. plan type, onboarding status) for product analytics, feature management, and error analysis via PostHog (EU instance). Email addresses are not transmitted in this context.
Not processed:Across all platforms: email contents, subject lines, metadata, or attachments. For Google Workspace additionally: contacts, Google Drive files, calendar entries, or any other workspace data. For Microsoft 365 additionally: OneDrive or SharePoint files, calendar entries, Teams messages, contents of other mailbox folders, or any other tenant data, in each case to the extent such data do not serve email signature management.
(1) The Processor processes personal data exclusively on the basis of documented instructions from the Controller pursuant to Art. 28 (3) (a) GDPR. The instructions are set out in this DPA, the Main Contract, and the configurations made by the Controller within the Service (e.g. signature templates, assignment rules, sync settings). Further individual instructions may be issued in writing or by email. The relevant email address for instructions is privacy@signivo.io.
(2) Where the Processor is of the opinion that an instruction issued by the Controller infringes the GDPR or other data protection provisions, it will inform the Controller of this without undue delay. The Processor is entitled to suspend execution of the relevant instruction until confirmation or modification by the Controller.
(3) The Processor ensures that persons involved in the processing are committed to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28 (3) (b) GDPR). Manual access by Processor personnel to personal data of individual Controllers is limited to the following exceptional cases: (a) the affected user has expressly consented (e.g. in the context of a support request); (b) such access is necessary for security reasons (e.g. to investigate a security incident); (c) such access is required to comply with applicable laws; or (d) the data are used exclusively in aggregated and anonymised form for internal operational analyses, without any inference being possible regarding individual Controllers or users. Supplementary details are set out in Section 6 of the Privacy Policy.
(4) The Processor supports the Controller in fulfilling its obligations under Art. 12 to 22 GDPR (rights of data subjects) and Art. 32 to 36 GDPR (security of processing, data protection impact assessments, prior consultation) through appropriate technical and organisational measures. The provision of self-service functions integrated within the Service (in particular workspace deletion in the Signivo console) and the disclosure of standard documentation (TOMs, sub-processor list, DPA) is provided free of charge. Requests for data portability pursuant to Art. 20 GDPR and other data subject requests are processed by the Processor on request via privacy@signivo.io; this is provided free of charge within the standard scope. Individual support services going beyond the standard scope will be provided by the Processor against reasonable reimbursement of costs based on its usual hourly rates.
(5) The Processor will notify the Controller without undue delay if it becomes aware of personal data breaches (Art. 33 (2) GDPR). The notification will contain at least a description of the nature of the breach, the categories and volumes of data affected (to the extent known), the likely consequences, and the measures taken and proposed.
(1) Within the scope of this DPA, the Controller is responsible for compliance with data protection provisions, in particular for the lawfulness of data processing and the safeguarding of the rights of data subjects (its employees and users of the connected platforms).
(2) The Controller issues all instructions relating to data processing. It is responsible for assessing the lawfulness of the processing pursuant to Art. 6 (1) GDPR.
(3) The Controller will inform the Processor without undue delay if it identifies any errors or irregularities in the processing.
(1) The Controller hereby grants the Processor general written authorisation to engage further processors (sub-processors) pursuant to Art. 28 (2) GDPR.
(2) The sub-processors engaged at the time of conclusion of this DPA are listed in Annex 2. By concluding this DPA, the Controller approves the engagement of these sub-processors.
(3) The Processor will notify the Controller at least 14 days in advance of any intended change (addition or replacement of a sub-processor), by email to the administrator email address registered in the Signivo account. The current list of sub-processors is available at any time at signivo.io/privacy in the section "Sub-Processors and Third-Party Providers".
(4) The Controller may object to the change within 7 days of notification, in writing, on substantiated data protection grounds. In the event of a justified objection, the Processor will endeavour to offer a reasonable alternative solution. If this is not possible, the Controller is entitled to a special right of termination effective on the date on which the new sub-processor is scheduled to be engaged. In such case, the Controller receives a pro-rata refund of any fees already paid in advance for the period following the effective date of termination; no refund is provided for the period already used. For lifetime deal licences, a pro-rata refund of the purchase price is only granted if the special termination becomes effective within 12 months of acquisition; after expiry of this period, no refund entitlement exists.
(5) The Processor contractually ensures that sub-processors are subject to data protection obligations at least equivalent to those laid down in this DPA (Art. 28 (4) GDPR). The Processor is liable to the Controller for the compliance of its sub-processors with data protection obligations.
(1) The core infrastructure of the Service (database, application servers, file storage) is operated within the EU (Frankfurt region, Germany).
(2) Where sub-processors process personal data in third countries (outside the EEA), the transfer is carried out exclusively on the basis of one of the following mechanisms:
(3) Details of the individual sub-processors and the transfer mechanisms applied are set out in Annex 2.
(1) The Processor implements the technical and organisational measures described in Annex 1 pursuant to Art. 32 GDPR in order to ensure a level of protection appropriate to the risk.
(2) The Processor is entitled to adjust the technical and organisational measures during the term of the contract, provided that the contractually agreed level of protection is not undercut.
(1) Following termination of the Main Contract, the personal data processed on behalf of the Controller will be retained for 30 days in order to give the Controller the opportunity to back up its data or to reactivate the workspace.
(2) Upon expiry of the 30-day period, all personal data processed on behalf of the Controller will be deleted from the production systems. The deletion comprises: the workspace and its settings, all memberships and invitations, all signatures and signature versions, all deployments and logs, all uploaded files, and the encrypted OAuth tokens. To the extent that data are temporarily still contained in encrypted, automated backups of the infrastructure providers, these will be overwritten upon expiry of the regular backup retention period and will not be used productively or restored in the meantime.
(3) Prior to deletion, Gmail signatures already deployed are automatically removed for all affected users, provided that the corresponding Google permissions still exist at that point in time. For Microsoft 365, removal of the integration or of the Outlook add-in ends the further provision of signatures; emails already sent remain unaffected.
(4) The Controller may trigger immediate deletion at any time by manually deleting the workspace in the Signivo console (Settings → General → Delete Workspace). Independently of this, individual platform integrations (Google Workspace, Microsoft 365) may be disconnected in the Signivo console; the integration-specific deletion of cached directory data is in that case effected immediately and transactionally, see further details in Sections 4.3 (Google) and 5.1 (Microsoft) of the Privacy Policy.
(5) Directory data are overwritten with each synchronisation cycle; no historical snapshots are stored. Activity logs are automatically deleted after a maximum of 24 months. Pseudonymised telemetry and feature management data (PostHog) are deleted after a maximum of 12 months. Diagnostic logs of the Outlook add-in (email address, display name) are deleted after a maximum of 30 days. Data from AI-assisted company information extraction (Anthropic) are deleted by the API provider by default after 30 days and are not used for training purposes.
(1) The Controller is entitled to verify compliance with the provisions set out in this DPA (Art. 28 (3) (h) GDPR).
(2) The Processor will, upon request, make available to the Controller, to a reasonable extent, all information necessary to demonstrate compliance with its obligations. This includes in particular the provision of current certifications, audit reports, security documentation, and written information.
(3) On-site audits by the Controller or an auditor commissioned by it are possible with reasonable advance notice (at least 30 days) and subject to consideration of the Processor's operational interests, no more than once per calendar year and on an ad-hoc basis where there is concrete suspicion of a material breach of this DPA. The costs of an on-site audit are borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor.
The contractual liability of the parties is otherwise governed by the provisions of the Main Contract (Terms of Service). Mandatory liability provisions under the GDPR, in particular Art. 82 GDPR, remain unaffected.
(1) Amendments and supplements to this DPA must be made in writing, including by email; oral amendments are not effective. This also applies to any waiver of this written-form requirement.
(2) Should individual provisions of this DPA be or become invalid, this shall not affect the validity of the remaining provisions. The parties undertake to replace any invalid provision with a valid provision that comes as close as possible to the economic purpose of the invalid provision.
(3) This DPA is governed by the laws of the Federal Republic of Germany. The place of jurisdiction is Berlin, to the extent permitted by law.
(4) In the event of conflicts between this DPA and the Main Contract, this DPA prevails to the extent that the processing of personal data is affected.
Physical access control:The infrastructure is operated at Google Cloud Platform and Supabase in certified data centres (Frankfurt region, EU). The Processor does not operate any physical servers of its own. Physical access control to the data centres lies with the respective operators (Google: SOC 2, ISO 27001; Supabase: SOC 2).
Logical access control:Authentication of workspace administrators is provided via Supabase Auth (email/password with hashed storage, Google OAuth, or Microsoft Entra ID). For Outlook add-in users, identification against the Signivo API is performed via single sign-on through Microsoft Entra ID; only the standard OpenID Connect scopes openid and profile are requested for this purpose. The email address required for user assignment is not read from the Entra token but is read at runtime from the Office context (Office.context.mailbox.userProfile.emailAddress); no further Microsoft Graph or mailbox calls are made on the basis of this authentication. Access to the Service is granted exclusively via JWT bearer tokens with limited validity.
Data access control:Row Level Security (RLS) on all database tables: authenticated users see exclusively data from their own workspace. Sensitive columns (in particular OAuth tokens) are excluded from client queries. Role-based permission model (Owner, Admin, Member).
Separation control:Logical tenant separation via workspace IDs. Data of different Controllers are processed in the same database but strictly separated by RLS policies.
Transmission control:All data transmissions are carried out via TLS/SSL. Google OAuth tokens and Microsoft Entra access and refresh tokens are stored encrypted with AES-256-GCM (with a randomly generated initialisation vector per encryption operation and a GCM authentication tag for protection against tampering).
Input control:Activity logs (user ID, email, action, timestamp) enable traceability of all material processing operations. Retention period: a maximum of 24 months.
Availability control:The infrastructure is operated on Google Kubernetes Engine (GKE) with automatic scaling and Redis caching. Supabase provides automated backups and point-in-time recovery. The operators of the infrastructure components ensure industry-standard availability.
Resilience:Due to the cloud-based architecture (GKE), capacity can be scaled automatically during peak loads.
Regular database backups via Supabase. Directory data can be re-synchronised at any time from the Controller's Google Workspace or Microsoft 365 tenant, provided that the respective platform connection and the necessary permissions exist.
Regular review of security measures as part of ongoing operations. Commitment of persons involved in data processing to confidentiality.
This Annex contains only sub-processors engaged in the processing on behalf of the Controller for the Signivo product. Providers used for website hosting, marketing tracking, payment processing, and other processing activities for which Signivo acts as an independent controller (in particular Stripe as an independent controller for payment processing) are not the subject of this DPA; a complete overview of all service providers engaged by Signivo can be found in Section 8 of the Privacy Policy at signivo.io/privacy.
| Provider | Purpose | Processing Location | Data Processed | Customer Platform User Data | Transfer mechanism |
|---|
| Google Cloud Platform |
| (Google Ireland Ltd.) | Infrastructure (GKE, Redis) | Frankfurt, EU | Application data, directory data, encrypted tokens | Yes - both | none (EU) |
| Supabase, Inc. |
| Database, authentication, file storage | Frankfurt, EU | Account data, workspace data, directory data, encrypted tokens, uploaded files | Yes - both | none (EU) |
| Google APIs |
| (Google Ireland Ltd.) | Directory sync, Gmail signatures | EU / USA | Directory data, signature HTML, OAuth tokens | Yes - Google (source) | DPF (Art. 45 GDPR) |
| Microsoft Graph APIs |
| (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland) |
| Directory sync, Outlook add-in signature insertion, authentication via Microsoft Entra ID | EU / USA | Directory data, signature HTML, Entra ID OAuth tokens | Yes - Microsoft (source) | DPF (Art. 45 GDPR); supplemented by 2021 SCC between Microsoft Ireland Operations Limited and Microsoft Corporation (Art. 46 (2) (c) GDPR) |
| Provider | Purpose | Processing Location | Data Processed | Transfer mechanism |
|---|
| PostHog, Inc. |
| (EU instance) | Product analytics, feature management, error analysis | EU | Pseudonymised user/workspace IDs, event names, workspace properties (e.g. plan type); retention max. 12 months | none (EU) |
| Anthropic, PBC |
| AI-assisted company information extraction (onboarding) | USA | Customer domain (string); additionally, potentially personal data from publicly accessible website contents, which Anthropic retrieves independently | SCC (Art. 46 GDPR) |
| Brevo (Sendinblue GmbH) |
| Transactional and lifecycle emails | EU (Germany) | Email addresses and names of workspace administrators and users for product-related communication (account confirmation, invitations, trial and subscription status, security notifications) | none (EU) |
Note on Microsoft Exchange Online: For tenants with Microsoft Roaming Signatures enabled, signatures inserted by the Outlook add-in are additionally cached in the user's Exchange Online mailbox. Hosting and data residency of this mailbox data are governed by the Controller's Microsoft 365 settings and do not constitute processing on behalf of the Controller by Signivo.
The current overview of processors and third-party providers engaged by Signivo is available at signivo.io/privacy (Section 8 of the Privacy Policy). For this DPA, the sub-processors listed in Annex 2 are decisive.
