Yousign & the GDPR

The European General Data Protection Regulation (GDPR) strengthens the protection of the personal data of people in the European Union. It harmonises how data may be processed and gives everyone control over how their personal data is used and stored. In the course of its activities, Yousign processes certain personal data belonging to its clients and users. As a Trusted Third Party, the security and privacy of the data we collect has always been a key priority for us. Yousign therefore ensures that it is fully compliant with the GDPR across its complete range of activities, guaranteeing the privacy of the documents and information processed and hosted on our servers and on those of our subcontractors.

A secure document storage system

  • Yousign stores its clients’ PDF documents in storage located in the European Union, with two service providers: Amazon Web Services (AWS) and Microsoft Azure. Our contracts with both providers guarantee that this data remains in the European Union.
  • Access to the providers’ storage services is restricted to Yousign and protected by multi-factor authentication; one of the factors we use is Yubikey, a hardware authenticator.
  • With each provider, the data is replicated across several logical zones (separate infrastructure) and physical zones (data centres several kilometres apart).
  • All data at rest is encrypted with AES-256 using server-side encryption with customer-provided keys (SSE-C). The key is supplied by Yousign with each storage request; the provider uses it only to encrypt or decrypt that request and does not retain it, so the key is known only to Yousign.
  • Data in transit between Yousign and its providers’ services is encrypted with TLS.
  • A checksum computed on each file is verified throughout the storage process, so any corruption or alteration of a stored file is detected.
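To make the SSE-C and checksum points above concrete, here is an added example (not Yousign’s code) showing what a client must send on every request to an S3 object protected by customer-provided keys, and the two checks a practitioner should make afterwards: that the provider’s response confirms SSE-C was actually applied with the expected key, and that a downloaded body still matches the checksum recorded at upload. The header names are the documented AWS S3 ones; the 32-byte key and the PDF bytes are constructed for the example, and the boto3 call in the comment is mentioned for orientation only (the block itself runs offline with the standard library).

```python
import base64
import hashlib

# Hypothetical 256-bit key, constructed for this example only. In production the
# key comes from a KMS or HSM and must be backed up: because the provider never
# stores it, losing the key means losing every object encrypted under it.
EXAMPLE_KEY = bytes(range(32))


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _key_md5_b64(key: bytes) -> str:
    # S3 uses this MD5 only to detect a key corrupted in transit, not as a secret.
    return _b64(hashlib.md5(key, usedforsecurity=False).digest())


def ssec_headers(key: bytes) -> dict:
    """Headers that must accompany every PUT and GET of an SSE-C object.

    S3 encrypts or decrypts with this key for the duration of the request and then
    discards it, keeping only a salted HMAC of the key so a wrong key is rejected.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": _b64(key),
        "x-amz-server-side-encryption-customer-key-MD5": _key_md5_b64(key),
    }


def integrity_headers(body: bytes) -> dict:
    """Checksums sent with the upload so S3 rejects a body corrupted in transit."""
    return {
        "Content-MD5": _b64(hashlib.md5(body, usedforsecurity=False).digest()),
        "x-amz-checksum-sha256": _b64(hashlib.sha256(body).digest()),
    }


def ssec_applied(response_headers: dict, key: bytes) -> bool:
    """Check the PUT/GET response. S3 echoes the algorithm and the key MD5 only when
    the object really was handled with SSE-C and this key; if the headers are
    missing, the object was stored with provider-managed keys instead."""
    return (
        response_headers.get("x-amz-server-side-encryption-customer-algorithm") == "AES256"
        and response_headers.get("x-amz-server-side-encryption-customer-key-MD5") == _key_md5_b64(key)
    )


def body_matches(body: bytes, expected_sha256_b64: str) -> bool:
    """Recompute the SHA-256 of a downloaded body against the value recorded at upload."""
    return _b64(hashlib.sha256(body).digest()) == expected_sha256_b64


if __name__ == "__main__":
    doc = b"%PDF-1.7 constructed sample document\n"  # constructed sample body
    put_headers = {**ssec_headers(EXAMPLE_KEY), **integrity_headers(doc)}
    # Equivalent boto3 call: s3.put_object(Bucket=..., Key=..., Body=doc,
    #   SSECustomerAlgorithm="AES256", SSECustomerKey=EXAMPLE_KEY,
    #   ChecksumSHA256=put_headers["x-amz-checksum-sha256"]); boto3 fills in the key MD5.
    for name, value in put_headers.items():
        print(f"{name}: {value}")
```

Note that with SSE-C the object’s ETag is not the MD5 of the plaintext, so the explicit checksum header, not the ETag, is what must be compared after a download.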

GDPR Compliance

Yousign has introduced a series of measures to guarantee its compliance with the GDPR and the modified “Loi Informatique et Libertés” (French data protection act).

We guarantee the implementation of your rights concerning the processing of your personal data

The GDPR extends people’s rights. You already had the right to access, rectify and delete your data, to object to its processing, and to lodge a complaint with a supervisory authority in the event of a dispute. In addition, you now have the right to restrict the processing of your personal data and the right to data portability.

Traceability and control of our personal data processing operations

As the Data Controller, we maintain a register of processing operations that provides a complete inventory of the processing we perform, of the data each operation requires and of its retention period. One of its purposes is to ensure that only the data necessary to each processing operation is collected. This register is kept up to date as processing changes and is periodically reviewed.

Privacy by Design

When developing new services or improving existing ones, our GDPR officers are systematically consulted so that personal data protection is addressed from the design stage. Yousign aims to maintain its users’ trust by guaranteeing both security and transparency.

Implementation of a data breach declaration procedure

We have introduced an alert procedure for any accidental breach, unavailability, alteration, deletion or loss of data, and for any other security incident. Among other things, this procedure allows us to take the necessary security measures, to notify the supervisory authority within 72 hours where required, and to inform the data subjects concerned. To meet our legal obligations on this point, we maintain a register of data breaches.

The subcontractors’ register

We maintain an exhaustive list of all of our subcontractors and have ensured that those likely to process personal data are contractually committed to complying with the current and future legal framework.

The register of our subcontracting activities

In order to comply with the legal framework, we also maintain a register of our subcontracting activities for each of our clients.

Training and awareness-building activities for our staff concerning cybersecurity and data protection

Yousign’s staff are regularly informed about cybersecurity issues, and all have completed the MOOC on these topics run by the ANSSI (the French national cybersecurity agency).

Designation of a Data Protection Officer (DPO)

We have appointed a DPO responsible for ensuring compliance with the GDPR within our organisation. The DPO is also the point of contact for clients and users seeking any information about data protection. To contact our DPO: dpo@yousign.fr.

How can you access your data?

If you are a Yousign client

Yousign is the data controller for the personal data of its staff and clients. Only the data necessary to manage our clients and prospective customers is collected.

This data is collected for the purposes of informing clients and prospective customers and of managing the contracts between Yousign and its clients, and it is retained only as long as those purposes require. Pursuant to the “Loi Informatique et Libertés” (the French data protection act) and the GDPR, data subjects may exercise their rights to access, rectify or delete their data, to object to or restrict its processing, to data portability, and not to be subject to an automated individual decision. You may submit your request by e-mailing dpo@yousign.fr.

If you consider that we are not respecting your rights, you may also refer the matter to the Supervisory Authority of the country in which you live.

Any request to exercise your rights submitted by post must be accompanied by a copy of a valid identity document.

If you are an external signatory / not a client of Yousign

On behalf of its clients, Yousign processes the personal data needed to provide the services to which those clients have subscribed.

This includes, among other things, collecting and hosting the personal data of the signatories of our clients’ documents. The legal basis for this processing is the provision of the contracted services.

When Yousign acts as a data processor, we are not authorised, unless expressly agreed otherwise, to handle your rights-related requests (access, rectification, deletion, objection, restriction of processing, data portability, or the right not to be subject to an automated individual decision). For these, please contact the organisation that used Yousign’s services for your electronic signature procedure directly. Yousign naturally cooperates fully with the clients for which it acts as a subcontractor to help them respond to such requests.

Emailing

To learn more about Yousign’s legal information and privacy policy, please consult our dedicated legal information and privacy policy page.

Contact

For all requests for information concerning the processing of your personal data please contact the following address: dpo@yousign.fr.