Data Protection Impact Assessments: Guide for Data Controllers using Zoho Sign

Introduction

According to Article 35 of the General Data Protection Regulation (GDPR), a Data Protection Impact Assessment (DPIA) should be carried out by data controllers where data processing would be likely to result in a high risk to the rights and freedoms of data subjects. These assessments help data controllers understand their data processes, systems, and technologies, and take the measures required to ensure data security and the privacy of data subjects.

Companies that fail to conduct a DPIA when mandated are breaching the GDPR and could face enormous fines of up to 4% of global annual revenue. This document will give data controllers information about Zoho Sign that will help them determine whether a DPIA is needed, and if so, what details must be considered.

We recommend you read Zoho's privacy policy before reading further.

Article 35: Relevant Information About Zoho Sign
A systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person

Zoho Sign may perform some automated processing of data for delivering intuitive reports that will help data controllers gain insights on the status of documents.

Zoho Sign also offers REST APIs with which data controllers can customize the way they process data.

Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10

Zoho Sign is not designed or built for processing special categories of personal data. However, a data controller could use the application to process the enumerated special categories of data.

Systematic monitoring of a publicly accessible area on a large scale

Zoho Sign is not designed or built to conduct such monitoring. However, a data controller could use Sign to process the data collected through such monitoring.

Purpose(s) of processing

The purpose(s) of processing data using Zoho Sign is based on the intent of the controller who implements, configures, and uses it as required.

Categories of personal data processed
Customer Data

This is all data, including text, signatures, documents, roles, email addresses, phone numbers, image files, and other document fields that customers provide to Zoho Sign.

Log Data

Data that Zoho Sign generates to run the application, such as use or performance data. Most of these data contain pseudonymous identifiers generated by Zoho Sign.

Support Data

Data provided to Zoho Sign by customers to engage with Zoho technical experts and get online support services.

Apart from these data, Zoho Sign also collects administrator and billing data, subscription details, payment data, and contact information for providing effective services. Zoho as a data controller will process these data in its own capacity.

Data retention
Customer Data

Zoho Sign will retain deleted documents at the backend for 60 days. After the 60-day retention period, Zoho Sign will delete the data permanently.

We retain your information for as long as it is required for the purposes stated in our Privacy Policy.

Location and transfers of personal data

Please refer to our Privacy Policy.

Data sharing with third-party sub processors

Please refer to our Privacy Policy.

Data sharing with independent third-parties

Please refer to our Privacy Policy.

Data subject rights

Please refer to our Privacy Policy.

An assessment of the risks to the rights and freedoms of data subjects

The key risks to the rights and freedoms of data subjects with the use of Zoho Sign depend on how the data controller uses it. The data controller should be aware of the risk of unauthorized access or inadvertent disclosure.

| Risk | Likelihood | Severity | Mitigations |
| --- | --- | --- | --- |
| Signature link reaching the hands of malicious insiders and hackers | Possible | High | Signing link is sent only to recipient's email. However, users can configure authentication code/OTP for an additional level of security. |
| Email account of recipients getting hacked | Possible | High | Users can configure signer's authentication code to overcome situations like this. |
| Signing link being sent to the wrong recipient | Possible | Medium | Users can use the recall option. |
| Signed documents reaching the hands of malicious insiders and hackers | Possible | Low | Users can securely manage documents within Zoho Sign. Alternatively, they can also store them on cloud storage services. |
| Certificate of completion shared with the wrong person | Possible | Low | The certificate of completion is sent only to the signers and recipients. |
| Loss of users' mobile/laptop | Possible | Low | We recommend users configure TFA/MFA for their Zoho Sign mobile apps. |

Disclaimer: Zoho Sign is not providing any legal advice in this document. This document is being provided for informational purposes only. We recommend you consult with your legal team to determine the need for any DPIAs related to the use of Zoho Sign.