1. Introduction
This DPA is entered into between the Customer (the "Controller") and Notary7 (the "Processor"). It applies whenever Notary7 processes Personal Data on behalf of the Customer in connection with the provision of online notarisation, apostille, embassy legalisation, sworn translation, document retrieval, and related services (the "Services").
2. Definitions
Capitalised terms not defined herein have the meaning given in the GDPR (Regulation (EU) 2016/679). For convenience:
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Processing" — any operation performed on Personal Data, whether automated or not.
- "Sub-processor" — any third party engaged by Notary7 to process Personal Data.
- "SCCs" — the EU Standard Contractual Clauses (Decision 2021/914).
3. Scope & roles of the parties
The Customer is the Controller and determines the purposes and means of processing. Notary7 acts as the Processor and processes Personal Data only on the documented instructions of the Customer, except where required to do so by law.
| Role | Party | Responsibility |
|---|---|---|
| Controller | Customer | Lawful basis, data subject notices, accuracy of submitted data |
| Processor | Notary7 | Security, confidentiality, sub-processor governance |
| Sub-processors | See Annex 3 | Hosting, e-signature, payments, communications |
4. Subject matter & duration
The subject matter is the processing required to deliver the Services as described in the main agreement. This DPA remains in force for the duration of the Services and survives termination as long as Notary7 processes Personal Data on behalf of the Customer.
5. Processing on documented instructions
Notary7 shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law.
5.1 Notification of conflicting law
Where Notary7 is required by law to process Personal Data outside these instructions, it shall inform the Customer of that legal requirement before processing, unless prohibited from doing so.
6. Confidentiality
Notary7 ensures that persons authorised to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty (including notarial secrecy where applicable).
7. Security of processing (Art. 32)
Notary7 implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Pseudonymisation where reasonably feasible.
- Role-based access control with least-privilege principles.
- Mandatory two-factor authentication for all staff and contractors.
- Continuous logging, intrusion detection, and quarterly penetration testing.
- Documented incident response and business continuity plans.
Full details are set out in Annex 2.
8. Sub-processors
The Customer provides a general authorisation for Notary7 to engage Sub-processors, subject to the conditions below.
- Notary7 imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA.
- Notary7 remains fully liable to the Customer for the performance of each Sub-processor.
- Notary7 maintains an up-to-date list of Sub-processors (Annex 3) and provides 30 days' prior notice of any intended addition or replacement.
- The Customer may object on reasonable data protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Services.
9. Data subject rights
Taking into account the nature of the processing, Notary7 assists the Customer by appropriate technical and organisational measures, for the fulfilment of the Customer's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).
10. Personal data breach notification
Notary7 shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach. The notification will include:
- The nature of the breach, including categories and approximate numbers of data subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its adverse effects.
- The name and contact details of the Data Protection Officer.
11. International data transfers
Where Personal Data originating in the EEA, UK or Switzerland is transferred to a country not deemed adequate by the European Commission, the parties rely on the SCCs (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.
12. Audits & inspections
Notary7 makes available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to a reasonable notice period and confidentiality obligations.
13. Return & deletion of data
At the Customer's choice, Notary7 shall delete or return all Personal Data after the end of the provision of Services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
14. Liability & indemnification
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the main agreement between the parties.
15. Governing law
This DPA is governed by the laws of England and Wales, unless a different governing law is required by mandatory EU data protection law, in which case the laws of the Member State of the Customer's establishment apply.
Annex 1 — Details of processing
- Customer end-users requesting notarial services
- Signatories named on submitted documents
- Customer staff and authorised representatives
- Identification data (name, DOB, ID/passport number)
- Contact data (email, phone, address)
- Document contents submitted for service
- Biometric data (liveness check, where used)
- Payment metadata (no card numbers stored)
Verification of identity, drafting and signing of notarial acts, apostille / legalisation routing, translation, secure storage, and delivery of completed documents.
For the duration of the Services and thereafter as required by applicable notarial recordkeeping laws (typically 7–10 years).
Annex 2 — Technical & organisational measures
| Domain | Measure |
|---|---|
| Access control | SSO, MFA, RBAC, quarterly access reviews |
| Encryption | TLS 1.2+ in transit, AES-256 at rest, KMS-managed keys |
| Network | Private VPC, WAF, DDoS protection, IP allow-listing |
| Application | SAST/DAST in CI/CD, dependency scanning, secure SDLC |
| Monitoring | 24/7 SOC, SIEM, anomaly detection, 1-year audit log retention |
| Personnel | Background checks, annual security training, NDAs |
| Resilience | Daily backups, multi-region failover, 99.9% SLA |
| Physical | Tier III+ data centres, ISO 27001 / SOC 2 Type II |
Annex 3 — Sub-processors
The following Sub-processors are currently engaged by Notary7. An up-to-date register is available on request.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting & storage | EU (Ireland) / US |
| Cloudflare | CDN, WAF, DDoS protection | Global |
| Stripe | Payment processing | EU / US |
| Twilio | SMS & voice verification | EU / US |
| SendGrid | Transactional email | EU / US |
| DHL / FedEx / UPS | Document delivery | Global |
Last updated: 1 June 2026 · Version 2.1
