Integritet och säkerhet

GDPR is EU Regulation on data protection and privacy (personal data).

The regulation is implemented in all local privacy laws across the entire EU and EEA region. It will apply to all companies selling to and storing personal information about citizens in Europe, including companies on other continents. It provides citizens of the EU and EEA with greater control over their personal data and assurances that their information is being securely protected across Europe.

What counts as personal data?

According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

What does it mean?

GDPR contains several requirements that benefit consumers by requiring increased control and transparency related to the personal data collected by organizations. At the same time, there are significant fines for infringements - up to 4% of global revenue or a maximum of EUR 20 million. Important differences to the previous privacy policy are that it includes much stronger terms for consent and obligations for data processors and data collectors, where mandatory contract terms between the parties are required.

Privacy by Design

GetAccept is built from the ground up to incorporate the principles of data protection and privacy through design (Privacy by Design).

Your rights under GDPR

The right to access –this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.

• The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
• The right to data portability – Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine readable format.
• The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
• The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
• The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
• The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
• The right to be notified – If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.

Data Processing Agreement (DPA)

The GDPR states specific demands for agreements between Data Controllers and their Data Processors that are used to process the personal data that they are in control of. These agreements are called Data Processing Agreements and should always be handled if data is shared with third parties. You can find GetAccepts standard DPA here.

Schrems II and the SCC

On 16 July 2020, the Court of Justice of the European Union (ECJ) in its case called “Schrems II”) changed the way data can be transferred to a third country outside of EU, invalidated the old EU-US Privacy Shield. The Commission’s Standard Contractual Clauses (SCC) are valid as a transfer mechanism but require additional security measures and transfer impact assessments (see below). GetAccept has the latest SCCs in place with all sub processors. For more detailed information on the latest initiatives and our view of the EU - US data transfer topic please contact us.

Transfer impact Assessment (TIA)

GetAccept has conducted Transfer Impact Assessment on its data transfers. For a copy of our Assessment please reach out to us on [email protected].

Contact information

If you have any questions or suggestions regarding our policies or practices, please contact us at legal @getaccept.com. We are always happy to discuss!

GetAccept provides you with a legally binding eSignature solution for your agreements and contracts. GetAccept complies with the requirements of the U.S. Electronic Signature in Global and National Commerce Act of 2000 (ESIGN), the Uniform Electronic Transactions Act (UETA), and the European Union eIDAS (EU No.910/2014) regarding electronic signatures and transmissions, which makes eSignatures fast, easy, and legally binding.

E-signature Law in the United States

GetAccept’s electronic signature solution in the United States complies with the definition of an electronic signature under the Electronic Signatures in Global and National Commerce (ESIGN) and the Uniform Electronic Transactions Act (UETA).

E-signature Law in the United Kingdom

In the United Kingdom, the equivalent legislation to the ESIGN Act in the United States is the Electronic Communications Act 2000. GetAccepts electronic signature solution complies with the definition of an electronic signature under this act.

E-signature Regulation in the European Union

In 2014, the European Parliament created a more uniform market for electronic transactions with the release of the EU Regulation No 910/2014 on electronic identification and trust services for electronic transactions in the internal market, also known as eIDAS. Electronic signatures are actively being used in Europe, and GetAccept’s eSignatures are compliant with eIDAS and EU electronic signature technical standards. You can read more about eIDAS below.

Signature authentication

GetAccept authenticates document signers so there is 100% transparency as to who is signing your documents. To protect all GetAccept user accounts, user information is transferred over 256-bit SSL encryption, including sensitive information like usernames and passwords. GetAccept also prevents others from accessing or using your account by imposing automated session time-outs and emailing you every time a contract is sent to, received by, or signed using an account.

Signature affixation

Each signature on a contract is imposed and affixed to the contract. GetAccept creates a comprehensive transaction trail between signing parties. To provide transaction history, we track and timestamp various information from the moment the document is submitted for signature to when it is completely signed and secured.

Full evidence log

A complete evidence log is a crucial factor to confirm when choosing an eSignature provider. Every send-out has a unique ID that reflects the contents of the document. GetAccept tracks the entire process and compiles it into a complete history of every action taken inside the document. Activities are marked with a trusted timestamp, email, IP number, and IP location.

Court-admissible transactions log 

GetAccept creates a comprehensive transaction trail between signing parties. In order to provide this transaction history, we track and timestamp various information from the moment the document is submitted for signature to when it is completely signed and secured, such as IP information and UserAgent information. To ensure against any tampering with your transaction log, the transaction log is secured with hashing technology. This audit trail gives you a full evidence log to bring to court should any conflicts arise.

Electronic signatures and eIDAS

eIDAS is an EU regulation on electronic identification and trust services for electronic transactions that applies as law within the whole of the EU.

Electronic Identification, Authentication and Trust Services (eIDAS)

The goal of the eIDAS regulation, which started in 2014, is to facilitate the flow of commerce in the EU through transparency, security, technical neutrality, cooperation, and interoperability. In pursuit of these values, eIDAS:

• Standardizes the use of electronic identification (eID)
• Defines a new class of “electronic trust services” (eTS)
• Clarifies and ensures the legal validity of electronic signatures
• Creates a European internal market within the EU for electronic trust services
  
  

Different levels of electronic signatures

The eIDAS regulation defines three types of electronic signatures: (Basic) Electronic Signature, Advanced Electronic Signature, and Qualified Electronic Signature. According to eIDAS, an electronic signature is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and is used by the signatory to sign”.

Basic electronic signature

A basic electronic signature can be any kind of signature made in an electronic and digital environment, where the signatory has manifested their intent (e.g. by clicking a button or checking a box) to become bound by the contents of the document signed.

GetAccepts standard "click to sign" solution is considered a very strong Basic electronic signature and sufficient for most business agreements.

Advanced electronic signature (AdES)

According to eIDAS, an advanced electronic signature shall meet the following requirements:

1. uniquely linked to and capable of identifying the signatory;
2. created in a way that allows the signatory to retain control;
3. linked to the document in a way that any subsequent change of the data is detectable.
   
   

These elements of unique identity, control, and integrity of the signed document can be achieved through different means. A recognized eID assures secure authentication of the signatory’s identity in the online environment.

GetAccept has multiple ways of creating a Advanced Electronic Signature, for instance with the use of a eID or MFA solution.

Qualified electronic signature (QES)

According to eIDAS, “‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and is based on a qualified certificate for electronic signatures.” The use of Qualified Electronic Signatures includes an extra layer of assurance and trust that results in a special legal effect that shall be recognized by courts in the EU.

From a legal perspective QES should in EU be equivalent to a "wet ink" signature and the burden of proof in a court is on the challenger.

GetAccept has thru an external partnership the possibility to offer QES seamlessly integrated into the signing workflow in most European countries.  It should be noted that QES add a extra level of security but also complexity and cost to the signature flow.

Please contact us for more detailed information on QES.

GetAccept is built on a stable, redundant and scalable infrastructure and designed for 100% uptime. We have backups, full encryption and conduct yearly penetration tests to secure data against all possible threats. No system is better than the persons working on it and we provide regular security training to our staff and have among other things implemented a segregation of duties and least privilege access principles in the organization.

SOC2

System and Organization Control (SOC) 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

GetAccept undergoes a yearly rigorous audit conducted by a reputable certified third party auditor to certify the GetAccept services against this standard. The audit firm evaluates if GetAccept compliance controls are designed appropriately and if they are effectively operational.

The latest SOC 2 type 2 report may be requested by reaching out to our support. Potential customers can reach out to sales for more information.

Encryption and additional security measures

We encrypt our data in transit using ECDSA 256 (a 3072bit equivalent SSL/TLS certificate) and we encrypt our data in rest using the industry-standard AES-256. Read more about GetAccepts additional security measures here.

Data Storage

GetAccept only uses trusted and a select few sub processors that stores data. The sub-processors are assessed continually. Read more about the sub processors in our DPA.

Privacy

In general, the Personal Information you provide to us is used to help us communicate with you better. GetAccept takes your privacy seriously and will never share your personal information with any third party other than what is stated in our privacy policy. Read more here Privacy Policy.