This is a plain-English overview. The legally controlling text is in our Privacy Policy and Data Processing Agreement.
GDPR, in plain English.
What we do with personal data, how we comply with EU and UK data-protection law, and how you exercise your rights.
What you probably came here to verify
- FusionDocs complies with the EU GDPR and UK GDPR
- Pre-signed DPA available from your dashboard, no negotiation required for most teams
- EU data residency option — your data stays in AWS eu-central-1
- Standard Contractual Clauses (SCCs) in place for transfers outside the EEA / UK
- Subprocessor list public and current, with email notifications on changes
- Data Subject Access Requests handled in-product, response within 30 days
- We don't sell personal data. We don't train AI models on your documents.
Controller, processor, and what that means
Under GDPR there are two main roles. Knowing which you're in matters.
When you use FusionDocs to send documents
- You are the Controller — you decide what's signed, who's involved, why
- We are the Processor — we act on your instructions to provide the service
- The Data Processing Agreement (DPA) governs that relationship
When FusionDocs collects your own account information
- We are the Controller — for your name, email, billing info, account activity
Your customers (signers) under GDPR
When you send a document for signing, the signer's personal data is processed:
- By you (as Controller — you decide who to send to and why)
- By us (as Processor on your behalf)
The signer must be informed about who's processing their data and why. Our default signing flow includes a notice with your name, our name, links to both privacy policies, and the legal basis. You can configure this for your jurisdiction in your workspace settings.
Pre-signed, ready to go
You don't need to negotiate a DPA. Ours is pre-signed and downloadable from your account dashboard. It includes:
- Subject matter, duration, and purpose of processing
- Types of personal data and categories of data subjects
- Your rights as Controller and our obligations as Processor
- Subprocessor approval (general written authorization)
- Cross-border transfer mechanisms (SCCs)
- Audit rights
- Annex II (technical and organizational measures)
Negotiated DPA
Enterprise customers can negotiate custom DPA terms. Contact legal@fusiondocs.com.
Moving data across borders, legally
EU/EEA to outside
Where we transfer personal data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) — incorporated in our DPA, the 2021 modules
- Adequacy decisions where applicable (UK, Switzerland, Israel, Argentina, etc.)
- Supplementary measures — encryption, access controls, transparency about subprocessors — for transfers to non-adequate jurisdictions
UK to outside
We use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, as applicable.
EU data residency
For workspaces hosted in our EU region (AWS eu-central-1, Frankfurt), your Customer Content stays in the EU. Some metadata (billing, support tickets, account info) may be processed in our headquarters region — listed transparently in our subprocessor disclosures.
What you can ask us to do
If we hold personal data about you, you have these rights under GDPR Articles 15–22:
- Right to access (Art. 15) — get a copy of your data
- Right to rectification (Art. 16) — correct anything wrong
- Right to erasure (Art. 17) — also known as “right to be forgotten”
- Right to restriction (Art. 18) — pause processing
- Right to portability (Art. 20) — get your data in a machine-readable format
- Right to object (Art. 21) — to certain processing
- Right not to be subject to automated decision-making (Art. 22) — n/a; we don't make automated decisions with legal effects about you
How to exercise
- If you're a FusionDocs account holder: use the data export / deletion tools in your account settings
- If you're a signer or otherwise a data subject of one of our customers: contact the customer who sent you the document. They're the Controller; we'll help them respond, but we can't process the request on their behalf without their authorization.
- If you're not sure: email privacy@fusiondocs.com and we'll route it.
Response time
We respond within 30 days. Complex requests may extend to 90 days with notice.
Complaints
If you're not satisfied with our response, you can complain to your local Data Protection Authority. EU DPAs are listed at edpb.europa.eu. The UK's is the Information Commissioner's Office at ico.org.uk.
Why we process what we process
For your Customer Content (documents)
- Legal basis: contract (Art. 6(1)(b)) — we process it because doing so is necessary to provide the service you contracted with us for
For account info, billing, support
- Legal basis: contract, plus legitimate interest for fraud prevention and account security
For marketing
- Legal basis: consent (where required by applicable law, e.g., EU, UK), or legitimate interest (for non-EU/UK customers, with a clear opt-out)
For audit logs and security
- Legal basis: legitimate interest (security, fraud prevention, legal defense), plus legal obligation in some jurisdictions
For special categories (Art. 9)
We don't intentionally collect special categories of data (health, race, religion, etc.). If you choose to put such data in a document you upload, you do so as Controller — make sure you have the legal basis for it.
Age 16 and under
FusionDocs is not directed at children. We don't knowingly collect personal data from anyone under 16. If we learn we have, we delete it.
If you're an EU customer using FusionDocs in connection with minors (employment of 14-year-olds, school programs, etc.), make sure you have appropriate parental consent or another legal basis under Article 8.
If something goes wrong
We follow GDPR Article 33 (notification to supervisory authorities) and Article 34 (notification to data subjects).
What we promise
- Notification to you (as Controller) within 72 hours of confirmation of a breach affecting your data
- Information about what happened, what data was involved, our remediation, and our recommended next steps
- Cooperation with your own breach-notification obligations to your data subjects
What we ask of you
If you suspect a breach on your side that involves FusionDocs data, tell us at security@fusiondocs.com. Faster cooperation is better cooperation.
EU Representative and DPO
- Our EU Representative under GDPR Art. 27 is [NAME, ADDRESS]
- Our UK Representative under UK GDPR Art. 27 is [NAME, ADDRESS]
- Our Data Protection Officer is [NAME], reachable at dpo@fusiondocs.com