Data Processing Addendum Summary

1. Purpose and status

This Data Processing Addendum Summary (DPA Summary) describes the data processing commitments that apply when a customer uses Sign and Go. It is intended as a concise commercial and procurement friendly summary.

If you require a full executed Data Processing Agreement, contact info@signandgo.com.au.

2. Roles of the parties

Customer is the data controller for any personal information that the Customer uploads to, or otherwise processes using, the Sign and Go platform, including personal information about its staff, clients, contractors, recipients, and signers.

NT Development Group, as owner and operator of Sign and Go, is the data processor acting on the Customer's instructions when providing the service.

Where a customer is acting as a processor on behalf of its own client, the customer remains responsible for obtaining all necessary permissions and authorisations to use the service for that end client.

3. Subject matter and duration

Subject matter: Document workflow and electronic signing services, including storage of documents, management of recipients, signing workflows, and audit trail generation.

Duration: Processing continues for the term of the customer's subscription or use of the service, and any additional period required for retention, backups, dispute resolution, or legal compliance, as described in applicable retention settings or contract terms.

4. Nature and purpose of processing

Sign and Go processes data to:

• Upload, store, and present documents for viewing and signing
• Route documents to recipients and signers and manage envelope workflow states
• Capture signing activity, including consent, timestamps, and associated audit information
• Produce completion records such as audit trails and certificates
• Provide administrative functions such as user management, access control, and support

5. Categories of personal information

Depending on how the customer uses the service, personal information processed may include:

• Identifiers and contact details such as name and email address
• Organisation and role information for users and recipients
• Document content uploaded by the customer, which may contain personal information
• Audit metadata such as timestamps, IP address, and user agent

Customers should avoid uploading special category or highly sensitive information unless necessary and appropriate for their use case and internal policy settings.

6. Categories of data subjects

Data subjects may include:

• Customer personnel and authorised users
• Customers' clients, prospects, or counterparties
• Recipients, signers, approvers, and viewers of documents
• Other individuals whose personal information appears within customer documents

7. Processing instructions and customer control

The customer controls what documents are uploaded, who is invited to workflows, and the configuration of signing and retention settings.

NT Development Group processes personal information only to provide and support the service and in accordance with customer instructions as reflected in the customer's use of the service.

NT Development Group may process limited personal information as required to comply with applicable laws or lawful requests.

8. Security measures

Sign and Go implements technical and organisational measures designed to protect personal information, including:

• Authentication and access controls, including workspace based isolation
• Secure signing links using opaque tokens with expiry and single use signing controls
• Encryption in transit using TLS
• Rate limiting on sensitive endpoints
• Audit trails including tamper evident verification using cryptographic hash chaining
• Controlled access to stored documents via envelope scoped authorisation

Security capabilities may vary by deployment configuration. Customers may contact info@signandgo.com.au for deployment specific details.

9. Subprocessors

NT Development Group may engage subprocessors to provide the service, such as hosting, database, and email delivery providers.

A current subprocessor list is provided in the Subprocessors and Infrastructure Statement.

Customers may request updates at info@signandgo.com.au.

10. Data location and cross border transfers

Customer data is stored and processed in the region where the Sign and Go deployment is configured.

Depending on deployment region, personal information may be stored or processed outside Australia.

Customers may contact info@signandgo.com.au to confirm the applicable data residency for their deployment.

11. Assistance with data subject requests

On request and where reasonably possible, NT Development Group will assist customers to address data subject requests such as access, correction, or deletion, taking into account the nature of the service and customer configuration.

12. Deletion and return of data

Customers may request deletion or return of data, subject to the service's available export and deletion features and any applicable legal retention requirements.

Residual copies may persist for a limited time in backups or logs, subject to standard operational practices.

Where automated retention and export features are not available for a specific plan or deployment, NT Development Group will work with the customer on a reasonable approach.

13. Confidentiality

NT Development Group will ensure personnel with access to customer data are subject to appropriate confidentiality obligations.

14. Incident management and notification

NT Development Group maintains an incident response process designed to triage, contain, remediate, and recover from security incidents.

Where a data breach affecting customer data occurs, NT Development Group will notify affected customers without undue delay and provide information reasonably required to support customer obligations, subject to investigation and legal constraints.

15. Audit and assurance

Customers may request reasonable information regarding security measures and subprocessors.

Formal third party certifications, audits, or reports are not provided unless explicitly stated in writing.

16. Contact

For DPA requests or data processing enquiries contact info@signandgo.com.au.