Legal
Data Processing Agreement
Last updated: July 6, 2026
This DPA forms part of the Signalify Terms and governs the processing of customer-controlled personal data through review collection, imports, widgets, analytics, and related services.
Status and scope of this Agreement
This Data Processing Agreement (“DPA”) forms part of the Signalify Terms & Conditions and applies automatically when a customer uses Signalify to process personal data on behalf of that customer.
The customer entering the Terms is the “Customer”. The operator of Signalify identified in the Legal Notice is “Signalify”. This DPA governs Customer Personal Data processed by Signalify in connection with the Service.
If there is a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails. Mandatory provisions of applicable data-protection law continue to apply.
Definitions
“Customer Personal Data” means personal data submitted to or collected through Signalify by or for the Customer, including review and testimonial content. “Process”, “controller”, “processor”, “data subject”, “personal data breach”, and “supervisory authority” have the meanings given by applicable data-protection law, including the GDPR where applicable.
“Subprocessor” means a third party appointed by Signalify to process Customer Personal Data on Signalify’s behalf in connection with the Service.
Roles of the parties
Customer as controller
The Customer determines the purposes and essential means of processing Customer Personal Data, including what reviews are collected or imported, which content is approved, how long it is retained, and where it is displayed. The Customer is therefore generally the controller.
Signalify as processor
Signalify processes Customer Personal Data on the Customer’s documented instructions to provide, secure, support, and maintain the Service.
Signalify as independent controller
Signalify acts as an independent controller for account administration, billing, subscription and trial records, security, fraud prevention, product analytics, support, and legal compliance. Those activities are governed by the Privacy Policy rather than this DPA.
Details of processing
Subject matter and purpose
Hosting, organising, importing, moderating, displaying, and deleting reviews and testimonials; operating public review pages and embedded widgets; applying tags and Smart Display rules; providing widget and review-request analytics; and providing related support and security.
Nature of processing
Collection, recording, organisation, structuring, storage, retrieval, consultation, formatting, transmission, public display when instructed, restriction, deletion, and other operations required to provide the Service.
Duration
For the duration of the Customer’s use of the Service and any limited retention period described in this DPA, the Terms, or the Privacy Policy, unless law requires longer retention.
Categories of personal data
- Review and testimonial text.
- Reviewer names, display names, roles, or company information if provided.
- Ratings, review dates, visibility status, and moderation data.
- Optional review photos, image descriptions, externally hosted image URLs, and source URLs.
- Import source, import batch, tags, and duplicate-detection data.
- Public review-form submissions and limited request-page or widget activity events.
- Project, widget, and display configuration associated with customer content.
- Technical and security metadata necessary to deliver and protect the Service.
Categories of data subjects
- The Customer’s end customers, clients, users, or reviewers.
- People named or depicted in reviews, testimonials, or uploaded images.
- Visitors who submit content through public review forms.
- Visitors who interact with public widgets or review pages where limited analytics are enabled.
- Customer account users, to the extent their data appears within Customer-controlled content.
Customer instructions
The Terms, this DPA, the Customer’s use and configuration of the Service, and lawful written support requests constitute the Customer’s documented instructions.
Signalify will process Customer Personal Data only on those instructions unless processing is required by applicable law. If legally permitted, Signalify will inform the Customer before carrying out legally required processing.
Signalify will promptly inform the Customer if, in its reasonable opinion, an instruction infringes applicable data-protection law. Signalify may suspend the affected processing while the parties clarify the instruction.
Customer obligations
- Comply with applicable privacy, data-protection, consumer-protection, marketing, and review-authenticity laws.
- Have a valid legal basis for collecting, importing, using, and publicly displaying Customer Personal Data.
- Provide required privacy notices and obtain required permissions or consents.
- Ensure instructions to Signalify are lawful and proportionate.
- Avoid submitting special-category, highly sensitive, or unnecessary personal data.
- Maintain accurate visibility settings and remove content that should no longer be public.
- Respond to data-subject requests and complaints concerning Customer-controlled content.
- Secure account credentials and appropriately manage authorised users.
Signalify obligations as processor
- Process Customer Personal Data only on documented instructions and only as needed to provide the Service.
- Ensure authorised personnel are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures proportionate to the risks of processing.
- Assist the Customer with data-subject requests, breach obligations, impact assessments, and supervisory-authority consultations, taking into account the nature of processing and information available to Signalify.
- Maintain records and information reasonably necessary to demonstrate compliance with this DPA.
- At the Customer’s choice, delete or return Customer Personal Data after termination, subject to legal, security, backup, and technical retention requirements.
Confidentiality
Signalify treats Customer Personal Data as confidential. Access is limited to personnel and providers who need it to operate, secure, maintain, or support the Service.
Signalify will not sell Customer Personal Data or use it for unrelated advertising. Public display configured by the Customer is not a breach of confidentiality.
Security measures
- Managed hosting, database, authentication, and storage infrastructure.
- Transport encryption for data in transit where supported by the relevant service.
- Authentication, session controls, and restricted administrative access.
- Project-level access controls and database row-level security where implemented.
- Separation of public and authenticated application paths.
- Environment-secret management and server-side protection of privileged credentials.
- Logging, monitoring, error handling, and measures intended to prevent abuse.
- Backups, recovery capabilities, and provider-level resilience where available.
- Periodic review of production configuration, permissions, and security-sensitive workflows.
Personal data breaches
Signalify will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
The notice will include available information reasonably needed for the Customer to assess and meet its legal obligations, such as the nature of the breach, affected categories, likely consequences, and mitigation steps. Information may be provided in phases as the investigation progresses.
Notification does not constitute an admission of fault or liability.
Data-subject requests
If Signalify receives a request relating to Customer Personal Data, Signalify will normally direct the requester to the Customer unless law requires a different response.
Taking into account the nature of processing, Signalify will provide reasonable technical and organisational assistance so the Customer can respond to valid requests for access, correction, deletion, restriction, portability, or objection.
The Customer remains responsible for assessing the request, verifying the requester, determining the lawful response, and communicating with the data subject.
Subprocessors
The Customer grants Signalify general written authorisation to appoint subprocessors necessary to provide the Service. Signalify remains responsible for requiring subprocessors to protect Customer Personal Data through written terms appropriate to the services they provide.
Signalify may update its providers as the Service evolves. Where required by law and reasonably practicable, Signalify will provide notice of a material new subprocessor and an opportunity to raise a reasonable data-protection objection.
International transfers
Signalify and its subprocessors may process Customer Personal Data outside the country where the Customer or data subject is located.
Where the GDPR restricts a transfer outside the EEA, Signalify will rely on an adequacy decision, approved Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, or another lawful transfer mechanism.
The Customer authorises transfers necessary to provide the Service subject to those safeguards.
Return, deletion, and retention
During use of the Service, Customers may delete reviews and other content through available product controls. Customers should export any data they need before deleting a project or account.
Following termination or a valid deletion instruction, Signalify will delete or anonymise Customer Personal Data within a reasonable period, except where retention is required by law or reasonably necessary for security, dispute resolution, backups, or the prevention of abuse.
Data remaining in backups will be isolated from ordinary use and removed according to the applicable backup lifecycle. Externally hosted images and third-party source content must be deleted from the original provider separately.
Compliance information and audits
Upon reasonable written request, Signalify will provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and proportionality safeguards.
Where legally required and available documentation is insufficient, the Customer may request a reasonable audit. Audits must be coordinated in advance, avoid disruption, protect other customers’ data, and be no more frequent than once per year unless a breach or supervisory authority reasonably requires otherwise.
The Customer is responsible for reasonable costs of an audit that exceeds Signalify’s ordinary compliance assistance, unless the audit identifies a material breach by Signalify.
Liability and order of precedence
Liability arising from this DPA is subject to the limitations and exclusions in the Terms, except where applicable law does not permit those limitations.
If approved transfer terms conflict with this DPA, the transfer terms prevail for the relevant international transfer. This DPA otherwise prevails over conflicting privacy-processing terms in the Terms.
Changes and contact
Signalify may update this DPA to reflect changes in law, subprocessors, security practices, or the Service. Material changes will be communicated where required.
For data-processing, deletion, security, or subprocessor questions, contact hello@signalify.io.