Data Processing Addendum (DPA)
Effective date: 6.1.2026 (version 1.0)
This Data Processing Addendum (“DPA”) forms part of the agreement between Circularo (“Processor”) and the customer (“Controller”) and applies where Circularo processes Personal Data on behalf of the Controller in the provision of its services.
This DPA is concluded in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”).
1. Definitions
1.1 Agreement
The binding agreement governing the provision of services by Circularo to the Controller, including the Terms of Service and any applicable order form or contract.
1.2 Controller
The customer that determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) GDPR.
1.3 Processor
Circularo, acting on behalf of the Controller, as defined in Article 4(8) GDPR.
1.4 Data Protection Laws
All applicable laws and regulations relating to data protection and privacy, including Regulation (EU) 2016/679 (GDPR) and any national implementing legislation.
1.5 Personal Data
Any information relating to an identified or identifiable natural person processed by Circularo on behalf of the Controller in connection with the Services, as defined in Article 4(1) GDPR.
1.6 Processing
Any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) GDPR.
1.7 Data Subject
An identified or identifiable natural person to whom Personal Data relates.
1.8 Services
Circularo’s document management, workflow, electronic signing, notification, certificate handling, and related services provided under the Agreement.
1.9 Sub-processor
Any third party engaged by Circularo to process Personal Data on behalf of the Controller in connection with the Services.
1.10 Customer Configuration
The technical and functional settings selected by the Controller within the Services, including the use of customer-provided infrastructure (such as SMTP servers or certificates) or optional third-party services.
1.11 Cloud Infrastructure
The hosting, storage, security, and hardware security module (HSM) services provided to Circularo via Microsoft Azure data centers located in the European Union.
1.12 Digital Certificate
An electronic certificate used for signing or authentication purposes, whether provided by the Controller or issued through a certification authority upon the Controller’s request.
1.13 HSM (Hardware Security Module)
A secure cryptographic key management system used for the storage and protection of cryptographic keys and certificates.
1.14 Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, as defined in Article 4(12) GDPR.
1.15 Standard Contractual Clauses or SCCs
Standard data protection clauses adopted by the European Commission for the transfer of Personal Data to third countries pursuant to Article 46 GDPR.
1.16 Supervisory Authority
An independent public authority established pursuant to Article 51 GDPR.
2. Roles of the Parties
2.1 The Controller determines the purposes and means of the Processing of Personal Data.
2.2 The Processor processes Personal Data solely on documented instructions from the Controller, including instructions arising from the Agreement, this DPA, and the Controller’s Customer Configuration of the Services.
3. Description of the Processing
3.1 Subject Matter
The Processing of Personal Data as necessary to provide the Services.
3.2 Duration
For the term of the Agreement and any additional period during which the Processor processes Personal Data on behalf of the Controller.
3.3 Nature and Purpose of the Processing
Processing operations include, as applicable:
Hosting, storing, securing, and managing documents and related metadata
Executing document workflows and electronic signing
Delivering email and SMS notifications, where enabled
Issuing, storing, and validating Digital Certificates, where requested
Ensuring availability, integrity, and security of the Services
3.4 Categories of Data Subjects
Employees, contractors, representatives, customers, or other individuals whose Personal Data is processed through the Services.
3.5 Categories of Personal Data
Depending on Customer Configuration:
Identification and contact data
Business-related data required for Digital Certificate issuance
Document content and metadata
Communication details for notification delivery
The Services are not designed to require the Processing of special categories of personal data unless explicitly configured by the Controller.
4. Processor Obligations
The Processor shall:
a) Process Personal Data only on documented instructions from the Controller
b) Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
c) Implement appropriate technical and organizational measures pursuant to Article 32 GDPR
d) Assist the Controller with Data Subject rights requests, Personal Data Breaches, and data protection impact assessments
e) Notify the Controller without undue delay upon becoming aware of a Personal Data Breach
5. Sub-processing
5.1 General Authorization
The Controller grants the Processor general authorization to engage Sub-processors. The Processor remains fully responsible for its Sub-processors’ compliance with this DPA.
5.2 Cloud Infrastructure
The Processor utilizes Microsoft Azure and Oracle cloud services as Cloud Infrastructure for the provision of the Services.
Sub-processor: Microsoft Corporation or Oracle Corporation (KSA)
Processing activities: Cloud hosting, data storage, security services, and HSM
Locations:
European Union - Microsoft data center located in the Netherlands
United Arab Emirates - Microsoft data center located in the Emirate of Dubai
State of Qatar - Microsoft data center located in the State of Qatar
Kingdom of Saudi Arabia - Oracle data center in Jeddah, Saudi Arabia
Safeguards:
Microsoft Products and Services Data Protection Addendum
Data Processing Agreement for Oracle Services
Personal Data is stored and processed within the Cloud Infrastructure in data centers located in the European Union, the United Arab Emirates, State of Qatar or the Kingdom of Saudi Arabia, depending on the Controller’s Customer Configuration and the geographic region selected for the Services.
5.3 Email Notification Services
5.3.1 Customer-Provided SMTP
Where the Controller configures the Services to use its own SMTP servers, the Processor does not engage any third-party Sub-processor for email delivery.
5.3.2 Default Email Service (Optional)
Where enabled through Customer Configuration, the Processor engages Brevo (formerly Sendinblue):
Sub-processor: Brevo
Location: Paris, France (EU)
Processing activities: Delivery of email notifications
Safeguards: Brevo Terms of Use and Data Processing provisions
5.4 Digital Certificates
5.4.1 Customer-Provided Digital Certificates
Where the Controller provides its own Digital Certificates, such certificates are stored and protected exclusively within the Processor’s HSM environment hosted in the relevant Cloud Infrastructure.
No Personal Data is disclosed to any certification authority in this scenario.
5.4.2 Processor-Issued Digital Certificates
Where requested by the Controller, the Processor may engage certification authorities as Sub-processors for the issuance of Digital Certificates.
5.4.2.1 European Union and Global
Sub-processor: První certifikační autorita, a.s. (1st Certification Authority)
Location: Prague, Czech Republic (EU)
Processing activities: Issuance of company Digital Certificates
Personal Data processed: Limited business-related identification data required for certificate issuance
Safeguards: Principles of Client’s Personal Data Processing
Following issuance, Digital Certificates are stored exclusively within the Processor’s HSM hosted on Microsoft Azure. During certificate validation, no Personal Data beyond that embedded in the Digital Certificate is processed by the certification authority.
5.4.2.2 United Arab Emirates
Where applicable to the Controller’s jurisdiction or Customer Configuration, the Processor may engage:
Sub-processor: Dubai Electronic Security Center (DESC)
Location: Dubai, United Arab Emirates
Processing activities:
Issuance of electronic certificates and electronic seals
Support for electronic signing of documents in accordance with applicable UAE and Dubai laws
Personal Data processed:
Limited identification and business-related data strictly required for the issuance of electronic certificates or electronic seals
Legal and regulatory framework:
UAE Federal Data Protection Law
DESC Information Security Regulation (ISR)
Law No. (15) of 2024 Concerning the Dubai Electronic Security Center
Following issuance, Digital Certificates are stored exclusively in the Processor’s HSM.
During validation, no Personal Data beyond that embedded in the Digital Certificate is processed by the certification authority.
Processing under this subsection applies only where the Controller operates in, or explicitly configures the Services for use in, the United Arab Emirates or the Emirate of Dubai.
5.5 SMS Notification Services (Optional)
Where enabled through Customer Configuration, the Processor engages:
Sub-processor: Twilio Inc.
Location: United States (San Francisco, California)
Processing activities: SMS message delivery
Safeguards: Twilio Data Protection Addendum, including Standard Contractual Clauses
5.6 KYC Services (Optional)
Where enabled through Customer Configuration, the Processor engages:
Sub-processor: Identomat Inc.
Location: United States (Champaign, Illinois)
Processing activities (where applicable):
Identity Document (ID) Verification
Biometric Verification & Liveness Detection
AML Screening
Proof of Address (PoA) Verification
Video KYC
Multi-Factor Authentication (MFA)
Safeguards: Data Privacy Statement of Identomat Inc.
6. International Data Transfers
Where Personal Data is transferred outside the jurisdiction in which it is processed, including cross-border transfers involving the European Union, the United Arab Emirates, State of Qatar or the Kingdom of Saudi Arabia, the Processor ensures that such transfers are subject to appropriate safeguards in accordance with applicable Data Protection Laws, including Standard Contractual Clauses, regulatory requirements, and technical and organizational measures designed to protect the confidentiality, integrity, and availability of Personal Data.
7. Technical and Organizational Measures
The Processor implements appropriate technical and organizational measures, including:
Encryption of Personal Data at rest and in transit
Role-based access controls
Secure cryptographic key and certificate management via HSM
Security monitoring and incident response procedures
8. Assistance with Data Subject Rights
The Processor shall, taking into account the nature of the Processing, assist the Controller in fulfilling its obligations to respond to requests from Data Subjects under Articles 12–22 GDPR.
9. Return or Deletion of Personal Data
Upon termination of the Agreement, the Processor shall, at the Controller’s choice, delete or return all Personal Data unless retention is required by applicable law.
10. Audits and Information
The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA and allow audits, subject to reasonable confidentiality and security requirements.
11. Liability
Liability arising under this DPA shall be governed by the Agreement and applicable Data Protection Laws.
12. Governing Law
This DPA shall be governed by the governing law specified in the Agreement, unless otherwise required by Data Protection Laws.
13. Order of Precedence
In the event of a conflict, this DPA shall prevail with respect to data protection obligations.