Qwoty’s Role
When using Qwoty, two distinct data processing roles apply:| Role | Description |
|---|---|
| Data Controller | You (the organisation using Qwoty) determine the purposes and means of processing |
| Data Processor | Qwoty processes personal data on your behalf according to your instructions |
- Obtaining appropriate consent or legal basis for processing
- Informing data subjects about how their data is used
- Responding to data subject access requests
- Ensuring compliance with GDPR requirements
- Processes data only according to your documented instructions
- Implements appropriate technical and organisational security measures
- Assists with data subject requests when needed
- Maintains records of processing activities
Data Processing
Qwoty processes personal data necessary to provide its services:| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, email address | User accounts, recipient identification |
| Document Data | Uploaded PDFs, field values | Document storage and signing |
| Signature Data | Signature images, signing timestamps | Recording signing actions |
| Audit Data | IP addresses, browser information, action logs | Audit trail and verification |
- Delivering documents to recipients
- Recording signatures and other recipient actions
- Generating signed documents with audit trails
- Sending email notifications and transactional communications
Data Storage Locations
Qwoty primarily stores data within the European Economic Area (EEA). Application data and document storage use AWS infrastructure in the EU (Ireland and Paris). Backups are maintained in geographically separate EU locations.Data Subject Rights
GDPR grants individuals specific rights regarding their personal data. As the data controller, you are responsible for fulfilling these requests:| Right | Description |
|---|---|
| Access | Data subjects can request a copy of their personal data |
| Rectification | Data subjects can request correction of inaccurate data |
| Erasure | Data subjects can request deletion of their data (“right to be forgotten”) |
| Portability | Data subjects can request their data in a machine-readable format |
| Restriction | Data subjects can request limited processing of their data |
| Objection | Data subjects can object to certain types of processing |
Data Deletion
Qwoty supports data deletion to help fulfil erasure requests:Account Deletion
Account Deletion
- Users can delete their own accounts
- Account deletion removes profile data and authentication credentials
- Administrators can remove members from the organisation
Document Deletion
Document Deletion
- Document owners can delete documents at any stage
- Deletion removes the document, recipient data, and associated audit logs
Post-Termination Retention
Post-Termination Retention
Upon termination of the agreement, Qwoty will:
- Delete all personal data from primary systems within 10 business days
- Delete data from backup systems within 90 days, in line with the standard backup retention cycle
Data Processing Agreement
A Data Processing Agreement (DPA) is required by GDPR when a data controller engages a data processor. Qwoty’s DPA is incorporated directly into the General Terms and Conditions — accepting the GTC constitutes acceptance of the DPA. The DPA covers:- Qwoty’s obligations as a data processor
- Sub-processor authorisation and change notification (30-day advance notice)
- Technical and organisational security measures (Annex 2)
- International data transfer mechanisms
- A DPA is available upon request support@qwoty.io.