Pactly

Security & Privacy

Comprehensive overview of Pactly's security measures, data protection practices, and privacy safeguards.

Platform Limitations & Legal Disclaimers

Electronic Signature Technology

Pactly currently supports Simple Electronic Signatures (SES) under the EU eIDAS regulation. We do not support Advanced Electronic Signatures (AES) or Qualified Electronic Signatures (QES) that require qualified trust service providers or certified signature creation devices.

Use Case Limitations

Important: Pactly is not suitable for use in:

  • Highly regulated industries requiring advanced signature standards (healthcare, financial services, pharmaceuticals)
  • Court filings, government submissions, or legal proceedings requiring notarization
  • Transactions requiring qualified trust service providers under applicable law
  • Use cases where local law mandates Advanced or Qualified Electronic Signatures

User Responsibility: Users are solely responsible for determining whether Pactly's Simple Electronic Signature technology meets their specific legal, regulatory, and business requirements in their applicable jurisdiction.

Jurisdictional & Regulatory Limitations

Electronic signature enforceability may vary by jurisdiction, document type, and regulatory environment. Pactly makes no warranties regarding the legal validity, enforceability, or regulatory compliance of signatures created through our platform in any specific jurisdiction or use case.

Our Security Commitment

At Pactly, security and privacy are fundamental to everything we do. We implement enterprise-grade security measures to protect your documents, signatures, and personal information.

Data Security

Encryption

  • Data in Transit: All data transmitted using TLS 1.3 encryption
  • Data at Rest: AES-256 encryption for stored documents and data
  • Database Encryption: Encrypted database storage with key rotation
  • Backup Encryption: All backups encrypted using industry standards

Cryptographic Integrity

  • SHA-256 Hashing: Document integrity verification
  • Digital Fingerprinting: Tamper-evident technology
  • Hash Chaining: Immutable, cryptographically-secured audit trail creation
  • Cryptographic Signatures: Mathematical proof of authenticity

Legal Probative Value: Pactly's cryptographic audit trails are immutable, hash-chained, and designed to be legally probative for evidentiary use in case of dispute, subject to applicable rules of evidence and judicial discretion.

Infrastructure Security

  • Cloud Security: AWS/Azure enterprise-grade infrastructure
  • Network Security: Firewall protection and intrusion detection
  • Access Controls: Multi-factor authentication and role-based access
  • Monitoring: 24/7 security monitoring and threat detection

Privacy Protection & Data Processing

Data Collection & Processing

We collect and process the following categories of personal data:

Essential Service Data:

  • Name, email address, and electronic signature data
  • Authentication credentials, MFA tokens, and session identifiers
  • Document content and metadata for signature workflows

Security & Fraud Prevention:

  • Device fingerprints, IP addresses, and geolocation data
  • Session data, browser information, and access logs
  • Behavioral analytics for fraud detection and security monitoring

Business Operations:

  • Billing and payment information, including transaction history
  • Company details and organizational information (when provided)
  • Customer service communications and support requests

Analytics & Improvement:

  • Platform usage analytics and performance metrics
  • Feature usage patterns and user experience data

Data Retention

  • Active Documents: Retained while account is active plus legal retention periods
  • Completed Documents: Retained per legal requirements (minimum 7 years or as required by law)
  • Personal Data: Deleted upon account closure subject to legal retention obligations
  • Audit Logs: Retained for compliance, security, and legal purposes
  • Billing Data: Retained per tax and accounting requirements

Data Access Controls

  • User Access: Users control access to their documents and data
  • Administrative Access: Strictly controlled on need-to-know basis
  • Third-Party Access: No data sharing without explicit consent or legal obligation
  • Legal Process: Data disclosed only upon valid legal process or court order

Legal Basis for Data Processing

We process personal data based on the following legal grounds:

| Processing Purpose | Legal Basis |
|------------------------|-----------------|
| Document signing workflows and service delivery | Contractual necessity |
| Account creation and user authentication | Contractual necessity |
| Fraud detection and platform security | Legitimate interests |
| Usage analytics and service improvement | Legitimate interests |
| Billing and payment processing | Contractual necessity |
| Legal compliance and regulatory obligations | Legal obligation |
| Marketing communications | User consent (withdrawable) |
| Customer support and service communications | Contractual necessity |

Cross-Border Data Transfers

International Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries recognized by applicable data protection authorities
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards for international transfers
  • Data Processing Agreements: Binding corporate rules and processor agreements
  • Additional Safeguards: Technical and organizational measures for enhanced protection

Regional Data Localization

Enterprise clients may request regional data localization options to meet specific compliance requirements. Contact our enterprise team for availability and pricing.

Compliance Standards

Industry Standards

  • ISO 27001: Information Security Management System certification
  • SOC 2 Type 2: Security, availability, and confidentiality controls audit
  • GDPR: European Union General Data Protection Regulation compliance
  • CCPA/CPRA: California Consumer Privacy Act and amendments compliance

Regional Privacy Laws

  • GDPR (EU/EEA): Full compliance with European privacy regulations
  • CCPA/CPRA (California): Consumer privacy rights protection and data broker obligations
  • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act compliance
  • LGPD (Brazil): Lei Geral de Proteção de Dados compliance
  • Other Jurisdictions: Compliance with applicable local data protection laws

Technical Safeguards

Authentication & Authorization

  • Multi-Factor Authentication: SMS, email, and authenticator app-based 2FA
  • Single Sign-On (SSO): Enterprise identity provider integration
  • Role-Based Access: Granular permission controls and least privilege access
  • Session Management: Secure session handling, timeout, and token management

Audit & Monitoring

  • Complete Audit Trails: Every action logged with immutable timestamps
  • Security Monitoring: Real-time threat detection and automated response
  • Access Logging: Detailed logs of all system access and data processing
  • Compliance Reporting: Automated compliance reporting and audit capabilities

Incident Response

  • Security Team: Dedicated cybersecurity professionals and incident response team
  • Incident Response Plan: Documented procedures for security incidents and data breaches
  • Notification Process: Timely breach notification to authorities and affected individuals
  • Recovery Procedures: Business continuity, disaster recovery, and forensic capabilities

Your Privacy Rights

Access & Control Rights

  • Data Access: Right to access and obtain copies of your personal data
  • Data Portability: Export your data in machine-readable formats
  • Data Rectification: Update, correct, or complete your personal information
  • Data Erasure: Request deletion of your personal data (subject to legal retention)

Objection & Restriction Rights

  • Processing Objection: Object to processing based on legitimate interests
  • Direct Marketing Opt-Out: Unsubscribe from all marketing communications
  • Automated Decision Making: Opt out of automated profiling and decision-making
  • Processing Restriction: Request restriction of certain processing activities

Exercising Your Rights

To exercise your privacy rights, contact us at [email protected] with your request and identity verification. We will respond within the timeframes required by applicable law.

Cookies & Tracking Technologies

Pactly uses cookies, web beacons, and similar tracking technologies for authentication, security, analytics, and user experience optimization. For detailed information about our use of cookies and your choices, please review our Cookie Policy.

Security Measures

Physical Security

  • Data Centers: Tier 3+ certified data centers with redundant infrastructure
  • Access Controls: Biometric and multi-factor physical access controls
  • Environmental Controls: Climate, power, and environmental monitoring systems
  • Security Personnel: 24/7 on-site security presence and surveillance

Logical Security

  • Vulnerability Management: Regular security assessments and penetration testing
  • Third-Party Security Testing: Independent security audits and assessments
  • Secure Development: Code reviews, security testing, and secure coding practices
  • Dependency Management: Regular security updates, patches, and vulnerability scanning

Contact & Reporting

Security & Privacy Contacts

Reporting Security Issues

  • Vulnerability Disclosure: Responsible disclosure program for security researchers
  • Security Incidents: Immediate incident reporting and response procedures
  • Privacy Complaints: Formal complaint resolution process

Legal Review & Document Hierarchy

Legal Compliance Review: This document was last reviewed for legal accuracy and regulatory compliance on January 15, 2025.

Document Status: This Security & Privacy overview is provided for informational purposes only. In the event of any conflict between this overview and our binding legal agreements, the Privacy Policy and Terms of Service shall govern.

Periodic Updates: This document is reviewed periodically for legal accuracy, regulatory changes, and technical updates. Users are encouraged to review this page regularly for updates.


For complete privacy practices and legal obligations, please review our Privacy Policy. For platform terms and conditions, see our Terms of Service. For cookie usage details, see our Cookie Policy.

Last updated: January 15, 2025
Last legal compliance review: January 15, 2025