SignOver Legal

Data Processing Agreement v0.1.0-beta.3

Between Signover and Operator Companies

signover.app | Vehicle Proof of Delivery Platform

Draft for Legal Review — Version 1.0

Effective 2026-05-05 · Evidence hash c3cdc2c5986f

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Signover Operator Terms & Conditions. By accepting the Operator Terms & Conditions, the Operator agrees to this DPA. This DPA governs the processing of personal data by Signover on behalf of the Operator in connection with the provision of the Signover platform.

1. Definitions

In this DPA:

  • "Controller" means the Operator, being the entity that determines the purposes and means of processing personal data submitted through the platform
  • "Processor" means Signover, being the entity that processes personal data on behalf of the Controller
  • "Data Subject" means the individual to whom personal data relates, including drivers, countersigners, and any other individuals whose data is submitted to the platform
  • "Personal Data" has the meaning given in UK GDPR
  • "Processing" and "Process" have the meanings given in UK GDPR
  • "Sub-Processor" means any third party engaged by Signover to process personal data in connection with providing the platform
  • "UK GDPR" means the UK General Data Protection Regulation as defined in section 3(10) of the Data Protection Act 2018

2. Roles of the Parties

2.1 Controller

The Operator is the Data Controller for all personal data submitted to the Signover platform in connection with vehicle transport jobs. This includes job record data, collection and delivery addresses, countersigner email addresses and signatures, and driver data associated with the Operator's jobs.

2.2 Processor

Signover is the Data Processor for the personal data described in 2.1. Signover processes this data solely on the instructions of the Operator and for the purpose of providing the Signover platform services.

2.3 Separate Controller

Signover acts as a separate and independent Data Controller (not as Processor) for:

  • Operator account data collected for the purposes of account administration, beta service operations, and communication
  • Driver account data collected directly from drivers for the purposes of driver account management
  • Non-identifying platform performance data collected through Vercel Speed Analytics

This DPA applies only to Signover's processing as Processor. Signover's processing as Controller is described in the Signover Privacy Policy.

2.4 Drivers

All drivers using Signover hold their own individual Signover account. Drivers may be permanently linked to the Operator's account or connected on a one-off basis via a unique job code. In both cases, when a driver conducts a job under the Operator's account, the Operator is the Data Controller for the personal data associated with that job, and the driver acts as the Operator's agent for the purposes of data collection.

3. Subject Matter, Nature, and Purpose of Processing

  • Subject matter: personal data submitted to the Signover platform in connection with vehicle transport jobs
  • Nature: collection, storage, organisation, structuring, retrieval, display, transmission, and deletion of personal data
  • Purpose: solely to provide the Signover vehicle proof of delivery platform services to the Operator
  • Duration: the term of the Operator's subscription plus 6 months following cancellation, after which all personal data is permanently deleted

3.1 Categories of Personal Data Processed

  • Vehicle details and job information
  • Collection and delivery addresses
  • Damage markers, defect notes, and condition photographs
  • Collection countersigner name (if provided), email address, OTP log, digital signature, IP address, user-agent, agreement timestamp, and legal document version/hash metadata
  • Delivery countersigner name (if provided), email address, OTP log, digital signature, IP address, user-agent, agreement timestamp, and legal document version/hash metadata
  • Driver identifier and job association data

3.2 Categories of Data Subjects

  • Countersigners at collection (persons handing over vehicles)
  • Countersigners at delivery (persons receiving vehicles)
  • Drivers associated with jobs under the Operator's account
  • Any other individuals whose personal data is included in job records by the Operator

4. Signover's Obligations as Processor

4.1 Instructions

Signover shall process personal data only on documented instructions from the Operator, as set out in these Terms and this DPA. If Signover is required to process personal data for any other purpose by applicable law, it will inform the Operator before processing unless prohibited from doing so by law.

If Signover believes any instruction from the Operator would breach UK GDPR or other applicable data protection law, it shall notify the Operator and may refuse to carry out that instruction.

4.2 Confidentiality

Signover shall ensure that all personnel authorised to process personal data under this DPA are subject to appropriate confidentiality obligations.

4.3 Security

Signover shall implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, in accordance with UK GDPR Article 32. These measures include:

  • Encryption of personal data in transit and at rest
  • Role-based access controls limiting internal access to personal data
  • Secure authentication for all platform users
  • Regular monitoring and testing of security measures

4.4 Sub-Processors

The Operator authorises Signover to engage the following sub-processors:

  • Supabase — primary application database and storage infrastructure.
  • Cloudflare Images — secure storage and delivery for uploaded vehicle/inspection images.
  • Resend — transactional delivery of OTP and related service emails.

Signover will impose materially equivalent data protection obligations on each authorised sub-processor by contract and remains responsible for the sub-processor's performance of those obligations to the extent required by UK GDPR.

Signover shall notify the Operator of any intended changes to this sub-processor list by [email / in-app notification / updating the DPA with 30 days' notice]. The Operator may object to a new sub-processor on reasonable grounds within [14] days of notification.

4.5 Data Subject Rights

Signover shall assist the Operator in responding to requests from data subjects exercising their rights under UK GDPR. Where Signover receives a data subject request directly (for example from a countersigner), it will:

  • Notify the Operator promptly and in any event within [5] business days
  • Provide such assistance as the Operator reasonably requires to fulfil the request within the statutory timeframe
  • Not respond to the data subject directly except as instructed by the Operator or as required by law

4.6 Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, Signover shall:

  • Notify the Operator without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable the Operator to comply with its own notification obligations to the ICO and affected data subjects
  • Take reasonable steps to investigate, contain, and mitigate the breach

4.6A Assistance with Compliance

Taking into account the nature of processing and information available to Signover, Signover shall assist the Operator in meeting obligations under UK GDPR Articles 32 to 36, including security of processing, breach response support, data protection impact assessments, and prior consultation with supervisory authorities where required.

4.7 Deletion and Return of Data

At the end of service provision and subject to applicable law, Signover shall, at the Operator's choice, return personal data to the Operator and/or securely delete personal data processed under this DPA. Where data must be retained by law, Signover will continue to protect it in accordance with this DPA.

Where deletion is selected, deletion shall cover live systems, backups, and all sub-processor copies, subject to technical backup rotation cycles and legal requirements.

On request from the Operator, Signover shall confirm in writing that deletion has been completed.

4.8 Audit Rights

The Operator may, on reasonable written notice, audit Signover's compliance with this DPA. In practice, Signover may satisfy audit requests through the provision of documentation, certifications, completed questionnaires, or third-party audit reports rather than through physical site access, unless the Operator has reasonable grounds to require otherwise.

5. Operator's Obligations as Controller

  • Ensure all personal data provided to or processed through Signover has been collected lawfully and in compliance with UK GDPR
  • Ensure countersigners are informed that their data will be processed by Signover in accordance with Signover's Privacy Policy
  • Respond to data subject rights requests within the statutory timeframes, with Signover's assistance as described above
  • Not instruct Signover to process personal data in a manner that would breach UK GDPR
  • Ensure drivers operating under the Operator's account handle personal data in accordance with applicable law

6. Liability

Each party shall be liable to the other for breaches of this DPA caused by their own acts or omissions.

Signover's liability under this DPA is subject to the limitation of liability provisions in the Operator Terms & Conditions. Signover is not liable for any breach resulting from the Operator's unlawful instructions.

The Operator is liable for any breach resulting from their failure to comply with their obligations as Data Controller, including any failure to lawfully collect personal data before providing it to Signover.

7. General

This DPA is governed by the laws of England and Wales. In the event of any conflict between this DPA and the Operator Terms & Conditions, this DPA shall take precedence in relation to the processing of personal data.

Signover reserves the right to update this DPA to reflect changes in applicable law or processing activities. Material changes will be notified to Operators in accordance with the notification provisions in the Operator Terms & Conditions.

Signover — signover.app. This document is a draft for legal review only and does not constitute legal advice.