Data Processing Agreement

Last updated: 11 July 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Customer” and data controller) and Aletheia Tech Ltd, a company incorporated in England and Wales, with its registered office in London, United Kingdom (“BAScribe”, “we”, “us”, “our”). (the “Processor”), and applies where BAScribe processes personal data on the Customer’s behalf under UK GDPR, EU GDPR and comparable laws.

If you require a countersigned copy for your records, contact support@bascribe.com.

1. Roles and scope

The Customer is the controller and BAScribe is the processor of the personal data the Customer submits to the Service. BAScribe processes that data only to provide the Service and on the Customer’s documented instructions, including as set out in the Terms and this DPA.

2. Details of processing

Subject matter and duration: provision of the e-signature Service for the term of the Customer’s account. Nature and purpose: uploading, sending, signing, verifying, storing (for 30 days) and anchoring documents. Data subjects: the Customer’s users and the signers they invite. Categories of data: names, email addresses, optional phone numbers, signature audit data (IP, timestamps, consent), and document content the Customer chooses to upload.

3. Processor obligations

BAScribe will: process personal data only on the Customer’s instructions; ensure persons authorised to process it are bound by confidentiality; implement appropriate technical and organisational security measures; and assist the Customer with data-subject requests and with its obligations under Articles 32–36 GDPR, taking into account the nature of processing.

4. Security measures

Encryption in transit, access controls and least-privilege access, private document storage with automatic deletion after 30 days, and integrity protection via cryptographic hashing and on-chain anchoring.

5. Subprocessors

The Customer authorises BAScribe to engage the subprocessors listed at bascribe.com/legal/subprocessors. BAScribe imposes data-protection obligations on each subprocessor no less protective than this DPA, and will give notice before adding or replacing a subprocessor so the Customer may object on reasonable grounds.

6. Data-subject requests

BAScribe will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures to respond to requests from data subjects exercising their rights.

7. Personal-data breaches

BAScribe will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer’s data, and will provide information reasonably available to help the Customer meet its notification obligations.

8. International transfers

Where BAScribe or its subprocessors process personal data outside the UK/EEA, the transfer is covered by appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.

9. Audit

BAScribe will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and scheduling.

10. Deletion and return

Uploaded and executed documents are deleted automatically 30 days after signing. On termination, BAScribe will delete or return the Customer’s personal data except where retention is required by law. On-chain hashes are permanent and cannot be deleted.

11. Liability and governing law

Liability under this DPA is subject to the limitations in the Terms. This DPA is governed by the laws of England and Wales. For any question, contact support@bascribe.com.