GDPR Compliance

Effective Date: August 19, 2025

1. Our Commitment to GDPR Compliance

Monze Digital Solutions ("we," "our," or "us") is fully committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws. This comprehensive guide outlines how we comply with GDPR requirements and explains your rights as a data subject.

The GDPR applies to the processing of personal data of individuals located in the European Economic Area (EEA), regardless of where the processing takes place. As a global service provider, we ensure GDPR compliance for all our users, providing the same high level of data protection worldwide.

This document should be read in conjunction with our Privacy Policy, Terms of Service, and Cookie Policy, which together form our comprehensive data protection framework.

2. Data Controller Information

Data Controller Details

Company: Monze Digital Solutions
Address: 22 4th St #602, San Francisco, CA 94103, United States
Email: dpo@monze.net
Phone: (415) 821-4241

EU Representative: For matters related to GDPR compliance, EU residents can contact our EU representative at eu-representative@monze.net.

As the data controller, we determine the purposes and means of processing your personal data. We have appointed a Data Protection Officer (DPO) who oversees our data protection activities and serves as your primary contact for GDPR-related matters.

3. Legal Basis for Processing Personal Data

Under GDPR, we must have a valid legal basis for processing your personal data. We process your data based on the following legal grounds:

3.1 Contract Performance (Article 6(1)(b))

Processing necessary to provide our e-signature services and fulfill our contractual obligations to you:

  • Account creation and management
  • Document processing and electronic signature services
  • Payment processing and billing
  • Customer support and service delivery
  • Service-related communications

3.2 Legitimate Interest (Article 6(1)(f))

Processing for our legitimate business interests, balanced against your rights and freedoms:

  • Service improvement and optimization
  • Security monitoring and fraud prevention
  • Analytics and usage statistics
  • Business development and research
  • Network and information security

We conduct regular legitimate interest assessments to ensure our interests do not override your fundamental rights and freedoms.

3.3 Consent (Article 6(1)(a))

Processing based on your explicit, freely given consent:

  • Marketing communications and newsletters
  • Optional features and personalization
  • Non-essential cookies and tracking
  • Market research and surveys
  • Third-party integrations (where optional)

You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3.4 Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations:

  • Tax and accounting requirements
  • Anti-money laundering and KYC procedures
  • Data retention for legal compliance
  • Regulatory reporting and audits
  • Law enforcement requests (where legally required)

3.5 Vital Interests (Article 6(1)(d))

In rare circumstances, we may process data to protect vital interests, such as preventing harm to individuals or responding to emergency situations.

4. Your GDPR Rights

Under GDPR, you have comprehensive rights regarding your personal data. These rights are not absolute and may be subject to certain limitations, but we are committed to facilitating their exercise wherever possible:

4.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to:

  • The personal data we hold about you
  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients
  • The retention period or criteria for determining it
  • Information about your other GDPR rights

How to exercise: Submit a request through your account settings or contact our DPO. We may require identity verification.

4.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed. This includes:

  • Correcting factual errors in your personal data
  • Updating outdated information
  • Completing incomplete data with additional information

How to exercise: Update information directly in your account settings or contact us with the correct information.

4.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to have your personal data erased in certain circumstances:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required for compliance with legal obligations

Limitations: We may retain data where necessary for legal compliance, exercising legal claims, or other legitimate purposes.

4.4 Right to Restrict Processing (Article 18)

You can request restriction of processing in specific situations:

  • You contest the accuracy of the data (during verification)
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing (pending verification of legitimate grounds)

Effect: We will store the data but not process it further without your consent or for specific legal purposes.

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

Available formats: JSON, CSV, or other standard formats. We can also transmit data directly to another controller where technically feasible.

4.6 Right to Object (Article 21)

You have the right to object to processing based on:

  • Legitimate interests: We must demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
  • Direct marketing: An absolute right to object; we must stop processing your data for marketing purposes
  • Scientific/historical research: You may object unless the processing is necessary for a task carried out in the public interest

Marketing opt-out: Use unsubscribe links in emails or update your communication preferences in account settings.

4.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If we use automated decision-making, you have the right to:

  • Obtain human intervention
  • Express your point of view
  • Contest the decision
  • Obtain an explanation of the decision

5. Email Communication Compliance

5.1 GDPR-Compliant Email Practices

Our email communication practices are designed to fully comply with GDPR requirements:

Transactional Emails

Legal Basis: Contract performance and legitimate interest

Essential service communications necessary for account management and service delivery:

  • Account creation and verification emails
  • Security alerts and password reset notifications
  • Document signature requests and status updates
  • Billing statements and payment confirmations
  • Service announcements and maintenance notifications
  • Legal and compliance communications

Opt-out: You cannot opt out of essential transactional emails as they are necessary for service delivery. However, you can close your account to stop receiving them.

Marketing Emails

Legal Basis: Explicit consent (Article 6(1)(a))

Promotional communications sent only with your explicit consent:

  • Product updates and new feature announcements
  • Educational content and best practices
  • Special offers and promotional campaigns
  • Industry insights and newsletters
  • Event invitations and webinar announcements

Consent management: We use double opt-in for marketing subscriptions and maintain detailed records of consent, including timestamp, IP address, and consent method.

5.2 Consent Management

Our consent management practices ensure GDPR compliance:

  • Freely given: Consent is not a condition for using our core services
  • Specific: Separate consent for different types of marketing communications
  • Informed: Clear information about what you're consenting to
  • Unambiguous: Positive action required (no pre-ticked boxes)
  • Withdrawable: Easy opt-out mechanisms in every email and account settings

5.3 Data Subject Rights in Email Communications

  • Access: Request copies of all emails sent to you and associated metadata
  • Rectification: Update your email address and communication preferences
  • Erasure: Request deletion of your email data (subject to legal retention requirements)
  • Restriction: Limit processing to specific types of communications
  • Portability: Export your communication preferences and history
  • Object: Opt out of marketing emails (absolute right)

6. Data Protection Measures

6.1 Technical Safeguards

We implement state-of-the-art technical measures to protect your personal data:

  • Encryption: AES-256 encryption at rest and TLS 1.3 in transit
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Data Minimization: Automated systems to limit data collection and retention
  • Pseudonymization: Where possible, we replace identifying information with pseudonyms
  • Backup Security: Encrypted backups with restricted access

6.2 Organizational Measures

  • Staff Training: Regular GDPR and data protection training for all employees
  • Access Management: Principle of least privilege and regular access reviews
  • Incident Response: Comprehensive breach response procedures
  • Vendor Management: Due diligence and contractual safeguards for processors
  • Privacy by Design: Data protection considerations in all system development
  • Regular Audits: Internal and external security and privacy assessments

6.3 Compliance Certifications

  • SOC 2 Type II: Annual compliance audits for security and availability
  • ISO 27001: Information security management system certification
  • Privacy Shield: Self-certification for US-EU data transfers (where applicable)
  • Regular Penetration Testing: Quarterly security assessments by third parties

7. International Data Transfers

7.1 Transfer Mechanisms

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs)

We use the European Commission's approved Standard Contractual Clauses for transfers to countries without adequacy decisions, including additional safeguards where necessary.

Adequacy Decisions

We prioritize transfers to countries with European Commission adequacy decisions, such as Canada, Japan, and the UK.

Binding Corporate Rules

For intra-group transfers, we maintain binding corporate rules approved by relevant data protection authorities.

7.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to evaluate the level of protection in destination countries and implement additional safeguards where necessary, including enhanced encryption, access controls, and contractual protections.

8. Data Retention and Deletion

8.1 Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account Data

Active accounts: Retained while your account is active
Closed accounts: Deleted within 90 days unless legal retention applies
Legal compliance: Up to 7 years for tax and regulatory requirements

Document Data

User-controlled: According to your account settings and preferences
Legal documents: Retained as required by applicable laws
Audit trails: 7 years for legal and compliance purposes

Communication Data

Email communications: 3 years for customer service purposes
Marketing data: Until consent is withdrawn or 3 years of inactivity
Support tickets: 5 years for quality assurance and legal protection

8.2 Automated Deletion

We use automated systems to ensure data is deleted according to our retention schedules. You will receive notifications before data deletion where appropriate, and you can request early deletion subject to legal and contractual obligations.

9. Data Breach Procedures

9.1 Breach Detection and Response

We maintain comprehensive procedures for detecting, investigating, and responding to data breaches:

  • 24/7 Monitoring: Continuous security monitoring and automated threat detection
  • Incident Response Team: Dedicated team with defined roles and responsibilities
  • Containment: Immediate steps to contain and mitigate the breach
  • Assessment: Evaluation of the scope, impact, and risk to data subjects
  • Documentation: Detailed records of all breach-related activities

9.2 Notification Procedures

Supervisory Authority Notification

We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to rights and freedoms, including all required information under Article 33 GDPR.

Data Subject Notification

We will notify affected individuals without undue delay when a breach is likely to result in high risk to their rights and freedoms, providing clear information about the breach and recommended actions.

10. Exercising Your GDPR Rights

10.1 How to Submit Requests

You can exercise your GDPR rights through multiple channels:

Online Portal

Access your account settings to manage many rights directly, including data access, rectification, and communication preferences.

Email Requests

Send detailed requests to our Data Protection Officer at dpo@monze.net with "GDPR Rights Request" in the subject line.

Written Requests

Mail written requests to our Data Protection Officer at 22 4th St #602, San Francisco, CA 94103, United States.

10.2 Request Processing

  • Response Time: We respond within 30 days (extendable to 90 days for complex requests)
  • Identity Verification: We may require proof of identity to protect your data
  • Free of Charge: First request is free; additional requests may incur reasonable fees
  • Status Updates: We provide regular updates on request processing
  • Appeal Process: You can appeal our decisions through our internal review process

10.3 Required Information

To process your request efficiently, please provide:

  • Full name and email address associated with your account
  • Specific right you wish to exercise
  • Detailed description of your request
  • Proof of identity (copy of ID document)
  • Any relevant dates, documents, or context

11. Complaints and Supervisory Authorities

11.1 Internal Complaints Process

If you have concerns about our data processing practices, please contact us first:

  • Email our Data Protection Officer at dpo@monze.net
  • We will acknowledge your complaint within 5 business days
  • We aim to resolve complaints within 30 days
  • You will receive a written response explaining our decision

11.2 Supervisory Authority Rights

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you:

  • Have your habitual residence
  • Have your place of work
  • Believe the alleged infringement occurred

11.3 Key Supervisory Authorities

European Data Protection Board

Website: edpb.europa.eu
Find your local supervisory authority through their website

Irish Data Protection Commission

Our lead supervisory authority for EU operations
Website: dataprotection.ie
Email: info@dataprotection.ie

12. Updates to This GDPR Compliance Guide

We regularly review and update this GDPR Compliance guide to reflect:

  • Changes in data protection laws and regulations
  • Guidance from supervisory authorities
  • Updates to our data processing practices
  • Feedback from data subjects and stakeholders

Material changes will be communicated through email notifications, website announcements, and account notifications. We encourage you to review this guide periodically to stay informed about your rights and our practices.

13. Contact Information

For all GDPR-related inquiries, requests, or complaints, please contact:

Data Protection Officer
Monze Digital Solutions
22 4th St #602
San Francisco, CA 94103
United States

Email: dpo@monze.net
Phone: (415) 821-4241
EU Representative: eu-representative@monze.net

Business Hours: Monday - Friday, 9:00 AM - 6:00 PM PST
Emergency Contact: For urgent data protection matters, call our 24/7 security hotline at (415) 821-4241 ext. 911