Your integrity matters to us.
At SWESTEP AB (SWESTEP) we process personal data daily, for our own business purposes, on behalf of our customers and ultimately for you. This privacy notice details how SWESTEP is processing personal data relating to customers and prospects, as well as how personal data is being processed within SWESTEP. Every document signed with SWESTEP services includes information about the individuals sending, receiving and signing it and as long as the data resides with us, it is our job to protect it from unlawful access and use.
What is personal data?
The GDPR (General Data Protection Regulation, regulation (EU) 2016/679) defines personal data as “any information relating to an identified or identifiable natural person”. The natural person, such as yourself, is referred to as a “data subject” and you may be identified (or are identifiable) via information like your name, your personal identification number, but also via e.g. an IP-address, genetic data etc.
“Sensitive personal data” are, by their nature, particularly sensitive for you. They require specific protection to avoid significant risks to your fundamental rights and freedoms. This includes, among other things, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.
Data protection law.
As a Swedish company, SWESTEP is governed by the laws of Sweden which, as from May 25th 2018, include the GDPR.
The GDPR describes how organisations, such as SWESTEP, must “process” (collect, handle and store) personal data. Rules on data protection apply regardless of whether personal data is stored electronically, on paper or on other materials. Organisations that process your personal data are obliged to do that in accordance with strict regulations. Similar regulations were in force even prior to the GDPR, but now the law, and the serious economic consequences of not adhering to the law, are the same for the whole of the EU. An organisation that determines the purposes of the processing is called a “controller”, whereas an organisation that the controller has engaged to assist in the processing is called a “processor”.
Processing in SWESTEP
What roles does SWESTEP have?
SWESTEP offers the SWESTEP service through different business models, and the responsibility for the processing of personal data depends to some extent on how the services are provided, and to whom. SWESTEP’s responsibility for the different categories of data subjects that may take part in an electronic signature process within SWESTEP (“SWESTEP workflow”) is as described below:
(i) SWESTEP Users: representatives of SWESTEP customers with an individual admin or user account registered in SWESTEP subject to a valid license agreement between SWESTEP and the SWESTEP customer.
SWESTEP Users may initiate SWESTEP workflows, receive invitations to take part in SWESTEP workflows initiated by a third party, and retain their signed documents and templates in their e-archive within SWESTEP.
SWESTEP may contact SWESTEP Users through SWESTEP or through a representative, via phone or email in order to give updates on our products, services or concerning other account related issues.
SWESTEP is a processor on behalf of SWESTEP’s customers. The legal basis to process personal data of SWESTEP Users is the necessity to provide the services under the SWESTEP License Agreement between SWESTEP and the SWESTEP customer.
We may also use personal data of SWESTEP Users for marketing and sales purposes. SWESTEP may contact SWESTEP Users through SWESTEP or through a sales representative of SWESTEP, via phone or email in order to give you updates on other products or other materials SWESTEP deems may be interesting to you. When we process personal data for marketing and sales purposes we make a legitimate interest assessment, by taking into consideration our existing relationship with you, whether it would be reasonably expected by you that the processing takes place and whether we can fulfil the same business outcome without processing personal data. We do not process personal data for marketing and sales purposes where the processing does not pass these criteria.
(ii) Representatives of SWESTEP resellers’ customers: representatives of SWESTEP resellers’ customers with an individual admin or user account registered in SWESTEP subject to a valid sub-license agreement with an authorized reseller of SWESTEP.
Representatives of SWESTEP resellers’ customers may initiate SWESTEP workflows, receive invitations to take part in SWESTEP workflows initiated by a third party, and retain their documents in their e-archive within SWESTEP.
SWESTEP is a subprocessor of the SWESTEP reseller who in turn processes personal data on behalf of their customer. SWESTEP may contact representatives of SWESTEP resellers’ customers through SWESTEP or through a representative, via phone or email in order to give updates on our products, services or concerning other account related issues.
The legal basis to process SWESTEP reseller customer representatives’ personal data is to provide the services under the SWESTEP Sub-License Agreement between us and the reseller.
(iii) Private account holders: individuals that have opted in for a limited, cost-free account in SWESTEP.
When a private account holder signs a document in SWESTEP, this will be retained within that party’s own e-archive within SWESTEP.
Private account holders may only initiate SWESTEP workflows through SWESTEP subject to such restrictions for cost-free accounts as SWESTEP maintains from time to time.
For private account holders, SWESTEP primarily acts as a controller because the service is provided cost-free and SWESTEP may single-handedly re-determine the terms for the free account, or withdraw the same at any time. Thus, SWESTEP reserves the right to terminate the account of an inactive private account holder. In case of such termination, SWESTEP will provide due pre-warning to the email registered in the account and enable the private account holder to offboard the contents of their account prior to final deletion thereof.
The legal basis to process SWESTEP Private account holders’ personal data is to provide the services under the Terms of Service that the private account holder agreed to before creating a SWESTEP account.
(iv) External SWESTEP users: individuals that have received an invitation message to review or sign a document made available through SWESTEP, and that have no account of their own within SWESTEP. (An external SWESTEP user may opt in to become a private account holder in SWESTEP.)
External SWESTEP users only take part in a SWESTEP workflow when so invited.
SWESTEP remains a processor, or subprocessor, on behalf of the customer that initiated the specific electronic signature process.
The legal basis to process External SWESTEP users’ personal data is to provide the services under the SWESTEP License Agreement between SWESTEP and the controller.
N.b. should SWESTEP itself be the initiator of the SWESTEP workflow, then SWESTEP is the controller, in which case the legal basis is the necessity for the performance of a contract between us and the recipient of the SWESTEP workflow.
Is my data secure with SWESTEP?
Security is a core value of SWESTEP. Ensuring the security of customer and company data is important as our customers, employees and partners hold us in a position of trust with their confidential data. SWESTEP applies the principles of Privacy by design and Privacy by default in developing, maintaining and providing the SWESTEP service, as well as in the handling of personal data for other purposes.
To this end SWESTEP has implemented information security management and data protection policies covering i.a. acceptable use, access control, operations, technology, applications, data management, business continuity and physical security. The rules and controls within these policies are considered the security baseline for information assets owned/controlled or otherwise processed by SWESTEP. Such policy documentation may be provided upon request.
The policies and processes relating to information security are subject to at least yearly management reviews.
What security measures has SWESTEP implemented?
SWESTEP continuously educates staff on security. 2FA login, VPN, individual accounts, and activity logging are implemented as appropriate for employees with access to SWESTEP’s infrastructure and for employees with customer support tasks in the system. Access to systems is given to employees on a need-to-have basis and is governed by an approval process. Testing and production environments are separated, and data is never transferred between them.
For the actual servers, SWESTEP has firewalls, anti-virus and encrypted communication where feasible and reasonable. All documents are individually encrypted with keys stored in a different geographical site from the documents and the key storage itself is also encrypted. The security of the system as a whole is regularly tested by means of penetration tests performed by a third party.
The data centers used by SWESTEP have appropriate levels of security and are certified with ISO-27001, amongst other standards.
How is personal data processed within SWESTEP?
When SWESTEP acts as the processor (or subprocessor) on behalf of a customer using the service, the customer is responsible for the processing of your personal data and the legal basis of processing.
This information is necessary for us to process for the purpose of performance of the contract with you/the company you represent. Without this information we will not be able to provide the Service to you. We keep this data for the duration of our agreement with you/your employer and for up to 10 days thereafter.
This information is necessary for us to process for the performance of the contract with you/the company you represent and to provide you with support in relation to our service. We keep this data for as long as you/the company you represent retain your documents within the e-archive of SWESTEP. However, we also process some of your interactions with us due to our legitimate interest of being able to understand how you use the service in order to improve the service for the benefit of all our customers.
For further details about data handling within SWESTEP, please refer to the SWESTEP Terms of Service.
Third country transfers
SWESTEP does not transfer personal data outside of the EU/EEA within the context of providing our service, and all our processors are located within the EU/EEA.
However, through the SWESTEP workflow, you and your counterparts may in each separate case access the processed document remotely (via internet) from anywhere. SWESTEP has no way of knowing where the recipient of the email and/or SMS notifications (invitations, reminders, confirmations) sent through SWESTEP will be located geographically; some recipients may therefore be located in a region outside of the EU/EEA. Such transfer of personal data to third countries is necessary for the performance or conclusion of a contract (signing a document electronically) that is in the interest of a data subject or that a data subject is a party to.
Processing outside of SWESTEP Service
How does SWESTEP process personal data outside of SWESTEP Service?
SWESTEP is processing personal data outside of SWESTEP Service as described below:
Processing for invoicing and payment purposes
SWESTEP processes the following information regarding you:
This information is necessary for us to process due to legal requirements, such as book-keeping/financial laws that SWESTEP is subject to. This information is kept for as long as the law requires.
Processing for marketing purposes
Based on our legitimate interest to market our products and services, SWESTEP seeks out new potential customers through various public and commercial sources such as for example LinkedIn and similar. SWESTEP may also collect information directly from you from events, fairs or our website using cookies or forms based on your consent. The information that SWESTEP collects for marketing purposes are:
We keep such information for eighteen months unless you before that time become a customer, qualify as an opportunity or subscribe to information from SWESTEP.
You can at any time ask us to stop processing personal data that we process on the basis of your consent by reaching out to us.
Processing for customer support purposes
When you contact SWESTEP with a support request in any form (for example by submitting an online form, email etc.), either as an existing customer or as a non-customer, we process any data you provide to us to assist you with your request or to refer you to the relevant department at SWESTEP. We may contact you multiple times in relation to your request. The legal basis for such processing is either the contract between SWESTEP and you/the company you represent or your consent.
We may also process some of your interactions with us due to our legitimate interest of being able to understand how you use the service in order to improve the service for the benefit of all our customers.
Processing of information provided to us for recruitment purposes
SWESTEP will process the information you provide to us for a job application, for recruitment purposes during the specific recruitment process and within a year from the end of such recruitment process.
SWESTEP will also process the information you send in any open applications via the links provided on our website for recruitment purposes in relation to any relevant positions for one year from the submission of your application.
Both types of applications will be processed via a candidate profile which brings together the information you provided. Your candidate profile may be of interest for SWESTEP in other recruitment processes, which means that if your candidate profile matches other vacant positions than the position you have applied for we may contact you to see if you find interest in other recruitment processes.
The legal basis for processing information provided in both types of applications is your consent.
Third country transfers
Some of the service providers that SWESTEP utilises for marketing purposes keep their data located outside of the EU/EEA. When personal data is transferred to these service providers, SWESTEP always ensures that the personal data is protected through a transfer mechanism deemed appropriate in accordance with the GDPR.
Sharing your personal data
SWESTEP does not share your personal data, except in the following cases:
To others in the SWESTEP workflow
Irrespective of whether you are a sender or receiver of a document in a SWESTEP workflow, you and the other party/-ies invited to that workflow receive information on the other party/-ies taking part in that workflow. Such information is necessary for the execution of the workflow, to identify/authenticate the individuals taking part in accordance with the methods as configured in the SWESTEP service by the sender, and to enable SWESTEP to produce the evidence package (including a transaction log) that is attached to each document signed through SWESTEP. Thus, such information typically includes names, emails, mobile phone numbers, title, company details and IP-addresses. In addition, this may also include a drawn signature (added by a party) and evidence of eID authentication (including inter alia ID number or similar) when and as required for a stronger authentication.
To service providers
In order to be able to provide the services or support services, conduct marketing or keep our financials, SWESTEP employs several service providers, such as for example hosting partners and system providers.
These service providers may only process your personal data on behalf of us and in accordance with our agreement with them, and never for their own purposes. SWESTEP ensures that all its service providers are bound by confidentiality terms and sign a non-disclosure agreement (NDA) regarding information received from SWESTEP. SWESTEP enters into Data Processing Agreements (DPA) with all its service providers and conducts a Data Protection Impact Assessment (DPIA) if the processing activity poses a risk to the rights and freedoms of data subjects.
On the public part of the SWESTEP.com domain SWESTEP may gather:
Information about the visit (page views, time, IP, browser, referring URL etc.)
Information provided by the user in any of the website’s forms
Such data may be used by SWESTEP:
For website statistics
To personalise the website when a visitor returns (e.g. language preference, customisations)
For marketing purposes (e.g. retargeting ads, email campaigns)
When you enter the SWESTEP.com website, you have the option to read our Cookie Declaration and adjust your cookie preferences.
If you do not wish SWESTEP.com, or one of the services we use, to collect information about your visit you may enable the “Block cookies from third parties and advertisers” option in your web browser settings. This will still allow some “non-tracking” cookies to be stored on your computer, such as language preferences. You may also disable cookies altogether in your browser settings. This will, however, limit your web browsing experience and even stop some web services from working, including SWESTEP eSign.
DATA SUBJECT RIGHTS
What are your rights?
The GDPR gives you, as the data subject, certain rights with regard to your personal data.
Thus, you may make a request to the controller for:
access; i.e. a confirmation as to whether or not your personal data are being processed and, when that is the case, the provision of certain information about the processing
This is called a data subject rights (DSR) request. The controller is obliged to respond to a DSR-request as soon as possible and no later than within 30 days. If SWESTEP is the controller of personal data, the DSR requests to SWESTEP should be made by email, addressed to the Data Protection Officer at email@example.com.
Please note that in case you want to make a DSR-request, this must be directed to the controller and that SWESTEP cannot accommodate such a request where SWESTEP is the processor, or subprocessor.
Contact and questions
SWESTEP AB, org no 556898-9825, with registered address at Lillvägen 4, 59241 Vadstena, is responsible for the processing as described in this policy.
If you have any questions regarding how SWESTEP is processing your personal data, how functions within SWESTEP eSign can be used for different purposes in this regard, or would like to come in contact with our Data Protection Officer, do not hesitate to contact us at firstname.lastname@example.org.
Terms of Service
These terms of service (“Terms”) apply to the use of the electronic service (“Service” or “SWESTEP Access”) for accessing documents by different parties (either as a private person or as representative of a legal person) (“Parties”) developed and provided to you (“You” or “User”) by SWESTEP AB (“SWESTEP”). The Terms are an agreement between you (“You” or “User”) and SWESTEP. By using, creating an account and/or by logging into the Service (whether directly or indirectly), You accept and agree to the Terms. SWESTEP reserves the right to, without liability, at any time, amend, add or remove parts of these Terms. It is Your own responsibility to stay informed of any update of the Terms each time You use the Service. Your continued use of the Service after changes have been made in the Terms means that You accept and agree to those changes. You understand and agree that as a User of the Service You remain bound by and shall adhere to the Terms even though You may be contractually licensed to use the Service under any separate confirmed order or license agreement by and between the legal entity You represent (“Your Company”) and SWESTEP.
You are responsible for maintaining the confidentiality of, and protecting Your account information, including passwords. You are responsible for all activity on Your account. You shall immediately notify SWESTEP on suspicion of unauthorised use or attempted unauthorised use of Your account or Your code, or other security breach.
When You open an account in the Service, SWESTEP may contact you through the Service or through a representative, via Your phone or email in order to give you updates on our products or Service or other materials SWESTEP deems may be interesting to you. If You do not wish to receive our mailings via email, please send an email to email@example.com. Please note that SWESTEP will still need to communicate with You via email about Your transactions and other account related issues, and that these emails will not be eliminated by the above procedure as these communications are a part of the Service provided.
5. Proprietary Rights
You acknowledge and agree that (i) SWESTEP, and licensors to SWESTEP, own all property rights to the Service and all interests therein, including intellectual property rights contained in the Service (whether those rights are registered or not, and wherever in the world those rights may exist); (ii) You may not decompile, disassemble, or reverse engineer the Service, nor alter or duplicate any aspect of the Service except as explicitly permitted by SWESTEP; and (iii) unless otherwise agreed in writing with SWESTEP nothing in the Terms gives You the right to use any of the SWESTEP trade names, trademarks, logos, domain names or other distinguishing marks. SWESTEP acknowledges and agrees that SWESTEP under these conditions obtains no right, title or interest from You (or Your licensors) in or to any content You submit, post, transmit or display on or through the Service, including intellectual property rights which may subsist in that content.
No legal advice: It is Your responsibility to evaluate the accuracy, completeness, or usefulness of any information, opinions, advice, documents, contracts, or other content available through the Service. No part of the Service shall be regarded as legal advice. Neither SWESTEP nor its licensors and affiliates shall be liable for any errors or omissions in the content, or for the consequences of actions based on reliance on any content.
The Terms shall apply equally and without limitation in the event that You/Your Company have been granted a sublicensed right to use the Service under a separate agreement with a Reseller. In such event the Reseller shall be deemed to replace SWESTEP as the contractual counterpart wherever the context so requires. For the avoidance of any doubt; in the event that You/Your Company uses the Service via a Reseller, SWESTEP’s role is delimited to being the licensor of the Service to Reseller, and SWESTEP shall never be deemed to have any contractual relationship with, nor liabilities to, You/Your Company on the basis of the Terms.
The conditions of this section of the Terms shall apply as an integrated part of Your/Your Company’s license agreement with SWESTEP unless and to the extent that; (i) Your Company’s separate valid license agreement with SWESTEP includes conditions addressing substantially the same subject matters as covered in this section, in which case such other conditions of the License Agreement shall prevail; or, alternatively (ii) Your Company has a valid sublicensing agreement with a Reseller that includes conditions addressing substantially the same subject matters as covered in this section, in which case the conditions of such separate agreement shall prevail.
This English version of these Terms shall be deemed as the original, governing version. SWESTEP may make the Terms available in other languages for convenience and information purposes on its website or elsewhere. In the event of any conflict between the English language version of the Terms and any subsequent translation into any other language, the English language version shall govern and control.