
Data Processing Addendum

Effective: 27 May 2026 · Version 0.1 (pre-launch)

This Data Processing Addendum (“DPA”) supplements Sigil’s Terms of Service where the customer (“Controller”) uses Sigil (“Processor”) to process personal data on behalf of identified individuals.

Roles

  • For data the Controller’s users entrust to Sigil (credentials, audit logs, grants), the Controller is the data controller and Sigil is the data processor.
  • For data Sigil collects to operate the service (account identifiers, technical telemetry), Sigil is the controller for that processing.

Processing scope

Sigil processes personal data only to provide the contracted service: storing encrypted OAuth tokens, evaluating permission grants, proxying tool calls, and maintaining the audit log.

Security measures

  • Encryption of credentials at rest with per-user AES-256-GCM keys, master KEK in a hardware security module.
  • Authentication for staff access to production via passkey + MFA; principle of least privilege.
  • Append-only audit logging of every state change.
  • Annual penetration testing once revenue justifies it; in the meantime, quarterly internal review of access and roles.

Sub-processors

Sigil’s current sub-processors are listed in our Privacy Policy. We’ll notify the Controller of any changes at least 30 days before they take effect.

International transfers

Personal data is held in the United Kingdom (Azure UK South) and the European Union (Auth0 EU, Sentry EU). Transfers outside these regions rely on the UK’s adequacy decisions and on each sub-processor’s standard contractual clauses where applicable.

Data subject requests

Sigil provides self-service export and deletion via the dashboard. The Controller may also instruct Sigil in writing to assist with a data subject request; we’ll respond within 14 days.

Audits

On reasonable written notice, the Controller may audit Sigil’s compliance with this DPA, no more than once per twelve months and subject to confidentiality. Where Sigil holds an independent attestation (SOC 2 once achieved), that report may be provided in lieu of an on-site audit.

Term and termination

This DPA remains in effect for the duration of any active customer contract. On termination, Sigil deletes or returns Controller data within 30 days unless retention is required by law.

Contact

Operational matters: dpa@joinsigil.com.

Pre-launch v0.1. A version reviewed by counsel and bound to our eventual legal entity will replace this before any business customer is onboarded.