Trust is the key to our product
Everything we do is in order to maximise trust
We aim to hold the minimum amount of information required to allow us to provide our services
We never release, copy, or otherwise provide your information to any third party unless absolutely required to provide our service to you, or by New Zealand law or that of another state with jurisdiction
Any person about whom we hold information has the absolute right to ask us to amend, modify, or permanently erase their information. We will comply with their request as soon as possible
Personal information we hold
Prior to 8:00am 4 October 2020 UTC
We store email addresses for document creators, referred to as editors. Editors' email addresses are used to identify the editor and provide their information when requested by the app
We also store email addresses for signatories when a document Editor chooses Single Signature. Editors provide the signatory's email address along with any request for a signature. We use this email address to notify the signatory that a signature has been requested, and as a unique identifier to provide the correct information
Long term, we store these email addresses in an encrypted, unreadable format together with the hash of the document that was signed. Being encrypted, they cannot be read. When a document is verified, they are decrypted and presented along with the signature's timestamp as credence for the verification - you can see that the details match the document being verified
We temporarily store full names of signatories when a document Editor chooses Single Signature. Editors provide a full name along with any request for a signature. This name is appended to the signature that is eventually created
After 8:00am 4 October 2020 UTC
No private information is held long-term under normal circumstances
Where information is required to be stored long-term, that information is placed in Forms and/or Sheets owned by the user.
Where "Email them for me" is chosen, we send an invitation email on behalf of the person requesting the signature. This is a core element of the product as it ensures that only the intended recipient can sign by virtue of their control of the destination email address.
The invitation email (sent to the signatory) and email confirmation of completed signing (sent to the person requesting the signature) are "trashed" immediately but remain in our system for 30 days. This is to allow us to alert the person requesting the signature that the invitation email was rejected or the recipient address does not exist or other similar matters (delivery troubleshooting).
Those emails are only used for those and materially similar purposes. After 30 days they are erased permanently.
Multiple Signatures (Classic) - signature image and metadata - sporadically
Multiple Signatures (Classic) may store signature images and associated metadata (possibly name and or email, or other details as generated by the signatory) temporarily when there's a problem adding them to their respective Sheets.
Any such records are deleted periodically by us. The owner of these records can use "Dashboard" functions to delete them also.
Update 27 July 2021: We want to clarify Single Signatures. "No private information is held under normal circumstances" has been updated to "No private information is held long-term under normal circumstances". The "Single Signatures" subheading and content have been added. Summary of changes: We temporarily hold signatory details in order to provide the core invitation delivery and troubleshooting service.
Why information is held/Purpose for data retention
If the Principal add-on user is involved in Education
The principal add-on user is the person that uses the add-on while editing their Form to enable signing features via the add-on.
All retained information is retained for education purposes. Specifically, to enable the principal add-on user to use the add-on to facilitate their educational purposes.
All other cases
All retained information is retained in order for the add-on to provide the core add-on services.
Added 25 October 2021
How long information is held for
Prior to 8:00am 4 October 2020 UTC
Editor email addresses
Editors' human-readable email addresses are held until the Editor requests that they be deleted. We also periodically delete inactive records without notice. If an Editor's record is deleted and they return, a new record is created for them
We keep this human-readable to allow quicker support and troubleshooting if required
Only the Director of Gigaccounting Ltd is able to see these addresses
Signatories' names and email addresses
Human-readable details are collected when provided by the Editor on requesting a signature using the Single Signature product
No signatory details are held for the Multiple Signatures product - we do, however, maintain a "bot" account which can read the Form's Response Sheet, including responses and signatory details. This is to enable us to re-verify any previous signature. The "bot" account is unmanned and only accessible by the Director of Gigaccounting Ltd. if absolutely required
As above, these are kept human-readable to allow quicker support and troubleshooting
When the Single Signature has been completed
we permanently delete the name
we store an encrypted (unreadable) copy of the email address against the hash of the signature
When an Editor cancels a signature request, both the name and email address are permanently deleted
In these cases, the deletions and encryption are done immediately by the program
After 8:00am 4 October 2020 UTC
Where "Email them for me" is chosen, we send an invitation email on behalf of the person requesting the signature. This is "trashed" immediately but remains in our system for 30 days to allow for delivery troubleshooting and alerting.
Multiple Signatures (Classic) - signature image and metadata
Any stored information is deleted at times determined by us. Typically, we review the stored records every two months.
Update 27 July 2021: Clarifying Single Signatures. "Single Signatures" subheading and content added. Summary of changes: We temporarily hold signatory details in order to provide the core invitation delivery and troubleshooting service.
Where is information held
We store all data in Google products, so information is stored in Google servers internationally
We are absolutely confident in Google's data privacy policies
Any data is stored in an account that can be accessed only by the Director of Gigaccounting Ltd.
For signatures made with the Multiple Signatures products, we maintain access to data via a "bot" account. The data is owned by the Form's Editor and stored within their own Google products
Who has access
In normal circumstances, no person will view personal information
Where it is necessary for a manual change to be made, for instance if you ask us to delete your information, this will be done by the Director of Gigaccounting Ltd.
The Director will also be the person who liaises with you about the manual change
A legitimate legal authority who has jurisdiction over us or you may also demand information. We will comply to the extent we are required to
We use Stripe to process payments
When you purchase more signatures, we provide Stripe your email address. This is to ensure that when payment is made, the purchased signatures can be applied to your account. We don't provide any other personal details to Stripe
Similarly, Stripe don't provide us any personal information other than the email address we provided them. We never see anything to do with your credit card
Amend or delete
Any person about whom we hold information has the absolute right to ask us to amend or delete their information, and we will comply with their requests as soon as possible
We use email addresses as true identities. You simply need to email us from the account to which the change relates
Identify a data breach
All information is held within Google products, so any potential breach is limited to account access/sign in. All sign-in attempts require two-factor authentication.
We make use of Google's standard sign-in alerts to detect any unapproved sign-in attempts. All sign-in attempts will be reviewed taking into account the frequency, source, and device type where those details are available. The Director is aware of all legitimate sign-ins, and any access not known to the Director is considered a breach.
We have assessed that because all products with access to data are within the Google platform, relying on the Google security auditing tools is the best option.
Where Google itself has a data breach, we defer to their own policies entirely.
Determine an appropriate response
Any breach will trigger a full breach response, starting with logging all relevant details about the unapproved sign-in from Google's security tools. The log will be reviewed to assess how this attempt relates to others, which may indicate that special steps should be taken to prevent further attempts.
If the attempt was unsuccessful, no further steps will be required, but the Director may choose to change passwords and MFA devices.
Immediately contain and stop the spread of a breach
If a sign-in was successful, the Director will use the Google administrator account to remove access for the unapproved device, and will set a new strong password for the related account. The MFA device that authorised the sign-in will be de-authorised.
If a breach is discovered to be caused by any entity within the control of the Director, that entity's access will be revoked immediately.
Evaluate the effects of a breach
Products that have built-in change monitoring (Google Drive, Sheets) will be reviewed for access and changes. Items that have been accessed in any form not clearly known to the Director will be considered potentially breached.
Products that don't have built-in change monitoring (Google Firebase, Forms) will all be considered potentially breached.
Where the relevant account's access is limited to only some products or items, only those items will be considered potentially breached.
Built-in change monitoring, where available, will be utilised to assess if any unauthorised changes have been made to data content and/or sharing policies for each item.
All potentially affected items will be assessed for the types of data that may have been breached (their general contents). Where the contents are unknown, it is assumed they contain personal information. We will not access any items that aren't specifically relevant to the running of the add-on to make this assessment (i.e. the primary add-on user's account with us).
Discover the cause of a breach
Logs and alerts of sign-in and other activity will be assessed to determine the cause of a breach. Relevant data will include the offending IP address, device, and time of day, among others.
Notify affected individuals
"Data Controllers", "Form Owners", or other names may relate to the principal user of the add-on. This is the person that uses the add-on to activate signing for their Forms. The principal add-on users will be notified by email within 24 hours of any potential breach that is relevant to them and their data items.
Where a breach extends to sources of data that contain or may contain information about other people, we will not make direct contact with those people unless the principal user of the add-on requests it.
Follow-up email contact will be made as appropriate to aid understanding.
Improve security after a breach
Accounts, passwords and multi-factor authentication devices will be reviewed and updated or removed if necessary.
Commercial partners' (currently just Google) security policies will be reviewed for appropriateness and those relationships may be updated, changed, or those partners may be replaced.
If the cause can't be found: all device permissions will be reset, all passwords changed, and a new multi-factor device and/or method will be used.
This policy will be updated to clarify or amend any clauses as we deem necessary.
Added 25 October 2021