Privacy Policy for ExSign for Microsoft 365

Hosting Controller Inc. ("we," "our," "us") is committed to protecting the privacy and personal data of users of ExSign for Microsoft 365 ("ExSign"). This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

Data Controller and Data Processor Roles

Customers (you) act as the Data Controller, determining the purposes and means of processing personal data within ExSign.

Hosting Controller Inc. acts as the Data Processor, processing data on your behalf in accordance with your instructions and the Data Processing Agreement (DPA).

What Information Do We Collect?

We may collect and store personal data about you (referred to throughout this privacy policy as Personal Information). The Personal Information we collect includes the following categories:

• Email Address
• Email Unique Id
• Email Subject
• Email Contents (for any failure in delivery, we need to store email content for some time for the final delivery.)

Purpose and Legal Basis of Processing

We process Personal Information solely for the following purposes:

• To generate and apply email signatures and disclaimers in line with your configuration.
• To provide, maintain, and improve ExSign services.
• To ensure system security, fraud prevention, and compliance with legal obligations.
• To provide customer support and resolve technical issues.

The legal basis for processing includes:

• Performance of Contract (Art. 6(1)(b) GDPR) – delivering the ExSign service.
• Legitimate Interests (Art. 6(1)(f) GDPR) – ensuring service reliability, fraud prevention, and security.
• Legal Obligations (Art. 6(1)(c) GDPR) – compliance with applicable regulations.

Data Retention

• Customer data is retained for 90 days after service termination, after which it is securely deleted.
• If a customer deletes their tenant from ExSign, an instant (soft) delete is performed.
• System and security logs may be retained for a limited period (as required for compliance and auditing).

Data Sharing and Subprocessors

We may engage trusted subprocessors (such as Microsoft Azure) to host and process data securely. Subprocessors are bound by contractual agreements ensuring GDPR compliance.

We do not sell, rent, or trade personal data with third parties. Data is only shared when required by law or with your explicit consent.

International Data Transfers

In the course of providing the ExSign service for Microsoft 365, Customer Data may be transmitted solely between the service components of ExSign, as necessary for the provision of the Services. Such transfers are strictly limited to internal communication between ExSign service components and shall never be transferred, disclosed, or made accessible outside of the ExSign service infrastructure, regardless of circumstance or reason.

The components of the ExSign cloud service may reside in diverse geographical regions; however, any transfer of Customer Data remains confined to the secure boundaries of the ExSign service components. Hosting Controller shall implement and maintain appropriate technical and organizational measures to ensure that all such transfers are secure, controlled, and fully compliant with applicable data protection legislation, including the GDPR.

Security of Personal Information

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

• Data encryption in transit and at rest.
• Role-based access control.
• Regular audits, monitoring, and vulnerability management.
• High availability and redundancy through Azure infrastructure.

Data Subject Rights

As a data subject, you (or your end-users) have the following rights under GDPR:

• Right of access – obtain a copy of personal data processed.
• Right to rectification – correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten").
• Right to restriction of processing.
• Right to data portability.
• Right to object to processing.
• Right to lodge a complaint with a Data Protection Authority.

Requests should be directed to your organization as the Data Controller. Hosting Controller will assist the Data Controller in fulfilling these requests.

If a data subject request or other communication regarding the processing of customer data is made directly to us, we will promptly inform you and will advise the data subject to submit their request to you. You will be solely responsible for responding substantively to any such data subject requests or communications involving customer data.

Cookies and Tracking

By default, we only use cookies that are strictly necessary for the proper functioning of our Billing Portal and ExSign Portal. These cookies enable essential features such as secure login and session management.

We may also use functional cookies to support specific site functionalities—for example, remembering your language preferences or interface settings. These cookies remain active to ensure a consistent user experience but do not store any personally identifiable information.

Functional cookies are stored on your device only with your prior consent. You can withdraw your consent or modify your cookie preferences at any time through your browser settings.

Changes to this Privacy Policy

We may update this Privacy Policy to reflect service improvements, legal requirements, or other factors. Updates will be posted on our website with a revised "Last Updated" date.