Signom privacy policy

Updated 18.10.2022

1. Introduction

twoday Oy has committed to protecting the privacy of the users.

The purpose of this document is to inform the users about the collection of personal data according to General Data Protection Regulation (“GPDR”) (EU 2016/679) 12 article.

This document is also a record of processing of personal data in accordance with article 30 of EU GDPR.

2. Data controller

Data controller is Keskinäinen Eläkevakuutusyhtiö Ilmarinen that has purchased the service.

twoday Oy operates as a data processor.

Contact information:

twoday Oy
Keskuskatu 3
00100 Helsinki

Email address for inquiries:support.signom@twoday.com

3. Name of the register

twoday Oy user register

4. Purposes of processing personal data

The purposes of processing personal data in the user file are:

  • Providing the services described in chapter 5.
  • Organizing support services for the users, tracking contacts to customer support and ensuring the quality of customer service.
  • Sending marketing messages to users via email, if the user has specifically given permission to send marketing messages.
  • Organizing user surveys to improve the quality of the services.
  • Tracking the use of the service for billing purposes and processing service use payments.
  • Preventing and investigating problems with the service and abuse of the system.
  • Ensuring the legal rights of the customers and twoday Oy.
  • Performing the obligations that are based on law or official orders.

By registering to the service the user consents to collecting the personal data of the user for the purposes listed in this privacy policy.

5. Services

5.1 Authorization management service

Service description

Based on the use case of identification service, information about corporate roles and/or credit information of the user can be attached to the identification information.

User can review and accept the identification information that is transferred.

Personal data collected in the authorization management service

  • Information about main users
    • Name, email address and national identification number
    • Identification number of the company
  • Information about authorizations
    • Name of the authorized person, email address and national identity number
    • Identification number of the company that the authorization is related to
    • Additional information about the authorization
  • Information about identification and login events

Use and transfer of personal data

The information in authorization management service are used in the identification service and in the signature service.

Period for which personal data is stored

The information is stored until further notice.

Accessing personal data

Users can log in to the authorization management service to access their personal information.

Correcting personal data

If a granted authorization is not valid, users should contact the main user who granted the authorization.

5.2 Signature service

Service description

Signom signature service is a service for electronically signing PDF-files. A web-form solution can be attached to the signature service. A web-form solution means that a user first fills a web form, and the information is then transferred to a PDF document, which is then signed.

Collected personal data

Personal data collected in the signature service

  • National identification number of the user
  • Information about identification and login events
  • Contact information
    • Email addresses
    • Postal address
    • Phone number
  • For each company role, the following information is collected from trade register
    • Position in the company
    • Identification number of the company
    • Rules of representation of the company
  • Metadata about documents
    • Information about document parties
      • Name
      • Email address
      • Role in the document
    • State of the signing process
    • Event log for the signing process
    • For each document file
      • User who uploaded the file
      • File name
      • File size
      • File hash code (SHA-256 and SHA-512)

Use and transfer of personal data

The personal data is used to create electronic signatures and to verify them later.

In signature service all parties to a document can see the details of the document, but users cannot see the national identification number or identification details of other users.

In a corporate implementation of signature service the authorized main users can add other users to the service and define permissions to access the corporate documents.

Period for which personal data is stored

The documents are stored in the service until all signatories have signed the document. After this the documents are available for a service-specific period (1-90 days), after which they are deleted. During this period the signatories should save the signed PDF-file. After the period, the files are deleted from the service.

Document metadata (listed above in chapter “Collected personal data”) is stored until further notice.

Accessing personal data

User of signature service can log in to the service and access his/her personal data and information about signed contracts.

Correcting personal data

To change the documents before signing them, users should contact the creator of the document.

Signed documents cannot be changed. If a signed document contains an error, users must create a new document.

5.3 Identification service

Service description

In the identification service the user is identified as a represantive of a company, and information about the represented company is sent to an e-Service. For the avoidance of doubt, the service is not an identification relay service defined in electronic identification law (617/2009).

Collected personal data

  • Name and national identification number of the user
  • Information about identification and login events
  • For each company role, the following information is collected from the Finnish trade register
    • Position in the company
    • Identification number of the company
    • Rules of representation of the company
  • Information about which company the user represents in an identification transaction

Use and transfer of personal data

The information is used for corporate identification and to verify the identification transactions later.

Period for which personal data is stored

Information about identification transactions is stored for 5 years.

Accessing personal data

User can contact Signom customer service at support.signom@twoday.com to access his/her own data.

Correcting personal data

If the user's corporate role information is incorrect, the user can contact support.signom@twoday.com to correct the role information.

6. Transfer of personal data

Personal data can be transferred to third parties for providing the service or providing a joint service. The third parties do not process personal data for any other purpose than providing the services. The third parties are bound to non-disclosure agreements.

Signom can share statistical information about the use of services with for example potential partners or advertisers. Individual users cannot be identified from the statistical information

If the user has subscribed to a paid service, Signom can transfer personal data to a payment processor to collect the agreed service charges.

Signom can transfer personal data to authorities when required by an applicable law, for example to prevent and investigate system abuse and criminal activity.

If the business related to a certain service is transferred to a third party, Signom will transfer personal data to the new owner of the service. In this scenario, Signom will ensure the equivalent protection of personal data with contracts.

twoday Oy will not transfer personal data outside the European Union or the European Economic Area.

7. Protection of data

Personal data is stored to servers that are protected with firewalls and other best practices of the industry. The communication with the service happens through encrypted TLS-connection.

Right to process personal data is limited to only those employees of twoday Oy that have a need to access the information. Information about accesses to personal data is saved to a log file.

Malicious third parties might try to deceive users by creating phony sites that imitate the service site. Because of this risk it is important the users of the service always ensure that the site that they visit is in the domain https://www.signom.com.

8. Rights of users

This chapter explains the user rights. For exercising the rights, users are adviced to contact Signom customer service at support.signom@twoday.com.

Right of access

Chapter 5 contains per-service description, how the user can access his/her personal data.

Right to correction

Chapter 5 contains per-service description, how the user can correct his/her personal data.

Right to object

User can object to process of personal data for direct marketing and surveys. Each marketing and survey message that twoday Oy sends has instructions and a link to cancel such messages.

Right to data portability

User has right to receive his/her personal data, in a structured, commonly used and machine-readable format.

Right to erasure

User can request closing of the account by contacting Signom customer support.

9. Personal data breach

If twoday Oy becomes aware of a personal data breach that is likely to seriously risk the privacy of the users, twoday Oy will notify the affected users by email without undue delay.

The notification includes what personal data records are concerned, what are the likely consequences of the data breach, and what measures twoday Oy has taken to address the data breach.

10. Cookies

A cookie is a small text file that a browser stores in the user’s device. User can prevent the storing of cookies in the settings of the internet browser.

Services use cookies to identify the user during a session. It is not possible to use the services, if the cookies are not allowed.

Services use cookies to verify the strong identification of the user. With the saved identification cookie it is possible to verify the user has performed strong identification on the same device, so that the user can log in using only Signom-credentials. The identification cookie does not contain identifiable information about the user.

Services use cookies to collect statistics about the use of service using Google Analytics. The information collected for statistics include the device type, operating system, browser software, language settings and the site that transferred user to the service. The statistics information is collected anonymously so that individual users cannot be identified.

11. Changes

twoday Oy reserves a right to change this privacy policy. A notification about the changes is published on the twoday Oy’s website

12. Applicable law and supervisory authority

The processing of personal data is governed by Finnish Data Protection Act (1050/2018) and EU General Data Protection Regulation (GDPR).

The supervisory authority is Finnish Data Protection Ombudsman.