Soublox Tecnologia LTDA – sign2.me

Last Updated: February 2026

1. Introduction

1.1 Soublox Tecnologia LTDA (“we”, “us”, “our”), trading as sign2.me, is committed to protecting and respecting your privacy. We are registered as a Software Development company in Brazil under CNPJ 20.353.430/0001-02.

1.2 About sign2.me: sign2.me is a Salesforce AppExchange application that enables electronic signature workflows within Salesforce organizations. Our product is installed directly into our customers’ Salesforce orgs, and all signature data, documents, and end-user information remain within the customer’s Salesforce environment.

1.3 Data Controller vs. Data Processor: It is important to understand our role in data processing:

  • (a) For most data: We act as a Data Processor on behalf of our customers (the Data Controllers). All signature documents, recipient data, and workflow information are stored exclusively in the customer’s Salesforce org.
  • (b) For specific services: We act as a Data Controller for limited data processed through our CPF Validation Service and Email Delivery Service, as described in Sections 5 and 6.

2. Data Storage Model

2.1 Customer Data Remains in Salesforce: sign2.me operates as an AppExchange application installed directly within our customers’ Salesforce organizations. We do NOT store, access, or retain the following data:

  • (a) Signature documents and contracts uploaded by customers
  • (b) End-user (signer) personal information such as names, email addresses, phone numbers
  • (c) Signature images, timestamps, or audit trails
  • (d) Any workflow or transaction data related to the signature process

All such data remains exclusively within the customer’s Salesforce org and is subject to the customer’s own data protection policies and Salesforce’s security infrastructure.

2.2 Subdomain Service: We provide customers with a custom subdomain (e.g., customername.sign2.me) that redirects to their Salesforce org. This subdomain does not store any data; it serves solely as a branded entry point to the customer’s Salesforce environment.

2.3 Data We Process: We only process and temporarily store data for two specific add-on services:

  • (a) CPF Validation Service (Brazil only) – See Section 5
  • (b) Email Delivery Service – See Section 6

3. CPF Validation Service

3.1 Service Description: The CPF Validation Service is an optional add-on available to customers in Brazil. This service validates Brazilian taxpayer identification numbers (CPF) against official government databases to verify signer identity.

3.2 Data Processed: When a customer uses this service, we receive and process the following personal data:

  • (a) CPF number (Cadastro de Pessoas Físicas)
  • (b) Date of birth

3.3 Purpose of Processing: The data is used solely to query official Brazilian government databases and return validation results to the customer’s Salesforce org.

3.4 Data Retention for CPF Service: 

  • (a) Processing Storage: CPF and date of birth are stored only for the duration necessary to process the validation request (typically seconds to minutes).
  • (b) Log Retention: We retain minimal transaction logs (without CPF or date of birth) for 30 days for service monitoring and troubleshooting purposes.
  • (c) No Long-term Storage: We do NOT maintain a database of CPF numbers or associated personal data.

3.5 Legal Basis: Processing is based on the customer’s legitimate interest in verifying signer identity and compliance with Brazilian regulations for electronic signatures.

4. Email Delivery Service

4.1 Service Description: The Email Delivery Service is an optional add-on that allows customers to send signature request emails and notifications through our email infrastructure, rather than using Salesforce’s native email capabilities.

4.2 Data Processed: When a customer uses this service, we process the following data:

  • (a) Recipient email addresses
  • (b) Email content (subject, body text)
  • (c) Sender identification information
  • (d) AWS SES delivery status and response data (bounce, delivery, open, click tracking)

4.3 Data Retention for Email Service: 

  • (a) Primary Storage: Email data (content, recipient addresses, delivery status) is retained for 30 days from the date of sending.
  • (b) Backup Storage: Backup copies are retained for an additional 7 days.
  • (c) Total Retention Period: Maximum of 37 days from the date of email sending.
  • (d) Automatic Deletion: After the retention period expires, all email data is permanently deleted from our systems.

4.4 Email Infrastructure: Emails are sent through Amazon Web Services (AWS) Simple Email Service (SES). AWS may process and store email data in accordance with their own privacy and data processing terms. For more information, please refer to the AWS Privacy Notice.

4.5 Legal Basis: Processing is necessary for the performance of the contract between us and our customer, and is based on the customer’s legitimate interest in communicating with their signers.

5. Website Visitor Data

5.1 Data We Collect: When you visit our website (sign2.me), we may collect:

  • (a) Information about your computer and visits (IP address, geographical location, browser type and version, operating system)
  • (b) Information you provide when contacting us (name, email address, company name)
  • (c) Information when subscribing to newsletters (name and email address)

5.2 Purpose: This data is used to:

  • (a) Administer our website and business
  • (b) Respond to inquiries and provide customer support
  • (c) Send newsletters and marketing communications (with your consent)
  • (d) Improve our website and services

5.3 Cookies: Our website uses cookies to distinguish you from other users. For detailed information, see Section 12 (Cookies).

6. Legal Basis for Processing

6.1 We process personal data based on the following legal grounds under GDPR and LGPD:

  • (a) Contract: Processing is necessary for the performance of our contract with customers (providing the sign2.me application and associated services)
  • (b) Legitimate Interests: Processing is necessary for our legitimate interests in operating our business, providing customer support, and improving our services
  • (c) Consent: Where you have given clear consent for specific purposes (e.g., marketing communications)
  • (d) Legal Obligation: Processing is necessary for compliance with applicable laws and regulations

6.2 As a Data Processor for Salesforce-hosted data, we process data in accordance with our customers’ instructions and applicable Data Processing Agreements.

7. Your Data Protection Rights

7.1 Under GDPR and LGPD, you have the following rights regarding your personal data:

  • (a) Right to Access: Request copies of your personal data that we hold
  • (b) Right to Rectification: Request correction of inaccurate information
  • (c) Right to Erasure: Request deletion of your personal data (subject to retention requirements)
  • (d) Right to Restrict Processing: Request limitation on how we use your data
  • (e) Right to Object: Object to processing based on legitimate interests
  • (f) Right to Data Portability: Request transfer of your data to another organization

7.2 Important Note on End-User Data: If you are an end-user (signer) whose data was collected through a customer’s use of sign2.me, your data is stored in that customer’s Salesforce org, not in our systems. To exercise your data protection rights regarding:

  • (a) Signature documents and workflow data: Contact the organization that requested your signature
  • (b) CPF validation data: Contact us directly (we retain minimal data)
  • (c) Email delivery data: Contact us directly (retained for 37 days maximum)

7.3 How to Exercise Your Rights: To exercise any of these rights regarding data we hold, please contact us using the details in Section 15.

7.4 Complaints: You have the right to lodge a complaint with the relevant supervisory authority:

  • (a) In Brazil: National Data Protection Authority (ANPD) – www.gov.br/anpd
  • (b) In the EU: Your local data protection authority

8. Data Security

8.1 Technical and Organizational Measures: We implement appropriate security measures to protect personal data:

  • (a) Encryption: All data in transit is encrypted using TLS 1.3
  • (b) Access Controls: Strict access controls limiting data access to authorized personnel only
  • (c) AWS Security: Our email service operates on AWS infrastructure with SOC 2, ISO 27001, and GDPR compliance certifications
  • (d) Regular Security Reviews: Periodic assessment of our security practices

8.2 Salesforce Security: Data stored in customer Salesforce orgs benefits from Salesforce’s enterprise-grade security infrastructure, including encryption, access controls, and compliance certifications. For details, refer to Salesforce’s Trust and Compliance documentation.

8.3 Data Breach Notification: In the event of a personal data breach affecting data we control, we will:

  • (a) Notify the relevant supervisory authority within 72 hours of becoming aware
  • (b) Notify affected individuals without undue delay if the breach poses a high risk

9. Third Party Service Providers

9.1 We use the following third-party service providers:

  • (a) Amazon Web Services (AWS): Provides cloud infrastructure for our email delivery service. AWS may process data in the United States and other regions. AWS is certified under the EU-US Data Privacy Framework.
  • (b) Salesforce: Hosts the core sign2.me application and all customer data within customer Salesforce orgs.

9.2 We have appropriate data processing agreements in place with all third-party providers to ensure compliance with GDPR, LGPD, and other applicable data protection laws.

10. International Data Transfers

10.1 Email Service Data: Data processed through our Email Delivery Service may be transferred to and processed in the United States through AWS infrastructure. We ensure appropriate safeguards are in place, including:

  • (a) Standard Contractual Clauses (SCCs) approved by the European Commission
  • (b) AWS certification under the EU-US Data Privacy Framework

10.2 CPF Validation Data: CPF validation queries are processed within Brazil and do not involve international transfers.

10.3 Salesforce Data: Data stored in customer Salesforce orgs is subject to Salesforce’s data processing and international transfer mechanisms. Customers should refer to their Salesforce agreement for details.

11. Data Retention

11.1 Retention Periods: We retain personal data only for as long as necessary for the purposes for which it was collected:

Data Type              | Retention Period               | Notes
Email Delivery Data    | 37 days maximum                | 30 days primary + 7 days backup
CPF Validation Logs    | 30 days                        | Transaction logs only, no CPF data
Website Contact Forms  | 2 years                        | Or until request is resolved
Marketing Preferences  | Until withdrawn                | Or until account closure
Account Information    | Duration of contract + 2 years | For customers with direct accounts

11.2 Salesforce-Hosted Data: Data stored in customer Salesforce orgs is subject to the customer’s own retention policies and Salesforce’s data retention terms.

11.3 Data Deletion: Upon expiration of the retention period, data is permanently deleted using secure deletion methods. Backup data is automatically purged according to the schedules above.

12. Cookies

12.1 Our website uses cookies to distinguish you from other users and provide a better browsing experience.

12.2 Types of Cookies: 

  • (a) Essential Cookies: Required for the operation of our website (e.g., session management)
  • (b) Analytics Cookies: Help us understand how visitors interact with our website (e.g., Google Analytics, Microsoft Clarity)
  • (c) Marketing Cookies: Used to deliver relevant advertisements (only with your consent)

12.3 Managing Cookies: You can control cookies through your browser settings. Blocking cookies may affect the functionality of our website.

12.4 Third-Party Analytics: We use Microsoft Clarity to capture behavioral metrics, heatmaps, and session replays to improve our website. For more information, visit the Microsoft Privacy Statement.

13. Amendments

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

13.2 We will notify you of significant changes by:

  • (a) Posting the updated policy on our website with a revised “Last Updated” date
  • (b) Sending an email notification to customers with direct accounts

13.3 We encourage you to review this policy periodically to stay informed about how we protect your data.

14. Data Protection Officer

14.1 We have appointed a Data Protection Officer (DPO) responsible for overseeing data protection matters.

14.2 Contact the DPO:

15. Contact Information

15.1 If you have any questions about this Privacy Policy or our data practices, please contact us:

Company: Soublox Tecnologia LTDA (trading as sign2.me)

CNPJ: 20.353.430/0001-02

Registered Address: 

Avenida Paulista 1636 Conj 5, Bela Vista, São Paulo SP

01310-200, Brazil

Email: 

Phone: +55 11 4118-6883

Website: https://sign2.me/

— End of Privacy Policy —