Last updated: 24 June 2026
This Data Processing Agreement ("DPA") is entered into between Sigil ("Processor") and the customer who has accepted the Sigil Terms of Service ("Controller"). It forms part of the agreement between the parties and applies wherever Sigil processes personal data on behalf of the Controller in connection with the Sigil phone verification service.
Terms used in this DPA have the meanings given in Regulation (EU) 2016/679 (GDPR) and, where applicable, the UK GDPR. "Personal data," "processing," "controller," "processor," "data subject," and "supervisory authority" each have the meaning given in the GDPR.
Sigil processes personal data submitted by the Controller via the Sigil API for the purpose of delivering one-time SMS verification codes to phone numbers provided by the Controller. Processing activities include:
The phone number is written to Cloudflare KV edge storage in two forms with limited TTLs: embedded in the OTP key for up to 5 minutes while the verification is active, and within the rejection token payload for up to 24 hours to allow the data subject to block the attempt. Both entries are deleted immediately on use or on expiry. The phone number is never written to the relational database (D1) and never appears in usage logs.
| Category | How it is handled |
|---|---|
| Phone number | Transmitted to SMS gateway. Written to Cloudflare KV edge storage for up to 24 hours (within the rejection token payload) and up to 5 minutes (within the OTP key). Deleted immediately on use or expiry. Never written to the relational database or usage logs. |
| SHA-256 hash of phone number | Stored in usage logs for billing and audit. Cannot be reversed to obtain the original number. |
| IP address of end user | Used for rate limiting only. Stored in Cloudflare KV with a TTL matching the relevant rate-limit window: 10 minutes for verification sends, 15 minutes for login attempts, 1 hour for account registration. Not written to a database. |
Processing takes place for the duration of the Controller's active Sigil account. On account deletion, all personal data linked to the account is permanently removed. Usage logs are anonymised (phone hashes replaced with "deleted") and retained for audit purposes.
Sigil processes personal data only on documented instructions from the Controller, as expressed through use of the Sigil API. Sigil will inform the Controller if it believes an instruction infringes applicable data protection law, unless prohibited from doing so by law.
Sigil ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Sigil implements appropriate technical and organisational measures to protect personal data, including:
Sigil uses the following sub-processors to deliver the service. The Controller hereby provides general authorisation for their use. Sigil will notify the Controller of any intended changes to sub-processors with reasonable notice.
| Sub-processor | Location | Purpose |
|---|---|---|
| Cloudflare, Inc. | USA (EU data processed on EU edge nodes) | Infrastructure, edge compute, KV storage, DDoS protection |
| Postmark (Wildbit LLC) | USA | Transactional email delivery (verification, alerts) |
| SMS gateway operator | Denmark | Delivery of SMS verification codes to phone numbers |
Each sub-processor is bound by data protection obligations no less protective than those in this DPA.
Where personal data is transferred outside the European Economic Area, Sigil ensures an adequate level of protection through standard contractual clauses, adequacy decisions, or other lawful mechanisms as required by GDPR Chapter V.
Sigil will assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, taking into account the nature of the processing. The Controller remains responsible for receiving and handling such requests. Sigil will promptly notify the Controller of any data subject request it receives directly.
Sigil will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting data processed under this DPA. Notification will include the information required by Article 33(3) GDPR to the extent available at the time.
Taking into account the nature of the processing and the information available, Sigil will assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation).
At the choice of the Controller, Sigil will delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires retention.
Sigil will make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller. The Controller agrees to give reasonable notice of any audit and to conduct it in a way that causes minimal disruption to Sigil's operations.
Each party's liability under this DPA is subject to the limitations set out in the Sigil Terms of Service. Nothing in this DPA limits a party's liability for damages caused by its own wilful misconduct.
This DPA is governed by the laws of Denmark. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the Danish courts.
Data protection enquiries: [email protected]