
GDPR-compliant email signature management — what actually matters

February 18, 2026

Hosting location, DPA, mail-content storage, click tracking — the GDPR-relevant questions for central signature management, honestly explained.

Central email signature management routes employee data, recipient addresses and mail content through an external platform around the clock. That isn't trivial under data-protection law — even though the mail industry likes to suggest it is. Here are the five GDPR-relevant questions every data protection officer should put to a signature vendor.

1. Where is data processed?

The hosting location decides which supervisory authority is competent in a dispute and which legal basis is required for third-country transfers. With US vendors (or UK vendors since Brexit) you need standard contractual clauses plus a transfer impact assessment — the ECJ's Schrems II decision fundamentally changed the playing field.

Vendors based in Germany or at least the EU save you the transfer paperwork. Important: don't just ask about the company's headquarters, ask where the data centres physically are. Microsoft 365, for example, is often sold as "EU hosting" even though maintenance operations and logs regularly flow to the USA.

2. Is mail content stored?

Most signature vendors process mail in memory only; persisting it would make no sense anyway. Still, require it explicitly in the contract: mail content, subject and recipient addresses are not persisted. What does get persisted is the audit log: message-ID, tenant, rule, timestamp. That is borderline under data-protection law, because message-IDs allow correlation, but it is pragmatically necessary.

Ask the vendor about: maximum audit-log retention, deletion routines, who has access, and whether you as tenant admin can delete entries.

3. What does the DPA look like?

A data processing agreement (DPA) under Art. 28 GDPR is mandatory. No "later", no "covered by our T&Cs". Six points should be in there: nature and purpose of processing, type of personal data, categories of data subjects, technical and organisational measures (TOM appendix), subprocessor list with contact details, deletion / return obligation after contract end.

If a vendor takes more than three weeks to provide the DPA template, that's a red flag.

4. Who are the subprocessors?

Every cloud vendor has subprocessors. Pay particular attention to US cloud providers (AWS, GCP, Azure) for the Schrems II problem, monitoring/APM tools that often transmit performance metrics including personal details, and mail-delivery subprocessors that process recipient addresses.

5. What about click tracking in banners?

Concerns: IP storage on click (anonymisation by truncating the address to its /24 subnet is mandatory), cookies (consent is required and cannot be obtained from recipients, so tracking has to be cookieless), and conversion tracking on landing pages with Google Analytics (which only relocates the problem).
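As an added illustration of the truncation and cookieless requirements above (example code, not SignatureHub's own): the /24 rule for IPv4 comes from the post, while the /48 prefix for IPv6, the record layout and the sample event are assumptions.

```python
import ipaddress
from datetime import datetime, timezone
from typing import Optional


def anonymise_ip(raw: str) -> Optional[str]:
    """Truncate a client IP to a network prefix so the stored value no
    longer points at a single host.

    IPv4 keeps 24 bits (/24), as the post requires; IPv6 keeps 48 bits
    (/48), which is an assumption since the post only names the IPv4
    rule. The first hop of an X-Forwarded-For list is used. Returns the
    network in CIDR form, or None when the value is not an IP address.
    """
    first_hop = raw.split(",")[0].strip()
    try:
        addr = ipaddress.ip_address(first_hop)
    except ValueError:
        return None
    prefix = 24 if addr.version == 4 else 48
    # strict=False zeroes the host bits instead of rejecting them
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def record_click(event: dict, clicked_at: Optional[str] = None) -> dict:
    """Build the record persisted for a banner click.

    An allowlist keeps only banner, campaign, timestamp and truncated IP.
    Everything else in the inbound event (cookies, raw IP, recipient
    address, message-id) is dropped, so no consent is needed and the
    click cannot be joined back to the audit log.
    """
    return {
        "banner_id": event["banner_id"],
        "campaign": event.get("campaign"),
        "clicked_at": clicked_at
        or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "ip_prefix": anonymise_ip(event.get("ip", "")),
    }


if __name__ == "__main__":
    # constructed sample click as a tracking endpoint might receive it
    sample = {"banner_id": "spring-2026", "campaign": "newsletter",
              "ip": "203.0.113.45, 10.0.0.2",  # X-Forwarded-For chain
              "cookie": "sid=abc123", "recipient": "alice@example.org",
              "message_id": "<c0ffee@mail.example.org>"}
    print(record_click(sample))
```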

What's different at SignatureHub

We process 100% in Germany (Münster), persist no mail content, and only enable click tracking without cookies and with IP truncation. The DPA is provided as a PDF template, TOMs as an appendix. The subprocessor list is open in the Trust Center.

Bottom line

GDPR-compliant email signature management is achievable — but not automatic. These five questions help you separate the wheat from the chaff before you sign.