This privacy policy defines the information collection and use practices which TwoKeyOk (as data controller) implements to ensure the security of its clients’ data. This policy applies to all TwoKeyOk websites and apps, including the desktop site, mobile site, Android/iOS mobile apps and connectors for third-party business apps. Consent to this privacy policy is obtained when you create your account in TwoKeyOk and also when you complete website forms on www.TwoKeyOk.com. It is important that you read this privacy policy. In case of any confusion, you may also contact us. If you do not agree with this privacy policy, then you should either not register with TwoKeyOk and not complete any website forms on www.TwoKeyOk.com or, if you are already using TwoKeyOk, remove your account as described in this privacy policy (see the Account Deletion section below).
  • User Rights
  • Information we collect, how it is collected and purpose
  • Information storage and security
  • Information sharing
  • Cookies and Analytics
  • Accessing your information
  • Email and Direct Marketing Choices
  • Data Retention
  • Account Deletion, Restrict Processing
  • Data Portability
  • Children’s Privacy
  • Changes to this Privacy Policy
  • Contact us, need more info or complaints

User Rights



  • Right to Information

    This Privacy Policy explains how TwoKeyOk processes, stores, and shares your personal information. You will be notified of any changes to this Privacy Policy. If any information regarding your service plan or settings is changed, we will notify you accordingly.

  • Right to Access

    You can access all your account information from the TwoKeyOk portal. Any information shared with service providers (processors) will be kept secure and will only be used as outlined in this Privacy Policy. If you wish to obtain further information, you can contact us—see the "Contact Us" section below.

  • Right to Rectification

    You can modify any information from the TwoKeyOk portal. Some information cannot be corrected as stated in this Privacy Policy.

  • Right to Deletion

    You can request us to remove your account. Details are mentioned in "Account Deletion."

  • Right to Restrict Processing

    You can request us to restrict the processing of your account. See "Account Deletion, Restrict Processing."

  • Right to Data Portability

    You can request your data in a portable format. See the "Data Portability" section.

  • Right to Object

    See the "Need More Information or Complaints" section.

  • Rights Related to Automated Decisions Including Profiling

    We do not carry out automated decision-making or profiling.

Information We Collect, How It Is Collected, and Purpose

To provide you with document approval and sign-off services, TwoKeyOk requires certain personally identifiable information. This information is collected at registration and sometimes later. At all times, you can view and update your information via your TwoKeyOk account. Some information is mandatory, while other information is optional.

1. Personal Information Collected

1.1. Name (Mandatory)

  • Purpose: Used in notification emails to identify you to document recipients.
  • Marketing: Used for informing you about updates, blogs, newsletters, and more.
  • Digital Certificate: Your name is registered as the "Common Name" within your digital certificate.
  • Opt-out: You can unsubscribe from marketing emails.

1.2. Email (Mandatory)

  • Purpose: Serves as your unique account ID for login.
  • Security: Used for sending email notifications to recipients.
  • Opt-out: You can unsubscribe from marketing emails.

1.3. Phone (Optional)

  • Purpose: Required for OTP-based authentication during login or signing.
  • Marketing: Used to contact you regarding quotations or demo requests.
  • Opt-out: You can unsubscribe from marketing emails.

1.4. Job Title (Optional)

  • Purpose: Helps us provide tailored service (business or technical info).
  • Opt-out: You can unsubscribe from marketing emails.

1.5. Company Name (Optional)

  • Purpose: Used for enterprise-based plans and to support you better.
  • Opt-out: You can unsubscribe from marketing emails.

2. Account and Security Information

2.1. Security Question / Answer (Mandatory)

  • Purpose: Helps you reset your password in case you forget it.

2.2. Password / Confirm Password (Mandatory)

  • Purpose: Allows authentication before accessing your account.
  • Security: Your password is stored in a one-way encrypted form for security.

3. Optional Personalization and Delegation

3.1. Profile Picture

  • Purpose: Displays in email notifications to improve user experience.
  • Note: Not mandatory and can be any image, not necessarily a photo.

3.2. Delegate Signing

  • Purpose: Allows you to delegate signing actions to another contact for a set period.

4. Documents and Data Management

4.1. Documents

  • Purpose: Upload, manage, and process documents for signing, approval, or editing.
  • Security: Documents are encrypted with AES-256 encryption.
  • Cloud Storage: Documents can be uploaded to your configured cloud storage (e.g., Google Drive, OneDrive).
  • Data Retention: Documents unused for 90 days will be deleted automatically.

4.2. Billing Info

  • Purpose: Required for processing payments for your service plan.
  • Payment Gateway: We use PCI/DSS compliant providers for payment processing.
  • Tax Information: VAT is calculated using Taxamo.

5. Miscellaneous Data

  • Contacts you share documents with (Name, Email).
  • Signature images, company logo, and initials images for documents.
  • Document metadata: reason for signing, location, comments, etc.
  • Mobile Device ID used for secure remote signing.
  • Group names for sharing documents (e.g., Sales, Marketing).
  • Digital certificates used for authentication via smartcards or USB tokens.
  • Email content customization for document notifications.
  • Form field data entered into documents (text fields, checkboxes, etc.).

6. Authentication Services

TwoKeyOk supports various authentication services, where we retrieve user data for enhanced security and login processes:

  • External Authentication Providers: Salesforce, Google, Microsoft Office 365, LinkedIn, etc.
  • Social Login: Login with social accounts like Google, LinkedIn, etc., where we retrieve email and other details based on permissions.

SharePoint / Dynamics CRM / Salesforce:

  • Documents can be pushed to TwoKeyOk and the updated documents can be sent back.
  • Your contacts' or users' information (name, email) can be pushed to TwoKeyOk as contacts. This also applies to the TwoKeyOk for Word app.
  • The following personal information can be viewed from inside the apps: Document owner email, next signer name.

Dynamics CRM / Salesforce:

Security Keys:

TwoKeyOk can use Basic Electronic Signatures, Advanced Electronic Signatures and/or Qualified Electronic Signatures – the choice will depend on your configured service plan. When using advanced and qualified signatures, each user has their own digital signature key and X.509 certificate. These can be stored locally by you on a smartcard/USB token (local signing) or securely by TwoKeyOk, e.g. in an HSM. When held remotely by TwoKeyOk, your access to your signing key is controlled through a secure Signature Activation Protocol (SAP) using your registered mobile device.

Contact Us Form:

You can contact us for sales, support, partnership requests, or general feedback. In the contact us form, you need to provide basic mandatory information such as your Name, Email, Job Title, Company Name, and how you came to know about the TwoKeyOk service. Optionally, you can also provide your Phone details and any specific project requirements or systems used, which will help us respond to you in the most efficient way. If submitted, this information is also shared with our marketing and CRM platforms to enable our sales team to contact you accordingly and deal with your request. You can opt-out of our marketing emails by using the unsubscribe link.

Following is the list of information gathered automatically by TwoKeyOk:

IP Address (system identified):

This is identified automatically (when your browser communicates with our cloud servers). TwoKeyOk later processes the IP address to detect whether the user's physical location has changed and, if so, prompts the user to automatically switch the country and time zone information. Changing the time zone lets our users view the dates shown inside the product in their own time zone, avoiding any confusion. The IP address may also be used by our billing system to identify your country so that you can enter your VAT information.

User Agent (system identified):

This information identifies the user's browser details, i.e., browser vendor, version, and layout engine used. This also helps us determine whether the user is using a desktop PC or a mobile device. This is useful meta-information about the signing process for audit purposes.

Usage Data:

Information related to the ways in which you interacted with our services, such as: referring and exit pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed, the amount of time spent on particular pages, the date and time you used the services, the frequency of your use of the services, and other similar information.

Transactional Data:

This includes Activity logs, Workflow history, and Workflow evidence report. The activity log contains user-initiated activities like login/logout, profile updates, settings changes, etc. Workflow history contains activities performed on a document. The workflow evidence report provides a detailed auditable report in PDF (digitally signed) on the activities performed on a document.

Country / Location:

This is used at the time of signing and set inside the signature if a specific signature appearance was selected that shows country information. This helps the recipients know from which location the user has signed the document.

Logs:

TwoKeyOk generates server-side logs which help administrators review any usage issues. Logs are kept for 30 days. Mobile app logs are also kept for 30 days.

Note:

Workflow users' Name, Email, Mobile Phone Number, User Agent, IP Address are also retained in the workflow evidence PDF report information which is then visible to the document owner. If the OTP option is not used, then the signer’s Mobile Phone Number is not recorded in the audit logs. The same information is also recorded in the workflow history XML data.

Information Storage and Security:

All of your personal data is stored in our database and system logs in a secure manner within the Microsoft Azure data centers running in the EU region. Backup of your data is also done within the EU region. All of your information is transferred from your machine to our servers over TLS, providing end-to-end confidentiality and data integrity protection, ensuring the information you send to us is not intercepted by anyone in transit and arrives at the server accurately. This is also true for any personal data moving from our servers to any third-party service providers. We use modern and secure versions of TLS; SSL v2 and v3 are blocked. All user documents are encrypted with AES 256-bit encryption before being stored in the TwoKeyOk database.

Information Sharing:

We do not sell your information to anyone. We do not share your information with anyone other than the third parties as described in this section of the Privacy Policy. Sharing can be of a different nature; you can share your information yourself, information can be shared with your enterprise administrator, or we share your information with service providers as part of providing you a complete service. To be clear, when we share, the only purpose of sharing information is to assist you in performing the activities, giving you the best user experience, and fulfilling your document signing needs.

Sharing with Other Users:

As part of your business requirements to have documents signed, you can share documents with other users as you desire.

Sharing with Service Providers:

We work with various service provider companies that help us run TwoKeyOk as an effective business service. These companies provide services such as processing card payments, sending marketing emails on our behalf, and sending SMS with OTP codes.

Further details about the service providers:

  • HubSpot and Salesforce: Information is sent to our marketing platform (HubSpot) and CRM platform (Salesforce) to allow us to communicate with you more effectively regarding our products and services updates.
  • Maxmind: IP addresses are sent to Maxmind for IP-to-country conversion.
  • Microsoft OneDrive, Google Drive, Dropbox: User-held documents can be pulled and pushed back to these cloud drives.
  • Microsoft Azure: User data and documents are stored using Azure data centers in the EU region.
  • Google Crashlytics: Provides debugging of mobile app issues.
  • Worldpay, Stripe: Some of the user information is sent to our trusted e-commerce gateways for payment processing.
  • Taxamo: Provides reliable VAT calculation based on the user's source.
  • SendGrid: Provides reliable email routing functionality.

For more details on the privacy capability of these services, especially concerning GDPR, see the following links:

Accessing Your Information

We provide you with the ability to access and modify all of your account information, including your profile information, documents, activity logs, workflow history, evidence reports, notifications, billing information, and settings. You cannot change information that is automatically created by the system, such as notifications, activity logs, workflow history, evidence reports, or actions on documents performed by users with whom the document is shared, or settings that your Enterprise admin has set for you, as these are centrally governed. Contact your Enterprise admin if you want changes to the information controlled by the Enterprise, such as Enterprise Templates, Enterprise Library, Enterprise Contacts, Roles, etc.

If you are unable to modify any information, please contact us using the contact details below. We will review and respond within 3 working days on how to modify any inaccurate or incomplete information as per the laws. Note that your user ID (email) cannot be changed once an account is created, as this is your unique link to your account. If you wish to change this, you will need to create a new account with a different email address. You can then move your documents and configure the settings accordingly. Once done, you can contact us to delete the previous account.

Email and Direct Marketing Choices

We provide opt-out information in all marketing email messages we send via an “unsubscribe” link at the bottom of the emails. Once initiated, the opt-out may take a day to take effect. You do not have the ability to opt out of certain transactional messages related to the document signing service (e.g., signing notifications or account notifications) that the TwoKeyOk system will send if you are a registered user of our services or if you have engaged in transactions with us. If you also want to opt out of these transactional messages, the only way is to stop using the TwoKeyOk system.

Data Retention

TwoKeyOk will retain system transaction logs for 90 days to enable reporting on Enterprise, Operator, User, and Document related activities. All log records older than 90 days will be moved out of the TwoKeyOk system to archive storage. Information in archive storage older than 12 months will be permanently deleted. Users have the right at any time to request that their account and associated data be deleted. Even after account deletion, we may keep certain information, including name and email, which is required by other users of the system while viewing documents that you may have shared with them in the past or that others have shared with you. We may keep some information in the system logs which is automatically cleared in 30 days. If you were a paid customer, then relevant information will be kept for accounting purposes. Document deletion only occurs within the TwoKeyOk system and does not affect any information stored in your own cloud drive(s). Documents that you have shared with other TwoKeyOk users or business applications via APIs or connectors such as TwoKeyOk for SharePoint/Salesforce/Dynamics CRM, etc. will not be deleted automatically. Any TwoKeyOk apps you have installed on your mobile device or within business applications must be deleted manually when no longer required.

Account Deletion, Restrict Processing

Any account deletion requests will be processed within 7 days. As per your request, we will delete all of your account information including your billing, documents, and activity logs. You will no longer receive any marketing or commercial emails. Any requests to restrict processing will be processed within 3 days. For account deletion or restricting the processing of your information, a formal request is required from you. You must send an email from the same email account that is configured in TwoKeyOk; in the future (when supported), you may also be able to perform this task from the TwoKeyOk portal. You will be informed once your data is deleted.

Data Portability

If you need a copy of your personal information in a machine-readable format, then you must send an email using the email account which is configured in TwoKeyOk. We will process your request in 14 days and return the information in CSV format where possible. Certain data may still be in other formats, e.g., XML.

Protection Guarantees

We employ physical, logical, and administrative measures to help prevent unauthorized access to your information. Each measure is applied based on the nature and sensitivity of the information. As a responsible entity, we work on all the possible areas that could impact user privacy. We closely monitor the GDPR standard and ensure our products and services abide by all the rules it sets out. Having said that, we cannot 100% guarantee that the information we collect or store will be protected from all unauthorized access, or from being used in a manner that is inconsistent with this privacy policy.

In case we find a breach that impacts your personal data, we will investigate and inform you within 72 hours of us becoming aware of it. We will inform you about the issue and the details via your email.

Children's Privacy

We only provide service to you if you are at least 18 years of age (or, as applicable, the age of majority in the state or province in which you reside) and you possess the legal right and ability to enter into this Agreement.

Changes to this Privacy Policy

We reserve the right to amend this privacy policy as we add more features and to comply with laws or to provide better user protection. Please check this page regularly for any new changes. If we make any changes to this policy, we will post the changes here and will notify you by email once the changes take effect. Please review changes carefully. If you continue to use our service after receiving the email regarding the changes to this privacy policy, it will mean you consent to those changes.

Contact Us, Need More Info or Complaints

If you have any queries, suggestions regarding our privacy policy, or complaints, you may contact us at [email protected]. We aim to respond to your complaints within 7 working days. You also have the right to lodge a complaint with a supervisory authority. You can also contact us by writing to: Surrey Research Park, 40 Occam Road, Guildford, GU2 7YG, United Kingdom. In case you want to be in touch with our Data Protection Officer, you can write to [email protected].