Security and Data Processing in Pactly

This page explains how Pactly works with security, data processing, document protection and service providers.

Pactly is provided by:

1. Purpose

Pactly handles private agreements, signing data and personal data. Trust, privacy and security are therefore fundamental to the service.

Our goal is to make digital signing simple, safe and understandable for private individuals, while protecting documents and personal data through appropriate technical and organizational measures.

2. Data processed by Pactly

Pactly may process the following types of data:

1. documents uploaded or created in the service;
2. names, email addresses and phone numbers of senders and signers;
3. signing status and signing timestamps;
4. electronic identity confirmation from eID or signing providers;
5. technical logs related to security and documentation;
6. payment and receipt information;
7. information entered into the AI assistant;
8. support requests and administrative communication.

3. Security principles

Pactly's security work is based on the following principles:

1. data minimization;
2. access only when needed;
3. encrypted data transmission;
4. secure storage of documents and metadata;
5. logging of important security events;
6. use of established eID, payment and signing providers;
7. clear deletion routines;
8. regular assessment of risk and improvement of security measures.

4. Encryption and transmission

Data sent between the user's browser and Pactly should be transmitted over encrypted connections.

Documents and personal data should be stored in a way that reduces the risk of unauthorized access. Where technically and practically possible, encryption or equivalent security measures are used for stored documents and sensitive data.

5. Access control

Internal access to documents and personal data should be limited to people and providers who need access to deliver, secure or support the service.

Access may be granted, for example, for:

1. technical troubleshooting;
2. customer support after a user request;
3. security incidents;
4. legal requirements;
5. operation and maintenance of the service.

Pactly works to ensure that internal access is logged and limited to what is necessary.

6. Electronic identity and signing

Pactly may use external eID and signing providers to identify signers and complete electronic signing.

This may include Nordic and European eID solutions such as BankID, MitID, Swedish BankID, Finnish Trust Network or other providers, where available in the service.

Pactly does not normally store secret eID information such as passwords, one-time codes or BankID secrets. Such information is handled by the eID provider.

The type of electronic signature used, and its legal effect, may depend on the selected signing method, provider, country and document type.

7. Payment

Payment is handled by external payment providers.

Pactly does not normally store full card numbers or card security codes. Such data is processed by the payment provider.

Pactly may store payment status, amount, currency, VAT, receipt reference and other information necessary to document the purchase and comply with accounting requirements.

8. Document storage and deletion

By default, signed documents may be available for download for up to 90 days after signing is completed, unless another period is shown in the service or agreed.

After the availability period expires, the document may be deleted, anonymized or made unavailable.

Unsigned, cancelled or expired signing requests may be deleted earlier.

Backups may contain documents or metadata for a limited period after deletion from active systems, before they are overwritten or deleted according to ordinary routines.

The user is responsible for downloading and storing completed signed documents before the availability period expires.

9. AI and document content

If you use the AI assistant in Pactly, the text you enter may be processed to generate agreement suggestions.

We recommend that you do not enter sensitive personal data, national identity numbers, health data, payment card data, passwords, secrets or other information that is not necessary for the agreement.

Pactly does not use private documents for marketing. Pactly will not use private documents to train public AI models without express consent.

AI-generated content must always be reviewed by the user before it is used or signed.

10. Logs and signing evidence

Pactly may process technical logs to document the signing process, prevent misuse and secure the service.

This may include:

1. time of creation of the signing request;
2. time of sending the invitation;
3. time of opening, signing or rejection;
4. IP address or technical metadata;
5. selected signing method;
6. status for each signer;
7. document signing evidence or signature certificate.

Logs are not used for unnecessary monitoring, but for security, documentation, troubleshooting and misuse prevention.

11. Service providers

Pactly may use service providers to deliver the service.

Typical categories of service providers include:

1. cloud hosting and storage;
2. eID and signing providers;
3. payment providers;
4. email and SMS providers;
5. AI providers;
6. analytics and error reporting;
7. customer support;
8. security and monitoring;
9. accounting and administration.

Service providers should only receive access to data necessary to deliver their part of the service.

Where providers process personal data on behalf of Pactly, a data processing agreement or equivalent legal basis should be in place.

12. Controller and processor roles

For ordinary use of Pactly by private individuals, CMO Partners AS is normally the data controller for personal data processed to provide the service.

The sender is responsible for ensuring that personal data entered into documents or sent to other parties can be lawfully processed and shared.

If Pactly later offers business accounts, API access, team features or processing on behalf of business customers, CMO Partners AS may act as a data processor for certain processing activities. In such cases, a separate data processing agreement should be entered into.

13. Transfers outside the EEA

Pactly will, where practically possible, use providers with processing in Norway or the EEA.

Where personal data is transferred outside the EEA, the transfer will be carried out in accordance with applicable data protection rules, for example through the European Commission's Standard Contractual Clauses, an adequacy decision or another valid transfer mechanism.

14. Incident handling

If Pactly discovers a security incident, we will assess the risk, limit harm, investigate the cause and take necessary measures.

If an incident creates a risk to personal data, Pactly will notify affected individuals and/or the Norwegian Data Protection Authority where required by applicable law.

15. Availability and operation

Pactly works to provide stable operation, but no digital service can guarantee full availability at all times.

The service may be unavailable due to maintenance, technical errors, security incidents, errors from service providers or circumstances outside Pactly's control.

For planned maintenance that may materially affect users, Pactly will try to provide notice in an appropriate way.

16. User security responsibilities

As a user, you are responsible for:

1. checking that recipients' email addresses and phone numbers are correct;
2. protecting your email account, phone and eID;
3. not sharing signing links with unauthorized people;
4. not uploading illegal or unnecessarily sensitive documents;
5. downloading and storing signed documents before the availability period expires;
6. contacting Pactly if you suspect misuse or errors.

Pactly will never ask you to share your BankID password, one-time codes or secret eID information directly with Pactly.

17. Accessibility

Pactly works to make the service usable by as many people as possible.

We aim to follow relevant requirements and recommendations for accessibility of digital services, including WCAG principles for contrast, keyboard navigation, clear error messages, screen reader support and understandable forms.

If you experience accessibility issues, contact us at support@pactly.no.

18. Contact

If you have questions about security, privacy, legal matters or customer support, contact us: