Verified purchaser
NON GDPR Compliant
I really liked the idea of signifyapp, the UI, processes and pricing from the start.
If you process signatures, especially for EU customers, you have to comply with the unfortunately very stringent EU GDPR laws. However, it gets complicated: if you process this personal information through an external provider like signifyapp, in order to remain compliant with obligations under the EU General Data Protection Regulation (GDPR), one requires a formal Data Processing Agreement (DPA) as mandated by Article 28 GDPR.
I was lured to believe by the extensive GDPR statement on their policy page, that more would follow in the account menu, once we got our premium account. Most providers offer legal DPAs for premium users downloadable from their account menu.
Unfortunately this is not the case with signifyapp. I am aware that Signify publishes a Privacy Policy and a list of sub-processors on their website. While this information is helpful for transparency purposes, a Privacy Policy is not a substitute for a DPA.
Here's why:
A Privacy Policy describes how Signify collects and uses data as a data controller (your relationship with your own users). A Data Processing Agreement governs the relationship between Signify as a data processor and our company/freelancer as the data controller — specifically when Signify processes personal data on our behalf (e.g., our clients' names, email addresses, and signatures). Under Article 28 GDPR, a DPA must include specific provisions such as:
The subject matter and duration of processing
The nature and purpose of processing
The type of personal data and categories of data subjects
The controller's rights and obligations
Signify's obligations regarding security measures, sub-processor approval, audit rights, and data deletion
Since Signifyapp operates outside the EU (Georgia), it is not self-evident whether compliance is a given or not. We even contacted the regulatory body responsible for our region, which basically confirmed our verdict.
Therefore, on some occasions where a standard DPA is not available, it is possible to ask a provider if they would be willing to enter into a DPA based on the EU Standard Contractual Clauses or a mutually agreed template.
We did exactly that, tried to contact signifyapp through their support email address multiple times (since they don't have a hotline), and asked them exactly that. However, Signifyapp did not answer our requests by email. Eventually an external WhatsApp Support employee added us, to our surprise, and forwarded our request, just to tell us that the Privacy Policy should suffice! Well, that is unfortunately not the case. And by then we could not request a refund (we missed that timeline) for the tier3 premium account.
Conclusion: If you are processing e-signatures and personal data from EU customers, then unfortunately signifyapp is not yet compliant, although it might seem that way from their privacy policy page. That statement does not suffice for the processing purposes.
Zviad
Feb 24, 2026
Dear user,
This is Zviad, co-founder and CEO of Signify. My team just forwarded this review to me and I'm very sad to read it. I believe that we've got a communication issue here.
Yes, we do have a DPA published on the same page as the Privacy Policy; it's an independent document, just published on the same URL.
Yes, we're currently updating the entire Terms of use, Privacy and DPA, to make them more specific and tailored to the EU market. It may take a few weeks.
And yes, before that happens, we do offer direct DPAs to our customers. We can even mutually sign it.
Once again, I'm very sorry for the experience you had.
I'll drop you an email tomorrow and I'm sure we will 100% solve your issue.
This is the first 1-taco review we have