Privacy Policy

At Penneo A/S (hereinafter “Penneo”, “we”, “us”, or “our”), we value your privacy and are committed to transparency about how we collect, use, and store your information. Penneo runs a public website as well as a SaaS platform and processes personal data through both the website and the Platform.

In the sections below you can read about the purpose of processing, the types of data processed, data retention if relevant, as well as the legal basis for processing for each of the different cases.

Penneo does not sell, trade, or otherwise attempt to monetise personal data that is processed through any of the processes mentioned in this privacy policy. Personal data is not processed in other ways than stated in this privacy policy.

If you do not agree with this privacy policy, please refrain from visiting our website and/or using our Platform.

Website visitor – penneo.com

Penneo operates the public website penneo.com for the purpose of sharing information about our organisation, products, values and a lot more. We use cookies to store website visitors’ preferences, keep our website operational, and gather analytical data about website visitors’ behavior. Penneo uses both functional and analytical cookies. Penneo will only set analytical cookies based on a website visitor’s consent. To read more about the cookies Penneo uses, see Penneo’s Cookie Policy.

Legal basis for cookies: Consent.

Job applicants

Penneo operates a career page which allows job applicants to submit one or more job applications. Penneo will process the personal data submitted by the job applicant for the purpose of evaluating the job applicant for a given position in Penneo.

Legal basis: Consent. Penneo will automatically delete job applications after 6 months unless the job applicant revokes consent earlier. To read more on data processing during recruitment, see Penneo’s recruitment privacy policy, which is shared during the application process.

Technical Support

Penneo offers technical support to anyone using its Platform(s). Requests for technical support can be submitted via Penneo’s request form. The types of data needed in a request are the name and email address of the requestor. Penneo will also process any further personal data that the requestor chooses to submit in the request form.

Penneo recommends that requestors not submit personal data other than the name and email address, and especially no personal data of a sensitive character (Art. 9 GDPR). Penneo will make best efforts to delete and/or redact any personal data not required for the processing of the request.

Legal basis: Fulfillment of contract. Penneo will automatically delete support requests after 2 years.

Newsletter

Penneo offers a free newsletter that anyone can sign up to. Penneo only sends out the newsletter to people who have actively subscribed to the newsletter. Subscribers can at any time opt out from receiving any more newsletters. Unsubscribing from the newsletter is done via the “unsubscribe” link in the newsletter. The types of data processed from subscribers are the name, company, email address and country.

Legal basis: Consent. Penneo will delete subscribers without undue delay after receiving a request to unsubscribe.

Contact information

Penneo processes contact information from customers, integration partners, webinar participants as well as potential customers. Contact information is processed for the purpose of sharing relevant information about an active subscription, product offers and/or platform(s) features. The types of data processed are the name, title, company and country.

Legal basis: Legitimate interest. Penneo will delete or update contact information without undue delay after receiving a request to do so.

Whistleblower

Penneo complies with the EU’s whistleblowing directive (Directive (EU) 2019/1937), as implemented in Denmark in Lov om beskyttelse af whistleblowere, no. 1436. As a result, any person can report a relevant matter via Penneo’s whistleblowing reporting scheme. Reports can be submitted either anonymously or with contact details (name and email address). Submitted reports will be treated with utmost care and confidentiality and in compliance with applicable law. To read more, see Whistleblower Policy.

Legal basis: Legal obligation. Penneo will not store reports for longer than necessary in order to comply with the applicable laws. 

Secure processing of data outside Penneo’s Platform(s)

Penneo ensures that any personal data processed in any of the above cases is securely processed and stored. Penneo has both technical and organisational measures in place. Penneo applies the least privilege and need to know principles, which means only relevant Penneo employees will have access to any given information. Penneo ensures 2FA is activated on all systems that store any of the data, as described above, to prevent unauthorized access. Furthermore, Penneo only uses applications to store and process data that can continuously demonstrate adherence to best practices through relevant compliance documentation, e.g. ISO 27001 certification, SOC 2 reports or similar.

Penneo’s Platform(s)

Penneo processes personal data in the Penneo Sign Platform and/or Penneo KYC Platform.

Penneo enters into an Agreement with all its customers prior to offering the Platform(s) (hereinafter referred to as the “Customer”). The Agreement includes a data processing agreement that covers the use of the Platform(s) by the Customer and its employees. The Data Processing Agreement can be found here: https://penneo.com/terms/. The legal basis for processing data in the Platform(s) is the fulfillment of contractual obligation.

Types of users

  • Penneo Sign users: Users whose accounts are managed by a Penneo customer and can create, modify and delete documents and signing requests in Penneo Sign.
  • Penneo Sign end-users: An end-user in Penneo Sign can be a recipient of a signing request and/or recipient of a signed document. Penneo processes personal data of an end-user on the basis of the End-User License Agreement.
  • Penneo KYC users: Users in Penneo KYC that can create, update and archive clients and client assessment information.
  • Penneo KYC clients: Clients that a Penneo user is performing a know your customer client assessment on.

Types of personal data based on user type

  • Penneo Sign users and end-users: Name, email address, IP address
  • Penneo Sign users and end-users – optional depending on the signing method selected: Job title, phone number, electronic ID information, national identification number
  • Penneo KYC user: Name, job title, email address, phone number, profile picture
  • Penneo KYC client – the types of data processed will depend on the information needed for the risk assessment: contact information (e.g. email address and phone number), job title, identification data (e.g. full name, date and place of birth, nationality, residential address), identification documents (e.g. copies of national ID, passport, driver’s licence and similar), electronic ID information, PEP status and family relations.

Data Controller and Processor

The Customer assumes the role of data controller. Penneo assumes the role of data processor.

Exception in the Penneo Sign archive: Penneo will assume the role of data controller in the cases where end-users have chosen to store signed documents in a personal archive.

Documents in Penneo Sign

Penneo does not have access to the content of documents sent for signing, as they are encrypted and remain inaccessible to Penneo.

Client documents and data in Penneo KYC

Client documents and sensitive data are end-to-end encrypted and therefore inaccessible to Penneo.

Duration of processing – Customers

Penneo will store Customer’s information either until the Customer deletes the data or until the end of the Agreement between Penneo and the Customer. Penneo will delete Customer’s data 90 days after the expiration of an Agreement with the Customer.

Duration of processing – End-users in Penneo Sign

End-users who have chosen to store their documents in a Penneo Sign archive can request to have their archive and all documents stored therein deleted. A deletion request should be sent to Penneo’s Support team.

Platform Security Measures

Penneo operates an Information Security and Privacy Management System to ensure the confidentiality and integrity of the processed data, as well as ensuring the availability and resilience of the Platform(s). Penneo determines the technical and organisational security measures required to establish the necessary level of information security. In any event, and as a minimum, Penneo ensures that the following security measures have been implemented:

C.1. Governance & Risk Management

Penneo’s information security and privacy policy has been approved by the management and is reviewed at least once a year. Penneo has also established a risk management procedure for identifying, assessing and addressing relevant risks. Both internal and external threats and vulnerabilities are considered in relation to the data processed and stored in Penneo’s Platform(s) on behalf of customers. Penneo has internal communication and reporting channels to ensure that executive management and the Board of Directors can take informed decisions.

C.2. External audit

Penneo engages an external auditor to conduct regular audits of Penneo’s Information Security and Privacy Management System, following best practices in accordance with ISO 27001 and ISO 27701 standards. 

C.3. Access rights and confidentiality

Penneo has implemented a formal Access Management policy ensuring that access rights to the Platform(s) as well as internal systems follow the “least privilege” and “need to know” principles. Penneo has implemented access management in Penneo’s joiner, mover, leaver processes and uses two factor authentication and single sign-on to further protect access to the systems used within the organisation.

Access to Penneo’s Platform(s) production environments is further restricted by additional technical measures, such as two factor authentication, VPN and role-based access, and unique user accounts. Access rights are reviewed at least annually. Penneo’s laptops are protected using passwords, screen lock policy and have enabled hard disk encryption.

C.4. Awareness and training

All new employees at Penneo must complete compliance awareness training covering information security and privacy practices and principles. In addition, all employees must complete an awareness training annually. Penneo provides role-specific training for employees, focusing on areas such as engineering best practices, information security, and privacy.

C.5. Secure development and operations

Penneo has implemented a formal Software Development Life Cycle policy to ensure secure development. This includes defined measures such as forced peer review on code changes in production. Logically separated environments and micro-segmentation ensure that development and testing occur in non-production environments. This also ensures that components and data processed in production are protected. Customer’s data processed in the Platform(s) is stored in data centers in the EU.

C.6. Business continuity and disaster recovery

Penneo takes daily backups of storage and databases as part of its business continuity planning. Penneo has a disaster recovery plan, tested at least annually, ensuring that Penneo is ready to restore the Platform(s) and the Customer’s data in case of a disaster scenario. Post-test analysis is carried out to ensure continuous improvement of the business continuity management and disaster recovery plan.

C.7. Cryptography

The Customer’s data processed in the Platform(s) is encrypted in transit using TLS 1.2 or higher and at rest. Penneo ensures that employee laptops have hard disk encryption enabled.

C.8. Vendor management

Penneo has a Vendor Management policy to ensure that only trusted and reliable vendors are used to support Penneo’s organisation and Platform(s). Penneo performs an information security and privacy review of all vendors. Penneo also monitors the compliance of sub-processors authorised to process Customer’s data in the Platform(s). At least once a year, Penneo will request and review relevant compliance documentation from the sub-processors.

C.9. Vulnerability management

Penneo monitors vulnerabilities at technical, legal and compliance level. Penneo’s Legal and Compliance team continually assesses the privacy and information security landscape to ensure ongoing organisational compliance, including adherence to regulations such as the GDPR. Penneo’s Product and Engineering team monitors the landscape for technical vulnerabilities to ensure any relevant vulnerabilities are addressed in a timely and appropriate manner. Penneo also engages external security penetration testers, at least annually, to test for vulnerabilities in the Platform(s).

What are your rights as a data subject?

As a data subject, you have a range of rights under the General Data Protection Regulation (GDPR) to ensure transparency and control over your personal data. All data requests shall be made to the Data Controller directly. These rights include:

  • The right to access your data, 
  • The right to rectification if any of your personal data is inaccurate or incomplete, 
  • The right to erasure, 
  • The right to restrict processing, 
  • The right to data portability, when technically feasible, 
  • The right to object, 
  • The right to withdraw consent, 
  • The right to lodge a complaint.

You may exercise these rights directly with Penneo, when acting as data controller, in the following cases:

  • Website visitor 
  • Job applicant
  • Technical Support requestor
  • Contact information owner
  • Newsletter receiver
  • Whistleblower reporter
  • Penneo Sign archive user

All other requests relating to the Platform(s) shall be made directly to the Penneo Customer, acting as the data controller. 

We may update this Privacy Policy. Any changes will be posted on this page with an updated effective date. If you have any questions about this Privacy Policy or processing of personal data, please contact our DPO Christel Høst at compliance@penneo.com

Version 1.4 2025-03-18
