Terms
Last updated on 19 FEB 2024
Privacy Notice

Twala Privacy Notice

Your privacy is our top priority. 

We at Twala, process personal information for our business purposes, on behalf of our customers, and ultimately for you. This privacy notice details how Twala is processing personal information relating to customers and prospects, as well as how personal information is being processed within Twala’s services (including, but not limited to, Twalasign and TwalaID).

What is personal information?

The RA 10173 or the Data Privacy Act of 2012 defines personal information as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”. The individual, such as yourself, is referred to as a “data subject” and you may be identified (or are identifiable) via information like your name, your identification number but also via e.g. an IP-address, device information etc.

“Sensitive personal information” is by its nature, particularly sensitive for you. It requires specific protection to avoid significant risks to your fundamental rights and freedoms. This includes, among other things, personal information revealing racial or ethnic origin, political opinions, and religious or philosophical beliefs.

Data privacy law

As a Filipino company (Ohelio Inc.), Twala is governed by the laws of the Philippines, the Data Privacy Act of 2012 (RA 10173).

RA 10173 describes how organizations, such as Twala, must “process” (collect, handle and store) personal information. Rules on data privacy apply regardless of whether personal information is stored electronically, on paper or on other materials. Organizations that process your personal information are obliged to do that in accordance with strict regulations. An organization that determines the purposes of the processing is called a “personal information controller“, whereas an organization that the controller has engaged to assist in the processing is called a “personal information processor”.

 

Processing within Twala’s services

How does Twala process your personal information?

Twala offers its services through different business models, and the responsibility for the processing of personal information depends on which services we provide, how the services are provided, and to whom. 

Twalasign

Twalasign is a cloud-based software as a service solution (SaaS) for digital/electronic signatures of documents.

Twala’s responsibility for the different categories of data subjects that may take part in an electronic signature process within Twalasign (“Twalasign workflow”) is as described below:

(i) Twala Users: representatives of Twala customers with an individual admin or user account registered in Twalasign subject to a valid license agreement between Twala and the Twala customer.

Twala Users may initiate Twalasign workflows, receive invitations to take part in Twalasign workflows initiated by a third party, and retain their signed documents and templates in their cloud storage within Twalasign. 

Twala may contact Twala Users through Twalasign or through a representative, via phone or email in order to give updates on our products, services or concerning other account-related issues.

Twala is a processor on behalf of Twala’s customers. The legal basis for processing personal information of Twala Users is the necessity to provide the services under an agreement between Twala and the Twala customer.

(ii) Representatives of Twala resellers’ customers: representatives of Twala resellers’ customers with an individual admin or user account registered in Twalasign subject to a valid sub-license agreement with an authorized reseller of Twalasign.

Representatives of Twala resellers’ customers may initiate Twalasign workflows, receive invitations to take part in Twalasign workflows initiated by a third party, and retain their documents in their cloud storage within Twalasign.

Twala is a subprocessor of the Twala reseller who in turn processes personal information on behalf of their customer. Twala may contact representatives of Twala resellers’ customers through Twalasign or through a representative, via phone or email in order to give updates on our products, services or concerning other account-related issues.

The legal basis for processing Twala reseller customer representatives’ personal information is to provide the services under an agreement between Twala and the reseller.

(iii) Private account holders: individuals that have opted in for a limited, cost-free account in Twalasign.

Twala provides private account holders with cost-free accounts to let the private account holder try out Twalasign for free. In letting private account holders try out the Twalasign service, Twala hopes to be able to convert some of these private account holders into paying customers. If you are a private account holder, Twala may therefore contact you with offers and marketing. 

When a private account holder signs a document in Twalasign, this will be retained within that party’s own cloud storage within Twalasign.

Private account holders may only initiate Twalasign workflows through Twalasign subject to such restrictions for cost-free accounts as Twala maintains from time to time.

For private account holders, Twala acts as the controller of your contact details and as a processor of the personal information included in documents being signed in Twalasign. Twala reserves the right to terminate the account of an inactive private account holder. In case of such termination, Twala will provide due pre-warning to the email registered in the account and enable the private account holder to offboard the contents or their account prior to final deletion thereof.

The legal basis to process Twala Private account holders’ personal information is to provide the services under the Terms of Service that the private account holder agreed to before creating a Twala account.

(iv) External Twalasign users: individuals that have received an invitation message to review or sign a document made available through Twalasign, and that have no account of their own within Twalasign. (An external Twalasign user may opt in to become a private account holder in Twalasign.)

External Twalasign users only take part in a Twalasign workflow when so invited.

Twala remains a processor, or subprocessor, on behalf of the customer that initiated the specific electronic signature process.

The legal basis to process External Twalasign users’ personal information is to provide the services under an agreement between Twala and the controller.

Note that should Twala itself be the initiator of the Twalasign workflow, then Twala is the controller, in which case the legal basis is the necessity for the performance of a contract between Twala and the recipient of the Twalasign workflow.

Processing of personal information within Twalasign

When Twala acts as the processor (or subprocessor) on behalf of a customer using the Twala service, the customer is responsible for the processing of your personal information and the legal basis of processing.

If you have an individual account with Twalasign, Twala is processing the following personal information in relation to you:

  • name and email address (mandatory)
  • mobile phone number (optional)
  • ID number and other details for verified identity via e-KYC (Optional)
  • position with your employer (optional)
  • company details (name, address, organization number and country)
  • Business KYC - business name, email, contact number, address, officials etc.

This information is necessary for us to process for the purpose of the performance of the contract with you/the company you represent. Without this information, we will not be able to provide the Twala Service to you. We keep this information for the duration of our agreement with you/your employer and up to 100 days thereafter.

Regardless of what data subject category you belong to, Twala processes the following information regarding you:

  • your communication and behaviour in Twalasign, for example IP-addresses, digital timestamps, security settings, digital ID (private and public keys) and digital fingerprints that can strengthen the legal position of the parties to a document in a Twalasign workflow, typically disclosed in the audit trail;
  • your usage of the twala service (including user statistics such as the number of documents sent/signed by you);
  • your interactions with us, including emails and support tickets
  • This information is necessary for us to process the performance of the agreement with you/the company you represent and to provide you with support in relation to Twala services. We keep this information for as long as you/the company you represent retain your documents within the cloud storage of Twalasign. However, in an anonymized format, we also process some of your interactions with us to understand how you use the Twala service in order to improve the service for the benefit of all our customers.

For further details about information handling within Twalasign, please refer to the Twala Terms of Service.

Integrations to third-party service providers

Twala offers integrations to third-party systems, for the purposes of

  1. importing documents to sign in Twalasign,
  2. exporting documents from Twalasign that have already been signed, and
  3. auto-populating documents with information from external sources.

The use of integrations requires Twala’s customer to have its own contractual relationship with the third-party service provider. The importing of personal information from or exporting of personal information to a third-party service provider through an integration only takes place on behalf of Twala’s customers. Per default, no integrations are active.

Twala ID

Twala ID is a decentralized cloud-based software as a service solution (SaaS) used for the main purposes of performing and/or enabling access to various methods for identification and authentication of a person’s identity, verification of a person’s details such as name, email address, home address or age, and electronic and/or digital signatures.

How and for what purpose your personal information is being processed within Twala ID is determined by i) the relying party (i.e. Twala’s customer) and ii) each identity provider, respectively.

Example

A Twala customer is using Twala ID in order to provide secure login functionality to its services. The Twala customer has asked Twala to enable login with an identity provider such as Google or Microsoft or a government agency. If you choose to login with Google or Microsoft or a government agency, Twala, and Twala’s customer will all be processing your information in order to provide you with the login functionality.

Is my information secure with Twala?

Security is a core value of Twala. Ensuring the security of customer and company information is important as our customers, employees, and partners hold us in a position of trust with their confidential information. Twala applies the principles of Privacy by design and Privacy by default in developing, maintaining, and providing the Twalasign service, as well as in the handling of personal information for other purposes.

Twala takes all appropriate legal, technical, and organizational measures to ensure that your personal information is handled securely and with an adequate level of protection. This applies both internally, by means of Twala’s implemented information security management and data protection policies covering i.a. acceptable use, access control, operations, technology, applications, information management, business continuity and physical security and when transferring your personal information to or sharing information with selected third parties to provide our services. The rules and controls within these policies are considered the security baseline for information assets owned/controlled or otherwise processed by Twala. Such policy documentation may be provided upon request.

What security measures has Twala implemented?

Twala continuously educates staff on security. 2FA login, VPN, individual accounts, and activity logging are implemented as appropriate for employees with access to Twala’s infrastructure and for employees with customer support tasks in the system. Access to systems is given to employees on a need-to-have basis only and is governed by an approval process. Testing and production environments are separated, and data is never transferred between them.

For the actual servers, Twala has firewalls, anti-virus and encrypted communication where feasible and reasonable. All documents are individually encrypted with keys stored in a different geographical site from the documents and the key storage itself is also encrypted. The security of the system as a whole is regularly tested by means of penetration tests performed by a third party.

The data centers used by Twala have appropriate levels of security and are certified with ISO-27001, amongst other standards (Amazon Web Services).

Processing outside of Twala’s services

How does Twala process personal information outside of Twala’s services?

Twala acts as a personal information controller when we process personal information outside of Twala services, as described below:

Processing for invoicing and payment purposes

Twala processes the following information regarding you:

Information related to invoices, such as name, billing address and similar.

This information is necessary for us to process due to legal requirements, such as book-keeping/financial laws that Twala is subject to. This information is kept for as long as the law requires.

Processing for marketing purposes

Based on our legitimate interest in marketing our products and services, Twala seeks out new potential customers through various public and commercial sources such as LinkedIn and similar. Twala may also collect information directly from you from events, fairs or our website using cookies or forms based on your consent. The information that Twala collects for marketing purposes are:

  • Name, title, company affiliation
  • Email
  • Phone number
  • Number of employees
  • Industry
  • Turnover
  • Information collected through cookies (Cookie Declaration)

We keep such information for twenty four months unless you before that time become a customer, qualify as an opportunity or subscribe to information of Twala.

You can at any time ask us to stop processing your personal information for marketing purposes. To make such a request, please see our contact information at the end of this privacy notice.

Processing of information provided to us for recruitment purposes

Twala will process the information you provide to us for a job application, for recruitment purposes during the specific recruitment process and up to two years from the end of such recruitment process.

Twala will also process the information you send in any open applications via the links provided on our website for recruitment purposes in relation to any relevant positions for one year from the submission of your application. 

Both types of applications will be processed via a candidate profile which brings together the information you provided. Your candidate profile may be of interest for Twala in other recruitment processes, which means that if your candidate profile matches other vacant positions than the position you have applied for, we may contact you to see if you find interest in other recruitment processes.

The legal basis for processing information provided in both types of applications is your consent.

Processing for support purposes

Twala acts as either a controller or a processor when we process personal information for support purposes, as described below:

When you contact Twala for a support request as a non-customer, we process any information you provide to us as a controller, in order to assist you with your request or to refer you to the relevant department at Twala. We may contact you multiple times in relation to your request. The legal basis for such processing is your consent.

When you contact Twala for a support request as a Twala User or private account holder, we process any information you provide to us as a processor, in order to assist you with your request or to refer you to the relevant department at Twala. We may contact you multiple times in relation to your request. The legal basis for such processing is the agreement between Twala and you/the company you represent.

Third country transfers

Some of the service providers that Twala utilizes for marketing purposes keep their information located outside of the Philippines. When personal information is transferred to these service providers, Twala takes all appropriate legal, technical and organizational measures to ensure that the personal information is handled securely and with an adequate level of protection based on industry standards and best practices.

Sharing your personal information

Twala does not share your personal information except, in the following cases:

Others in Twalasign workflow

Irrespective of if you are a sender or receiver of a document in a Twalasign workflow, you and the other party/-ies invited to that workflow receives information on the other party/-ies taking part in that workflow. Such information is necessary for the execution of the workflow, to identify/authenticate the individuals taking part in accordance with the methods as configured in the Twalasign service by the sender, and to enable Twala to produce the evidence package (including an audit trail) that is attached to each document signed through Twalasign. Thus, such information typically includes names, emails, mobile phone numbers, title, company details, and IP-addresses. In addition, this may also include drawn signature (added by a party), evidence of ID authentication (including digital ID - public keys) when and as required for a stronger authentication.

Service providers

In order to be able to provide the Twala services or support services, conduct marketing or administer our finances, Twala employs several service providers, such as hosting partners and system providers.

These service providers may only process your personal information on behalf of us and in accordance with our agreement with them, and never for their own purposes. Twala ensures that all its service providers are bound by confidentiality terms and/or sign a non-confidentiality agreement (NDA) regarding information received from Twala. Twala enters into Data Protection Agreements (DPA) with all its service providers and conducts Privacy Impact Assessment (PIA) if the processing activity poses risk to the rights and freedoms of data subjects.

Use of cookies on the twala.io or twalasign.io website

A cookie is a small text file that a website saves on a user’s computer. The text file contains information the website may use when the visitor returns to the website. Twala.io or twalasign.io may use cookies to collect and use information from its visitors in the manners explained below.

On the public part of twala.io and twalasign.io domain Twala may gather:

  • Information about the visit (page views, time, IP, browser, referring URL etc.)
  • Information provided by the user in any of the website’s forms

Such information may be used by Twala:

For website statistics

To personalise the website when a visitor returns (e.g. language preference, customisations)

For marketing purposes (e.g. retargeting ads, email campaigns)

When you enter twala.io or twalasign.io website, you have the option to read our Cookie Declaration and adjust your cookie preferences.

How to further restrict/block use of cookies:

The first time you visited twala.io or twalasign.io, you were given the option to accept or reject non-necessary cookies. You are at any time able to update these settings by clicking on the link below. 

Data subject rights

What are your rights?

The Data Privacy Act provides you with certain rights with regards to your personal information. 

Thus, you may make a request to the controller for:

  • access; i.e. a confirmation as to whether or not your personal information are being processed and, when that is the case, the provision of certain information about the processing
  • rectification of personal information
  • erasure of personal information (“right to be forgotten”)
  • restriction of processing
  • information portability
  • object to processing
  • withdrawal of consent

This is called an data subject rights (DSR) request. The controller is obliged to respond to a DSR-request as soon as possible and no later than within 30 days.

If Twala is the controller of your personal information, the DSR-request to Twala should be made by email, addressed to our Data Protection Officer at dpo@twala.io.

Please note that in case you want to make a DSR-request, this must be directed to the controller and that Twala cannot accommodate such a request where Twala is the processor, or subprocessor.

In addition, you have the right to lodge a complaint to the National Privacy Commission (NPC), the government agency responsible for implementing the Data Privacy Act.

If you have a complaint about our use of your information, you can contact the National Privacy Commission via their website at https://privacy.gov.ph/ or write to them at:

National Privacy Commission
5th Floor Delegation Building, PICC Complex, Roxas Blvd. Pasay, Metro Manila
Email: complaints@privacy.gov.ph

If you have any questions regarding how Twala is processing your personal information, how functions within Twalasign can be used for different purposes in this regard, or would like to come in contact with our Data Privacy Officer, do not hesitate to contact us at privacy@twala.io.