StubSign
Sign In
Acceptable Use PolicyCookie PolicyData ProcessingDisclaimerPrivacy PolicyTerms of Service

Data Processing

Effective date: April 8, 2026

1. Overview

This Data Processing addendum explains how StubSign Inc. handles personal data when you use our payroll documentation platform. This document supplements our Privacy Policy.

The Service is currently in beta. Our data processing practices may evolve as the platform matures.

2. Roles

  • You (Data Controller): You determine what data to enter into StubSign and direct us to process it for payroll documentation purposes.
  • StubSign (Data Processor): We process personal data only according to your instructions and solely for the purpose of providing the Service.

3. Data We Process

Data CategoryWhat We StoreWhat We Do NOT Store
Worker IdentityFirst name, last name, SSN/ITIN last 4 digitsFull SSN, full ITIN
Employment DataPay rate, pay type, filing status, department, job title, worker type (1099)-
Address DataStreet address, city, state, ZIP code-
Financial DisplayBank name, account last 4 digitsFull account numbers, routing numbers
Company DataBusiness name, EIN, state, address-
Verification DataVerification status (pass/fail), timestamp, masked identifiersFull TIN/SSN used for verification

Critical: No Full SSN/ITIN Storage

We never store full Social Security Numbers or Individual Taxpayer Identification Numbers. When IRS TIN matching is performed at your direction, identification numbers are transmitted directly to IRS-authorized systems for cross-checking and are not retained in our databases. Only the last four digits are stored for pay stub display.

4. Processing Activities

We process data exclusively for:

  • Pay stub generation: Creating PDF pay stubs and earning statements based on data you provide
  • IRS TIN/EIN matching: Cross-checking worker and business identity with IRS records at your direction, as a measure to help prevent fraudulent pay stub generation
  • Secretary of State verification: Confirming business registration status at your direction
  • Account management: Maintaining your user profile and preferences
  • Service improvement: Anonymized, aggregated analytics to improve performance and usability

5. Data Retention

  • Active accounts: Data is retained for the duration of your account
  • Deleted accounts: Personal data is deleted within 30 days of account deletion, except where retention is required by law
  • Pay stub records: Generated pay stub metadata and PDF records are retained as long as your account is active
  • Verification logs: Records of IRS and SOS verification requests are retained for audit and fraud prevention purposes
  • Analytics data: Aggregated, anonymized usage data may be retained indefinitely

6. Infrastructure and Sub-Processors

We rely on the following categories of third-party services to operate the platform:

CategoryPurpose
Cloud database and authenticationSecure data storage, user authentication, row-level access control
IRS-authorized verificationTIN/EIN matching for fraud prevention
Secretary of State APIsBusiness entity verification
Address servicesStreet address autocomplete and validation
Analytics and monitoringAggregated usage analytics and performance monitoring
PDF generationServer-side pay stub PDF rendering

All sub-processors are contractually bound to maintain appropriate security standards.

7. Security Measures

We implement the following technical and organizational measures:

  • Encryption in transit: TLS 1.2+ for all API and web traffic
  • Encryption at rest: All stored data is encrypted at the infrastructure level
  • Database-Level Access Controls: Strict database policies ensuring users can only query their own data - no cross-account access is possible
  • Explicit column selection: All database queries retrieve only required fields, preventing internal schema exposure
  • Authentication: Session-based authentication with secure token management
  • Minimal data collection: We collect only the data necessary to provide the Service - notably, we do not collect or store full SSN/ITIN numbers
  • Access controls: Role-based access limiting internal access to production data

8. Data Breach Notification

In the event of a data breach involving personal data, we will:

  • Notify affected users without undue delay, and no later than 72 hours after becoming aware of the breach
  • Provide details of the nature of the breach, the data affected, and the measures taken
  • Cooperate with relevant authorities as required

9. International Processing

Data is stored and processed in the United States. If you access the Service from outside the United States, you acknowledge that your data will be transferred to and processed in the US.

10. Contact

For data processing inquiries, contact privacy@stubsign.com.

For general support, contact support@stubsign.com.