#gdpr
UK GDPR — the retained version of the EU GDPR, now supplemented by the Data (Use and Access) Act 2025 — governs how organisations process personal data. Email signature management tools that route outbound email through third-party cloud infrastructure are data processors under Article 28, requiring a written Data Processing Agreement. Understanding which architectural model your signature tool uses determines what your compliance obligations are.
- WiseStamp Alternatives for Business Teams: What to Consider in 2026
  WiseStamp's browser-extension model is increasingly blocked by IT departments, and its product focus has narrowed since the vCita acquisition. Here's what business teams need instead.
- Email Signature Tools and GDPR: Server-Side vs Add-In Architecture Explained
  What data each email signature architecture processes, what a compliant DPA must cover, and what ‘emails never leave Microsoft infrastructure’ means.
- Email Signature Tools and GDPR: What Your DPO Needs to Know (2026)
  Email signature tools often route outbound email through third-party servers. Here's what UK GDPR Article 28 requires and what your DPA must cover.
- Does Your Email Signature Tool Route Your Emails Through Third-Party Servers? (A GDPR Question Worth Asking)
  Many email signature tools route your emails through their own servers. Under UK GDPR that makes them a data processor. Here's what to ask.
- Exclaimer Alternatives: An Honest Comparison for Microsoft 365 Teams (2026)
  Looking for Exclaimer alternatives? Compare CodeTwo, Letsignit, Rocketseed and WiseStamp - honest assessment of pricing, deployment models and who each tool suits.
- Email Signature Software Pricing: Every Major Tool Compared (2026)
  Email signature management software costs $0.81–$3.50 per user per month. Compare Exclaimer, CodeTwo, Letsignit, WiseStamp and Rocketseed on pricing.
- Email Signature Management for Microsoft 365: Server-Side vs Add-In — What's the Difference?
  Server-side and add-in email signature tools differ significantly on GDPR, mobile support, and the compose experience. What IT admins need to know.
- Centralised Email Signatures in Microsoft 365: The Complete Guide (2026)
  Everything IT admins need to know about centralised email signatures in Microsoft 365 — native options, their limits, and how third-party tools compare.
- How to Manage Email Signatures Across a Company: What IT Admins Actually Need to Know
  Standardising company email signatures? This guide maps deployment options, technical tradeoffs, and questions to ask before choosing a tool.
Further reading
- UK GDPR guidance for organisations — ICO
  The Information Commissioner's Office hub for UK GDPR guidance, including controller and processor obligations.
- UK GDPR Article 28 — legislation.gov.uk
  The full statutory text of Article 28, setting out the requirements for contracts between controllers and processors.
Frequently asked questions
Does my email signature tool need to be listed as a data processor under UK GDPR?
If your email signature tool processes the personal data contained in your employees' outbound email — names, contact details, recipient addresses, email body content — then yes, the vendor is a data processor under UK GDPR Article 28. You must have a Data Processing Agreement in place and list them in your records of processing activities. Whether a tool processes this data depends on its architecture: server-side tools route email through the vendor's infrastructure and do process it; add-in tools that inject signatures at compose time may not.
What does UK GDPR Article 28 require for data processors?
Article 28 requires that any third party processing personal data on your behalf does so only under a written contract — a Data Processing Agreement — that specifies the subject matter, duration, nature, and purpose of the processing. The DPA must also confirm the processor's obligations around security measures, sub-processor restrictions, data subject rights assistance, and deletion or return of data after the contract ends.
Are server-side email signature tools a GDPR risk?
Server-side tools route your organisation's outbound email through the vendor's cloud infrastructure before delivery to the recipient. This means email content, attachments, and metadata leave your Microsoft or Google environment and pass through a third party. Under UK GDPR, this makes the vendor a data processor, requiring a DPA and due diligence on their security practices and sub-processor arrangements. The ICO's guidance on controllers and processors sets out what that due diligence should cover.