Signa processes publicly available trademark data from government registries. This page covers how Signa handles data privacy, what compliance measures are in place, and what responsibilities fall on you as a user of the API.

Public Data Processing

Trademark registrations are public records published by government intellectual property offices. Signa ingests, normalizes, and indexes this data to make it searchable and actionable.

What Signa Processes

Data Category | Examples | Source
Mark identity | Mark text, images, Nice classifications, Vienna codes | Official registries
Filing details | Application/registration numbers, dates, status | Official registries
Owner information | Applicant/registrant name, address, country, entity type | Official registries
Attorney information | Attorney of record, law firm name | Official registries
Proceedings | TTAB decisions, oppositions, cancellations | Official registries
Corporate linkage | SEC (CIK), GLEIF (LEI), parent-subsidiary relationships | SEC EDGAR, GLEIF
All of this data is already publicly available through the respective government portals. Signa does not collect, store, or process any non-public personal data.

What Signa Does Not Process

  • Private communications between applicants and offices
  • Attorney-client privileged information
  • Financial records or payment details of trademark holders
  • Social media or web-scraped data about individuals
  • Biometric or sensitive personal data

GDPR Compliance

Signa processes publicly available data from government registries. Under GDPR, this processing is based on the legitimate interest legal basis (Article 6(1)(f)) — the same basis used by established trademark intelligence services, official TMView/GBD databases, and legal research platforms.
Signa’s processing of public trademark data relies on legitimate interest (Article 6(1)(f) GDPR):
  • Purpose: Enabling trademark search, monitoring, and clearance — activities that serve the proper functioning of the trademark system
  • Necessity: Trademark data must be aggregated across offices to be useful for cross-jurisdictional clearance and monitoring
  • Balancing: The data is already public by design (trademark systems require public notice), and Signa does not enrich it with non-public personal information

Data Processing Agreement

Enterprise customers requiring a formal Data Processing Agreement (DPA) can request one by contacting legal@signa.so. The DPA covers:
  • Data processing scope and purpose
  • Sub-processor list and notification obligations
  • Data transfer mechanisms (Standard Contractual Clauses where applicable)
  • Incident notification procedures
  • Audit rights

Right to Erasure

While trademark registry data is public, individuals whose personal data appears in trademark records (e.g., individual trademark owners) may have rights under GDPR. Signa handles such requests as follows:
  1. Requests about registry data: Signa reflects what the official registry publishes. If an individual’s data has been removed from the source registry, Signa will remove it during the next sync cycle.
  2. Requests about derived data: Entity resolution profiles, statistics, and corporate linkage derived from public data can be suppressed on request.
  3. Contact: Send erasure requests to privacy@signa.so with the relevant trademark ID(s) and your relationship to the data.
Erasure requests are processed within 30 days. Note that suppressing a record in Signa does not affect the underlying public registry data.

Attorney-Client Privilege

Signa does not access or store attorney-client privileged information. However, as a user of the API, be aware of the following:

Search Queries

API search queries are logged for rate limiting, abuse detection, and debugging purposes. These logs are retained for 90 days and then deleted. If your search queries could reveal privileged strategy (e.g., searching for marks your client intends to file), consider:
  • Using generic API keys that are not tied to specific matters
  • Reviewing your organization’s policies on using third-party search tools for privileged work
  • Discussing with counsel whether search patterns constitute privileged work product

Portfolio Contents

Portfolios and watches you create in Signa are scoped to your organization and not visible to other API users. However, the existence and contents of portfolios are stored in Signa’s database. For highly sensitive matters:
  • Use the metadata field to store internal reference codes rather than matter names
  • Consider whether portfolio membership itself reveals privileged strategy
Signa is a data platform, not a legal tool. It does not provide legal advice and is not covered by any attorney-client privilege. Consult your legal team about appropriate use of third-party data services in privileged matters.

Professional Liability

Signa’s Role

Signa provides normalized trademark data and computed insights (deadlines, status classifications, entity resolution). These are informational outputs, not legal opinions.

Your Responsibility

As an API consumer, you are responsible for:
Area | Your Obligation
Verification | Cross-referencing Signa data with official registries for critical decisions
Legal advice | Engaging qualified trademark counsel for legal opinions
Deadline management | Using Signa’s computed deadlines as one input among several, not as a sole calendar
Data accuracy | Reporting discrepancies you discover to support@signa.so
Access control | Managing your API keys and organization membership appropriately

Limitation of Liability

Signa’s terms of service limit liability for data accuracy. Computed fields (deadlines, entity resolution, status classification) are best-effort derivations from public data. Always verify critical data points against the source registry before acting.

Audit Trail & Compliance Logging

Request Logging

Every API request generates a request_id (e.g., req_abc123) that appears in every response. This ID can be used to:
  • Trace a specific request through Signa’s systems
  • Reference in support tickets
  • Correlate with your own internal audit logs

Data Versioning

Trademark records are versioned internally. When a record changes due to a new sync, the previous version is preserved. The updated_at timestamp and data_freshness.source_data_date fields let you determine exactly when data changed and what the source was.

Event Stream

The Events API (GET /v1/events) provides an immutable log of all changes to trademark data. Use events to:
  • Build an audit trail of what changed and when
  • Trigger downstream compliance workflows
  • Reconstruct the state of a trademark at any point in time
GET /v1/events?event_type=trademark.updated&since=2026-03-01

Security

Infrastructure

Layer | Implementation
Encryption in transit | TLS 1.2+ on all API endpoints
Encryption at rest | AES-256 for all databases and object storage
Network isolation | VPC with private subnets for all data stores
WAF | AWS WAF with rate limiting, IP reputation, and managed rule sets
Secret management | AWS Secrets Manager for all credentials and API keys

API Key Security

  • Keys are SHA-256 hashed before storage — Signa never stores plaintext API keys
  • Key rotation is supported via POST /v1/api-keys/{id}/rotate with a configurable overlap period
  • Keys can be scoped to specific permissions (see Authentication)
  • last_used_at tracking lets you identify unused keys for cleanup
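
The storage and rotation model in the list above, as an added Python example (not Signa's code): only SHA-256 digests are kept, a rotated key stays valid until its overlap window closes, and last_used_at is updated on each successful check. The KeyStore class, the sk_ prefix, and lookup by key id are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


def digest(api_key: str) -> str:
    """SHA-256 hex digest of a key; the only form that is ever stored."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Hypothetical in-memory store: key id -> list of digest records."""

    def __init__(self):
        self.records = {}

    def issue(self, key_id: str) -> str:
        # 32 random bytes: high entropy is what makes a fast, unsalted hash acceptable.
        plaintext = "sk_" + secrets.token_urlsafe(32)  # "sk_" prefix is constructed
        rec = {"digest": digest(plaintext), "expires_at": None, "last_used_at": None}
        self.records.setdefault(key_id, []).append(rec)
        return plaintext  # returned to the caller once, never persisted

    def rotate(self, key_id: str, overlap: timedelta, now: datetime) -> str:
        # Existing digests stay valid until the overlap window closes.
        for rec in self.records[key_id]:
            if rec["expires_at"] is None:
                rec["expires_at"] = now + overlap
        return self.issue(key_id)

    def verify(self, key_id: str, presented: str, now: datetime) -> bool:
        candidate = digest(presented)
        ok = False
        for rec in self.records.get(key_id, []):
            live = rec["expires_at"] is None or now < rec["expires_at"]
            # compare_digest avoids leaking digest prefixes through timing.
            if hmac.compare_digest(candidate, rec["digest"]) and live:
                rec["last_used_at"] = now
                ok = True
        return ok

    def unused_since(self, cutoff: datetime):
        # Key ids with no digest used at or after the cutoff: cleanup candidates.
        return [kid for kid, recs in self.records.items()
                if all(r["last_used_at"] is None or r["last_used_at"] < cutoff for r in recs)]
```
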

SOC 2

Signa is working toward SOC 2 Type II certification. Current security controls include:
  • Infrastructure-as-code (Terraform) for reproducible, auditable deployments
  • Automated vulnerability scanning in CI/CD
  • Access logging on all administrative operations
  • Incident response procedures documented internally
SOC 2 Type II certification is in progress. Contact security@signa.so for the current status or to request a security questionnaire.

Data Residency

Primary Region

Signa’s production infrastructure runs in AWS US East (N. Virginia) (us-east-1). All trademark data, API keys, and customer resources are stored in this region.

Data Transfer

Trademark data originates from government registries worldwide and is transferred to Signa’s US-based infrastructure for processing. For EU customers, this transfer is covered by:
  • AWS’s participation in the EU-US Data Privacy Framework
  • Standard Contractual Clauses (available in the DPA)

Enterprise Options

Enterprise customers with specific data residency requirements can discuss options including:
  • Dedicated infrastructure in EU regions (eu-west-1, eu-central-1)
  • Data processing restrictions by jurisdiction
  • Custom data retention policies
Contact sales@signa.so to discuss enterprise residency requirements.

Contact

Topic | Contact
General privacy questions | privacy@signa.so
Data Processing Agreements | legal@signa.so
Security inquiries | security@signa.so
Data quality issues | support@signa.so