Reporting channel
Suspected security incidents affecting VaseSign production services should be reported promptly to security@vasesign.co.za with a concise description, timestamps, affected workspaces or correlation identifiers if known, and contact details for follow-up. Operational customer issues that are not security-sensitive may continue through normal support channels.
Severity levels
Events are triaged into operational severity bands — for example low (limited impact, contained), medium (customer-visible degradation without confirmed data exposure), high (significant impact or credible confidentiality breach), and critical (active exploitation or widespread compromise risk). Exact criteria and escalation ladders are maintained internally and aligned to enterprise playbooks under NDA where contracted.
Notification approach
VaseSign coordinates notifications with affected customers when incidents materially impact their data or service use. Timelines depend on incident facts, regulatory obligations, and the terms of your agreement — this public page does not create SLAs beyond those contracts. Regulators or data subjects may need separate notifications handled by the appropriate controller.
Evidence preservation
Logs, configuration snapshots, and forensic artefacts relevant to root-cause analysis are preserved according to legal and operational retention policies. Preservation balances the integrity of the investigation with minimisation; scope is reviewed with counsel when litigation or a regulatory inquiry is anticipated.
Customer communication process
Customer security and administration contacts named in enterprise agreements receive structured updates for qualifying incidents: acknowledgement, intermediate findings, containment actions, and closure summaries where appropriate. VaseSign may convene a technical bridge with customer security teams for coordinated containment when integrations are implicated.
Coordinated vulnerability reports from researchers are handled under our Vulnerability disclosure policy.