VaseSign's security posture combines platform controls with the way your organisation configures identity, integrations, and data flows. This overview describes practices commonly applied in production deployments; exact measures are confirmed during enterprise diligence and may vary by tier or hosting choice.
Encryption in transit and at rest
Traffic between clients and VaseSign uses modern TLS configurations appropriate to the deployment edge. Data at rest relies on provider-managed encryption for underlying storage where enabled; customer-managed keys may apply in dedicated arrangements described under contract.
Role-based access control (RBAC)
Organisations assign roles and permissions so that users access only the documents and administrative functions required for their duties. Administrative actions are restricted to authorised operators according to internal VaseSign access policies.
MFA and SSO where configured
Multi-factor authentication and single sign-on integrate with your identity provider when enabled. Password-only access remains subject to your organisation's password policy and risk appetite.
Audit logging
Security-relevant events — including authentication, administrative changes, and sensitive document actions where instrumented — are recorded for operational investigation and customer export where the product supports it. Log retention follows deployment configuration and applicable agreements.
Tenant isolation
Customer data is partitioned logically so one tenant cannot access another's envelopes under normal operation. Cross-tenant access requires deliberate super-administrative tooling governed by policy and audit.
Secret management
API keys, signing secrets for webhooks, and integration credentials are stored using managed secret mechanisms rather than embedded in source code. Rotation and distribution follow operational procedures reviewed during enterprise assurance.
Vulnerability management
Dependencies and infrastructure components are monitored for known vulnerabilities; patches are prioritised by severity and exploitability. External researchers may report issues through the coordinated disclosure channel — see Vulnerability disclosure.
Backups and recovery
Production data is backed up according to operational objectives for the deployment tier. Recovery time and recovery point objectives are discussed with enterprise customers under NDA rather than asserted generically on this page.
Secure software development lifecycle
Changes flow through code review, automated checks where configured, and controlled releases. Production access is limited and monitored; separation between development and production environments reduces accidental exposure.
VaseSign avoids substituting marketing superlatives for evidence. Reviews should validate configuration for your workspace, identity integration, and subprocessors — see Subprocessors and Enterprise assurance.