VaseSignby Stars in a Vase Digital Trust
FeaturesIndustriesAI reviewEvidenceFeature ShopPartnersTrust CenterConnect
✦ Sign For Free. Forever.
Sign inStart signing

Trust Center

Subprocessors

Structured register of categories of providers that may process personal information on behalf of customers, with diligence notes and confirmation gates.

  • Overview
  • Legal alignment
  • Signature levels
  • Evidence pack
  • Security
  • Privacy & POPIA
  • Subprocessors
  • Data residency
  • Data retention
  • Incident response
  • Availability
  • Enterprise assurance
  • Vulnerability disclosure
  • Contact
VaseSignby Stars in a Vase Digital Trust

VaseSign by Stars in a Vase Digital Trust helps teams prepare, review, send, sign, verify and evidence important documents with ECTA-aware workflows, POPIA-aligned controls where configured, and optional higher-assurance paths through configured providers.

Product

  • Features
  • AI document review
  • Evidence-backed signing
  • Feature Shop
  • Partner Network
  • Marketplace
  • Developers
  • Trust Center

Industries

  • Legal & conveyancing
  • Property & rentals
  • HR & onboarding
  • Banking & insurance
  • Government & SMEs

Company

  • About & trust
  • Contact
  • OEM partners
  • White label
  • Partner portal
  • Careers

Legal

  • Trust Center
  • Privacy Policy
  • Terms of Service
  • POPIA (Trust)
  • ECTA alignment

2026 Stars in a Vase Digital Trust. All rights reserved. | ✦ Sign For Free. Forever.

Built in South Africa|ECTA-aware · POPIA-aligned where configured

Enterprise customers typically require visibility into subprocessors that may process personal information on behalf of the service. The table below summarises categories of providers and their roles. Specific vendor names, regions, and DPAs for your production stack are confirmed during enterprise onboarding and may evolve — VaseSign notifies customers of material changes according to contract.

Provider / categoryPurposeData categoriesLocation / regionSecurity notesStatus
Primary cloud hosting & platform servicesApplication runtime, storage, databases, backups, and operational tooling for the VaseSign production estate.Customer documents and envelopes, account profiles, authentication telemetry, audit logs, integration metadata.Deployment-specific. Authoritative region matrix for your workspace is confirmed during enterprise onboarding.Logical tenant isolation, encryption in transit, encryption at rest where enabled by platform configuration; access governed by VaseSign operational controls.Active
Email & transactional messaging providerDelivery of invitations, reminders, OTP or notification messages where email or SMS channels are enabled.Recipient identifiers (email address, phone number where used), message metadata, delivery status events.To be confirmed before enterprise onboardingTransport encryption for submission APIs; minimised payloads where product design allows; subprocessors listed under vendor DPAs.To be confirmed before enterprise onboarding
DNS, CDN, or edge protection servicesDNS resolution, static asset delivery, WAF or DDoS mitigation at the perimeter.Limited request metadata; typically no customer document payloads.Global edge presence; primary configuration disclosed under NDA.TLS termination at edge where configured; logging minimisation consistent with security monitoring needs.Conditional
Identity & federation (when SSO/MFA integrations are enabled)Authentication broker or SAML/OIDC federation when your organisation connects an external IdP.Authentication assertions, directory identifiers, session correlation tokens — not VaseSign document content unless explicitly routed.Determined by your IdP and federation configuration.Relies on customer-controlled identity posture; VaseSign receives only what the protocol requires for session establishment.Conditional
Trust service, DSS, or timestamp providers (when configured)Advanced or qualified signing, certificate issuance, PDF sealing, RFC 3161 timestamping, or validation services integrated per workspace.Document hashes, signing ceremony metadata, certificate handles — exact scope depends on provider contract.Provider-specific; EU QTSP processing may apply for QES routes.Integration boundaries documented per deployment; legal effect remains subject to applicable law and provider accreditation.Conditional
AI or document-assist vendors (when Feature Shop capabilities are enabled)Optional AI-assisted review or drafting features invoked by customer configuration.Document text or excerpts sent per feature design; may include prompts and model outputs under customer policy.To be confirmed before enterprise onboardingEnablement is configuration-driven; data minimisation and retention follow workspace settings and supplier terms.To be confirmed before enterprise onboarding
Billing & payment processingCard or payment instrument processing when customers purchase paid features.Payment instrument tokens, billing contact details, transaction references — not signing evidence contents.To be confirmed before enterprise onboardingPCI DSS responsibilities split per processor agreement; VaseSign avoids storing full card numbers where tokenisation applies.To be confirmed before enterprise onboarding
Observability, logging, or support ticketing (operational)Infrastructure monitoring, error tracking, or customer support case management.Operational logs, support ticket fields, redacted technical diagnostics — production document bodies excluded except where intentionally attached by users.To be confirmed before enterprise onboardingAccess restricted to authorised personnel; retention aligned to operational need and contractual commitments.To be confirmed before enterprise onboarding

Combine this register with Data residency and Privacy & POPIA for a complete diligence starter pack; authoritative schedules are attached under agreement.