Enterprise customers typically require visibility into subprocessors that may process personal information on behalf of the service. The table below summarises categories of providers and their roles. Specific vendor names, regions, and DPAs for your production stack are confirmed during enterprise onboarding and may evolve — VaseSign notifies customers of material changes according to contract.
| Provider / category | Purpose | Data categories | Location / region | Security notes | Status |
|---|---|---|---|---|---|
| Primary cloud hosting & platform services | Application runtime, storage, databases, backups, and operational tooling for the VaseSign production estate. | Customer documents and envelopes, account profiles, authentication telemetry, audit logs, integration metadata. | Deployment-specific. Authoritative region matrix for your workspace is confirmed during enterprise onboarding. | Logical tenant isolation, encryption in transit, encryption at rest where enabled by platform configuration; access governed by VaseSign operational controls. | Active |
| Email & transactional messaging provider | Delivery of invitations, reminders, OTP or notification messages where email or SMS channels are enabled. | Recipient identifiers (email address, phone number where used), message metadata, delivery status events. | To be confirmed before enterprise onboarding | Transport encryption for submission APIs; minimised payloads where product design allows; subprocessors listed under vendor DPAs. | To be confirmed before enterprise onboarding |
| DNS, CDN, or edge protection services | DNS resolution, static asset delivery, WAF or DDoS mitigation at the perimeter. | Limited request metadata; typically no customer document payloads. | Global edge presence; primary configuration disclosed under NDA. | TLS termination at edge where configured; logging minimisation consistent with security monitoring needs. | Conditional |
| Identity & federation (when SSO/MFA integrations are enabled) | Authentication broker or SAML/OIDC federation when your organisation connects an external IdP. | Authentication assertions, directory identifiers, session correlation tokens — not VaseSign document content unless explicitly routed. | Determined by your IdP and federation configuration. | Relies on customer-controlled identity posture; VaseSign receives only what the protocol requires for session establishment. | Conditional |
| Trust service, DSS, or timestamp providers (when configured) | Advanced or qualified signing, certificate issuance, PDF sealing, RFC 3161 timestamping, or validation services integrated per workspace. | Document hashes, signing ceremony metadata, certificate handles — exact scope depends on provider contract. | Provider-specific; EU QTSP processing may apply for QES routes. | Integration boundaries documented per deployment; legal effect remains subject to applicable law and provider accreditation. | Conditional |
| AI or document-assist vendors (when Feature Shop capabilities are enabled) | Optional AI-assisted review or drafting features invoked by customer configuration. | Document text or excerpts sent per feature design; may include prompts and model outputs under customer policy. | To be confirmed before enterprise onboarding | Enablement is configuration-driven; data minimisation and retention follow workspace settings and supplier terms. | To be confirmed before enterprise onboarding |
| Billing & payment processing | Card or payment instrument processing when customers purchase paid features. | Payment instrument tokens, billing contact details, transaction references — not signing evidence contents. | To be confirmed before enterprise onboarding | PCI DSS responsibilities split per processor agreement; VaseSign avoids storing full card numbers where tokenisation applies. | To be confirmed before enterprise onboarding |
| Observability, logging, or support ticketing (operational) | Infrastructure monitoring, error tracking, or customer support case management. | Operational logs, support ticket fields, redacted technical diagnostics — production document bodies excluded except where intentionally attached by users. | To be confirmed before enterprise onboarding | Access restricted to authorised personnel; retention aligned to operational need and contractual commitments. | To be confirmed before enterprise onboarding |
Combine this register with Data residency and Privacy & POPIA for a complete diligence starter pack; authoritative schedules are attached under agreement.