Trust Center
Sub-processor list
Every third party that may Process customer Personal Data, with purpose, legal entity, regions of operation, and current certifications. We notify customers at least 30 days in advance of any new sub-processor or material change.
Last updated: 23 April 2026 · 12 active sub-processors
Infrastructure
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| Amazon Web Services<br>Amazon Web Services, Inc. (USA) / AWS EMEA SARL (LU)<br>SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS | Primary cloud hosting, object storage, KMS | us-east-1, eu-central-1, ap-south-1 |
| Microsoft Azure<br>Microsoft Corporation (USA) / Microsoft Ireland Operations Ltd<br>SOC 2 Type II, ISO 27001, FedRAMP, HIPAA | Secondary infrastructure, AKS for control-plane services | EU North, India South |
| Cloudflare<br>Cloudflare, Inc. (USA)<br>SOC 2 Type II, ISO 27001, PCI DSS | Edge CDN, DNS, WAF, DDoS protection | Global edge network |
AI inference
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| OpenAI<br>OpenAI, L.L.C. (USA) / OpenAI Ireland Ltd<br>SOC 2 Type II · zero-retention enterprise API tier · DPA signed | AI inference for clause extraction, summarization, drafting assistance | Customer-region pinned (US, EU) |
| Anthropic<br>Anthropic, PBC (USA) / Anthropic Ireland Ltd<br>SOC 2 Type II · zero-retention API · DPA signed | AI inference for review-side reasoning and risk surfacing | US, EU |
Communications
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| Resend<br>Resend, Inc. (USA)<br>SOC 2 Type II | Transactional email delivery (signing requests, notifications) | EU |
| Twilio<br>Twilio Inc. (USA) / Twilio Ireland Ltd<br>SOC 2 Type II, ISO 27001, HIPAA-eligible | SMS / WhatsApp delivery for OTP, signing reminders | Global; routed by recipient region |
Identity
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| WorkOS<br>WorkOS, Inc. (USA)<br>SOC 2 Type II | SSO (SAML/OIDC) and SCIM provisioning for enterprise tenants | US |
| Stripe Identity<br>Stripe, Inc. (USA) / Stripe Payments Europe Ltd<br>SOC 2 Type II, ISO 27001, PCI DSS Level 1 | Identity verification for high-assurance signing flows | Customer-region routed |
Observability
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| Datadog<br>Datadog, Inc. (USA) / Datadog France SAS<br>SOC 2 Type II, ISO 27001, HIPAA | Application performance monitoring, infrastructure metrics, error tracking | EU; metadata only, no customer document content |
| Sentry<br>Functional Software, Inc. dba Sentry (USA)<br>SOC 2 Type II, ISO 27001 | Error and exception tracking (stack traces, no document content) | EU |
Payments
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| Stripe<br>Stripe, Inc. / Stripe Payments Europe Ltd / Stripe India<br>SOC 2 Type II, ISO 27001, PCI DSS Level 1 | Subscription billing and payment processing | Customer-region routed |
Notification & objection process
1. ZiaSign publishes intended additions or replacements to this page and notifies all subscribed customers by email at least 30 days before the change takes effect.
2. Customers may object on reasonable data-protection grounds within the 30-day window by emailing privacy@ziasign.com.
3. If we cannot resolve the objection, the customer may terminate the affected portion of the Service with prorated refund.
4. Emergency replacements (e.g. a sub-processor going bankrupt) may shorten the notice window; in such cases we notify as far in advance as commercially possible.