Trust Center
Verifiable security.
Honest about what's in audit.
One page for everything procurement, security and legal teams ask. Standards link to their source. Audit status is current, not aspirational. The DPA, sub-processor list and AI policy are public.
01 · System status
All systems operational
Component health refreshed every 60 seconds. A dedicated status page with incident history is mirrored at status.ziasign.com so procurement teams can verify availability independently of this site.
| Component | SLA | Status |
|---|---|---|
| API (api.ziasign.com) | 99.99% | Operational |
| Web app (ziasign.com) | 99.95% | Operational |
| Signing service | 99.99% | Operational |
| AI inference | 99.9% | Operational |
| Webhook delivery | 99.95% | Operational |
| Email delivery | 99.9% | Operational |
Subscribe to incident notifications: status@ziasign.com
02 · Compliance & attestations
Standards, not stickers.
Each entry below states what is active, what is in progress, and which standard it maps to. We do not display certifications we do not hold.
SOC 2
Type II in audit
Controls implemented and operating (Type I scope). Type II audit observation period under way with a Big-Four-affiliated CPA firm. Auditor name and report available under NDA on request.
ISO 27001
Controls
Annex A control set implemented and mapped against our ISMS. External certification audit scheduled following SOC 2 Type II closure.
GDPR
Compliant
Article 28 Data Processing Agreement available below. Standard Contractual Clauses (SCCs 2021/914) included for international transfers. EU data residency available.
DPDP Act
India
Designed for the Digital Personal Data Protection Act 2023. Indian data residency, consent-management primitives, and Significant Data Fiduciary obligations supported.
eIDAS
Advanced
Advanced Electronic Signature (AdES) implementation aligned to Regulation (EU) 910/2014. Qualified signatures (QES) via partner Qualified Trust Service Providers on enterprise plans.
ESIGN · UETA
US
Compliant with the Electronic Signatures in Global and National Commerce Act (ESIGN, 15 U.S.C. § 7001) and the Uniform Electronic Transactions Act (UETA) as adopted by 49 US states.
HIPAA
Aligned
Administrative, physical and technical safeguards aligned to 45 CFR §§ 164.308–312. Business Associate Agreement available on enterprise plans.
RFC 3161
TSA
Every envelope is anchored to an RFC 3161 Time-Stamp Authority (TSA). The timestamp token is stored with each PDF/A-3 export, so any third party can verify it against the TSA's certificate without relying on us.
03 · Security controls
Defense in depth, by default.
Encryption at rest
AES-256-GCM. Per-tenant data keys, wrapped by the cloud-provider KMS (envelope encryption).
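As an added illustration, not ZiaSign's code, the Go program below shows the envelope-encryption pattern this entry describes: a key-encryption key (KEK) held by a KMS wraps a per-tenant data-encryption key (DEK), and the DEK encrypts stored objects. AES-GCM associated data binds each wrapped key to its tenant and each ciphertext to its tenant and object ID, so a blob presented under the wrong context fails to open. The KMS type, the tenant and object names and the sample body are assumptions made for the example; a real deployment calls the cloud KMS wrap/unwrap API instead of holding the KEK in process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a constructed in-process stand-in for a cloud KMS: it holds the AES-256
// key-encryption key (KEK) and exposes only wrap/unwrap, never the KEK itself.
type KMS struct{ kek []byte }

func NewKMS() (*KMS, error) {
	kek, err := randomBytes(32)
	return &KMS{kek: kek}, err
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh 96-bit nonce prepended to the ciphertext.
// aad is authenticated, not encrypted: it binds the blob to a context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// WrapDEK mints a fresh 256-bit data key for one tenant and returns it with its
// KEK-wrapped form. The tenant ID is the AAD, so the wrapped key cannot be
// unwrapped under another tenant's context.
func (k *KMS) WrapDEK(tenantID string) (dek, wrapped []byte, err error) {
	if dek, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.kek, dek, []byte("tenant:"+tenantID))
	return dek, wrapped, err
}
func (k *KMS) UnwrapDEK(tenantID string, wrapped []byte) ([]byte, error) {
	return open(k.kek, wrapped, []byte("tenant:"+tenantID))
}

// EncryptObject seals one stored object under the tenant DEK with tenant and
// object ID as AAD, so a blob copied onto another record fails to decrypt.
func EncryptObject(dek []byte, tenantID, objectID string, plaintext []byte) ([]byte, error) {
	return seal(dek, plaintext, []byte(tenantID+"/"+objectID))
}
func DecryptObject(dek []byte, tenantID, objectID string, blob []byte) ([]byte, error) {
	return open(dek, blob, []byte(tenantID+"/"+objectID))
}

// Demo runs the write path, one misuse that must be rejected, then the normal
// read path (unwrap, then decrypt) and returns the recovered plaintext.
func Demo(k *KMS) (string, error) {
	dek, wrapped, err := k.WrapDEK("acme")
	if err != nil {
		return "", err
	}
	ct, err := EncryptObject(dek, "acme", "env-42", []byte("constructed sample envelope body"))
	if err != nil {
		return "", err
	}
	if _, err := k.UnwrapDEK("globex", wrapped); err == nil {
		return "", errors.New("wrapped DEK accepted under another tenant's context")
	}
	dek2, err := k.UnwrapDEK("acme", wrapped)
	if err != nil {
		return "", err
	}
	pt, err := DecryptObject(dek2, "acme", "env-42", ct)
	return string(pt), err
}
```

Call `Demo` with the result of `NewKMS()`. The point to carry over to a real KMS integration is the associated data: without it, a wrapped DEK or an object ciphertext is just opaque bytes that any tenant's read path would accept if it could obtain them.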
Encryption in transit
TLS 1.3 only on all public endpoints; every TLS 1.3 cipher suite is AEAD with ephemeral key exchange, so forward secrecy follows from the version floor. HSTS with preload.
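As an added check, not ZiaSign's code, the Go program below stands up a throwaway HTTPS server in-process with a TLS 1.3-only configuration and an HSTS middleware, then probes it with clients capped at TLS 1.2 and at TLS 1.3 and reads the header back. Running the same audit against a configuration that leaves the minimum version unset shows what the floor buys. The handler, the header value and the server are assumptions for the example; against a real endpoint the probe would be pointed at the public hostname with certificate verification left on.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hstsValue is what the preload list requires: at least one year, all subdomains, preload.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// StrictTLSConfig admits TLS 1.3 only. Go's TLS 1.3 suites are fixed and all use
// AEAD ciphers with ephemeral (EC)DHE key exchange, so forward secrecy follows.
func StrictTLSConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS13} }

// WeakTLSConfig leaves MinVersion unset, which still accepts TLS 1.2.
func WeakTLSConfig() *tls.Config { return &tls.Config{} }

// withHSTS adds Strict-Transport-Security; net/http does not add it for you.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

func startServer(cfg *tls.Config) *httptest.Server {
	srv := httptest.NewUnstartedServer(withHSTS(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	})))
	srv.TLS = cfg // httptest clones cfg and supplies a self-signed certificate
	srv.StartTLS()
	return srv
}

// handshakeAt reports whether a client capped at maxVersion completes a handshake.
func handshakeAt(srv *httptest.Server, maxVersion uint16) bool {
	conn, err := tls.Dial("tcp", strings.TrimPrefix(srv.URL, "https://"), &tls.Config{
		MaxVersion:         maxVersion,
		InsecureSkipVerify: true, // acceptable only because the cert is httptest's throwaway self-signed one
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Report records what the audit of one configuration found.
type Report struct {
	TLS12Accepted bool
	TLS13Accepted bool
	HSTS          string
}

// Audit starts a server with cfg, fetches / to read the HSTS header, probes the
// handshake at TLS 1.2 and 1.3, and shuts the server down.
func Audit(cfg *tls.Config) (Report, error) {
	srv := startServer(cfg)
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL) // this client trusts the httptest certificate
	if err != nil {
		return Report{}, err
	}
	resp.Body.Close()
	return Report{
		TLS12Accepted: handshakeAt(srv, tls.VersionTLS12),
		TLS13Accepted: handshakeAt(srv, tls.VersionTLS13),
		HSTS:          resp.Header.Get("Strict-Transport-Security"),
	}, nil
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"strict", StrictTLSConfig()}, {"weak", WeakTLSConfig()}} {
		r, err := Audit(c.cfg)
		fmt.Printf("%-6s %+v %v\n", c.name, r, err)
	}
}
```

The strict configuration should report a failed TLS 1.2 handshake, a successful TLS 1.3 handshake and the full HSTS value; the weak one accepts both versions. The same probe pattern, with `InsecureSkipVerify` removed, is what a procurement reviewer can run against the public endpoints to confirm the claim rather than take it from this page.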
Key management
BYOK / customer-managed keys (CMK) on enterprise plans. Annual key rotation, audited.
Access control
SSO via SAML 2.0 / OIDC, SCIM provisioning, granular RBAC, IP allow-listing, step-up MFA on signing events.
Audit logging
Tamper-evident, append-only audit log of every access and signing event. Exportable in CEF, JSON and CSV.
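As an added example, not the page's or ZiaSign's implementation, one way to make an append-only log tamper-evident is to hash-chain it: each record carries the hash of its predecessor, and its own hash covers every field, so editing, inserting or reordering a record invalidates everything after it. The Go code below implements that chain with JSON Lines and CEF exporters; the field names, the CEF severity mapping and the sample events in the usage note are assumptions. It also shows the check's limit: the chain alone cannot prove the tail has not been cut off, so the head hash needs an external anchor.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one audit record. PrevHash links it to its predecessor and Hash covers
// every other field, so editing, inserting or reordering a record breaks the chain.
type Event struct {
	Seq      uint64    `json:"seq"`
	At       time.Time `json:"time"`
	Tenant   string    `json:"tenant"`
	Actor    string    `json:"actor"`
	Action   string    `json:"action"` // e.g. document.viewed, envelope.signed
	Object   string    `json:"object"`
	PrevHash string    `json:"prev_hash"`
	Hash     string    `json:"hash"`
}

// genesisHash is the PrevHash of the first record.
var genesisHash = strings.Repeat("0", 64)

// Digest hashes the record in a length-delimited canonical form, so moving bytes
// between fields (actor into action, say) cannot produce the same hash.
func (e Event) Digest() string {
	h := sha256.New()
	fields := []string{fmt.Sprint(e.Seq), e.At.UTC().Format(time.RFC3339Nano),
		e.Tenant, e.Actor, e.Action, e.Object, e.PrevHash}
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Log is append-only: there is deliberately no method that updates or deletes.
type Log struct{ events []Event }

func (l *Log) Append(at time.Time, tenant, actor, action, object string) Event {
	prev := genesisHash
	if n := len(l.events); n > 0 {
		prev = l.events[n-1].Hash
	}
	e := Event{Seq: uint64(len(l.events)) + 1, At: at.UTC(), Tenant: tenant,
		Actor: actor, Action: action, Object: object, PrevHash: prev}
	e.Hash = e.Digest()
	l.events = append(l.events, e)
	return e
}

// Events returns a copy so callers cannot alter the log through the slice.
func (l *Log) Events() []Event { return append([]Event(nil), l.events...) }

// Verify walks an exported chain and returns the index of the first record that
// fails (wrong sequence, broken link or altered content), or -1 if all pass.
// It cannot detect truncation of the tail: anchor the latest Hash externally
// (a timestamp token, or a head hash handed to the customer) to catch that.
func Verify(events []Event) int {
	prev := genesisHash
	for i, e := range events {
		if e.Seq != uint64(i)+1 || e.PrevHash != prev || e.Digest() != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// ExportJSON renders the chain as JSON Lines, one record per line.
func ExportJSON(events []Event) string {
	var b strings.Builder
	for _, e := range events {
		line, _ := json.Marshal(e)
		b.Write(line)
		b.WriteByte('\n')
	}
	return b.String()
}

// ExportCEF renders one record in ArcSight Common Event Format. Header fields
// escape '|' and '\'; extension values escape '=' and '\'.
func ExportCEF(e Event) string {
	hdr := strings.NewReplacer(`\`, `\\`, `|`, `\|`)
	ext := strings.NewReplacer(`\`, `\\`, `=`, `\=`)
	sev := 3 // constructed mapping: signing events are rated higher than reads
	if strings.HasPrefix(e.Action, "envelope.") {
		sev = 6
	}
	return fmt.Sprintf("CEF:0|ZiaSign|AuditLog|1.0|%s|%s|%d|rt=%d suser=%s cs1Label=tenant cs1=%s fname=%s cs2Label=hash cs2=%s",
		hdr.Replace(e.Action), hdr.Replace(e.Action), sev, e.At.UnixMilli(),
		ext.Replace(e.Actor), ext.Replace(e.Tenant), ext.Replace(e.Object), e.Hash)
}
```

Usage: append a few constructed events with `Append`, take `Events()`, and run `Verify` on the copy before and after changing one record's actor; the first call returns -1, the second returns that record's index. Re-hashing the altered record only moves the failure to the next record, because its PrevHash no longer matches. Dropping the last record still verifies, which is the truncation gap the comment on `Verify` describes.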
Data residency
Tenant-pinned residency in US (us-east-1), EU (eu-central-1) and India (ap-south-1). No cross-region replication without consent.
Penetration testing
Annual third-party penetration test by an independent CREST-accredited firm. Executive summary available under NDA.
Vulnerability program
Continuous SCA + SAST + DAST. Dependency patching SLA: critical < 24h, high < 7d. Responsible disclosure at security@ziasign.com.
04 · AI safety & data handling
Your contracts will not train anyone's model.
AI is the third rail of enterprise procurement in 2026. Here is exactly what we do and do not do — contractually guaranteed in our DPA.
We do not train on your data
Customer documents, signatures, audit logs and metadata are never used to train foundation models — ours, our vendors', or anyone else's. This is contractually guaranteed in our DPA and enforced via zero-retention API agreements with our model providers.
Inference is region-pinned
AI inference for an envelope runs in the customer's tenant region. EU tenants do not see their data routed to US inference endpoints. Region routing is enforced at the edge.
No persistent context
AI context windows are scoped to a single request and discarded immediately. We do not maintain persistent embeddings of customer contracts unless the customer explicitly enables semantic search (and even then, embeddings live in the tenant's region only).
Frozen, version-pinned models
We pin to specific model snapshots (e.g. gpt-4.1-2025-04-14, claude-sonnet-4-5-20250929). Upgrades require change management and customer notification on enterprise plans.
Human-in-the-loop for material changes
AI cannot finalize, send for signature, or execute a contract without explicit human approval. AI is an assistant, not an actor.
Model provider contracts: we operate on the zero-retention API tier with OpenAI and Anthropic, and have signed enterprise DPAs with both. Customer prompts and completions are not retained beyond the request lifecycle and are not eligible for model training.
05 · Data processing
DPA, SCCs and customer rights.
Data Processing Agreement
Our DPA is GDPR Article 28 compliant and incorporates the European Commission's 2021 Standard Contractual Clauses for international transfers. It governs the processing of personal data when you use ZiaSign as a Processor.
- GDPR Art. 28 compliant
- SCCs 2021/914 included
- UK IDTA addendum on request
- DPDP Act (India) provisions
- CCPA/CPRA service-provider terms
- Sub-processor flow-down
06 · Sub-processors
Who touches your data.
We disclose every sub-processor that may process customer personal data. Customers can subscribe to change-notifications and have a 30-day objection window before any new sub-processor goes live.
| Processor | Purpose | Regions |
|---|---|---|
| Amazon Web Services (AWS) | Primary cloud infrastructure | us-east-1, eu-central-1, ap-south-1 |
| Microsoft Azure | Secondary infrastructure, AKS for control-plane services | EU North, India South |
| OpenAI | AI inference (clause extraction, summarization) | Customer-region routing; not opted in to training |
| Anthropic | AI inference (review-side reasoning) | US, EU; zero-retention API tier |
| Resend | Transactional email delivery | EU |
| Cloudflare | Edge CDN, WAF, DDoS protection | Global |
07 · Responsible disclosure
Find a vulnerability? Tell us first.
| Stage | Target | Detail |
|---|---|---|
| Acknowledge | < 24h | Initial response from a security engineer |
| Triage | < 72h | Severity assigned, repro confirmed, ticket opened |
| Patch SLA | Critical < 24h | High < 7d · Medium < 30d · Low next release |
Report security issues to security@ziasign.com. PGP key available on request. We commit to non-retaliation against good-faith researchers and will credit reporters in our hall of fame on request.
08 · Contact
Get in touch.
security@ziasign.com
Security & vulnerability disclosure
privacy@ziasign.com
Privacy, GDPR & DPDP requests
legal@ziasign.com
Counter-signed DPA, MSA, BAA
trust@ziasign.com
Vendor security questionnaires
Last reviewed: 23 April 2026 · Page is updated within 5 business days of any material change.