Subprocessors
Last updated 2026-05-03
eSigKit uses the following third parties (“subprocessors”) to run the Service. Each is bound by a written agreement that obligates them to handle customer data consistently with our Privacy Policy and applicable data- protection law (GDPR Art. 28 / UK GDPR / CCPA).
Active subprocessors
| Subprocessor | Service provided | Data processed | Region |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Compute (Lambda), storage (DynamoDB, S3), authentication (Cognito), email delivery (SES), encryption (KMS), CDN (CloudFront) | Organization profile, employee records, rendered signatures, audit logs, transactional email content | US-West-2 (Oregon) primary; US-East-1 (N. Virginia) DR |
| Stripe, Inc. | Subscription billing, Stripe Tax, Customer Portal | Billing email, billing address, payment-method tokens, invoice line items, subscription state. We do not store card numbers; Stripe holds them under PCI-DSS. | United States |
| Cloudflare, Inc. | DNS, WAF, Pages hosting (dashboard + marketing site), edge cache | IP address, request URL, browser headers (operational metadata for the duration of the request) | Global edge network |
| Google LLC | Google Workspace Admin SDK — used only when the customer authorizes the bulk Gmail signature deploy feature | Per-employee Gmail send-as signature settings. We do not access mail content, contacts, calendars, or drives. | United States |
Sub-subprocessors
Each subprocessor above may engage sub-subprocessors (for example, AWS relies on its own internal infrastructure providers). We do not separately list those because they are governed by the parent subprocessor’s published lists, which we monitor:
How we notify of changes
When we add or replace a subprocessor, we update this page and notify organization administrators by email at least 30 days before the change takes effect. If you object to a new subprocessor on legitimate grounds, you may terminate your subscription before the change takes effect; we will refund any prepaid amount for the unused portion of your term.
Subscribe to subprocessor announcements by emailing privacy@esigkit.com with the subject “Subprocessor notifications.”
Need our DPA?
If your organization needs a signed Data Processing Agreement under GDPR Article 28 or UK GDPR, email legal@esigkit.com and we will send you our standard DPA, which incorporates the EU Standard Contractual Clauses (SCCs) for international transfers.