Concept guide
Zero-custody architecture
Reader: compliance reviewer, security architect, account owner evaluating BYOS. Assumes basic familiarity with cryptographic hashing and cloud-storage IAM.
What "zero-custody" means
Zero-custody is not the claim that SignaTrust has never seen the bytes of your document. We sign and anchor it; the bytes pass through our service. Zero-custody is the claim that we do not retain a copy after delivery is confirmed.
When you enable Bring-Your-Own-Storage (BYOS), every signed envelope lands in your S3, Dropbox, Google Drive, OneDrive, or Box account. SignaTrust holds a working copy in our buffer only long enough to confirm that the document reached your storage and that every party who needs the file has fetched it. Then the buffer copy is purged. Your storage provider is the only persistent copy.
The dual-predicate purge
A buffer entry is deleted when both predicates evaluate to true:
delivery_confirmed
Every party on the envelope has either downloaded the signed document or has acknowledged receipt via the BYOS storage provider's API.
retention_elapsed
The buffer entry has reached its configured retention floor (default: zero days when BYOS is enabled; configurable per envelope for legal hold).
Both must be true. A buffer entry that is past its retention floor but has not yet been delivered is held — we do not delete documents that recipients have not yet fetched. A buffer entry that is delivered but inside its retention floor (because the customer set a non-zero floor) is held — we honour the legal hold.
90-day safety net
If delivery_confirmed never becomes true (e.g., a recipient never fetches), the buffer entry is purged at 90 days regardless. The safety net exists so that abandoned envelopes do not accumulate indefinitely. The retention claim on the marketing surface describes the typical path; the 90-day cap is the ceiling.
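The purge rule above, with its two predicates and the 90-day ceiling, written out as an added Python illustration. This is not SignaTrust's code: the predicate names and the BUFFER_PURGED event follow the guide, while the data structures, field names and the exact event shape are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Added illustration (not SignaTrust's code) of the dual-predicate purge.
# Predicate and event names follow the guide; the data structures, field
# names and the shape of the emitted event are assumptions.

SAFETY_NET = timedelta(days=90)   # ceiling for envelopes whose delivery never confirms


@dataclass
class Party:
    party_id: str
    downloaded: bool = False      # party fetched the signed document
    acknowledged: bool = False    # receipt acknowledged via the storage provider's API


@dataclass
class BufferEntry:
    envelope_id: str
    created_at: datetime
    parties: List[Party]
    retention_floor: timedelta = timedelta(0)   # default under BYOS; raised for legal hold


def delivery_confirmed(entry: BufferEntry) -> bool:
    """True once every party has downloaded or acknowledged receipt."""
    return all(p.downloaded or p.acknowledged for p in entry.parties)


def retention_elapsed(entry: BufferEntry, now: datetime) -> bool:
    """True once the entry has sat in the buffer for at least its retention floor."""
    return now - entry.created_at >= entry.retention_floor


def purge_decision(entry: BufferEntry, now: datetime) -> Optional[str]:
    """Return the predicate path that permits purging, or None to keep holding.

    'dual_predicate_met': both predicates true (the normal path).
    'safety_net_90d':     delivery never confirmed, but the entry is 90 days old.
    A delivered entry inside a non-zero retention floor is held, even past
    90 days: the safety net only covers envelopes whose delivery never confirmed.
    """
    delivered = delivery_confirmed(entry)
    if delivered and retention_elapsed(entry, now):
        return "dual_predicate_met"
    if not delivered and now - entry.created_at >= SAFETY_NET:
        return "safety_net_90d"
    return None


def purge_if_due(entry: BufferEntry, now: datetime) -> Optional[dict]:
    """Apply the decision; return the BUFFER_PURGED audit event, or None if held."""
    path = purge_decision(entry, now)
    if path is None:
        return None
    # Event shape is an assumption; the fields the guide names are present.
    return {
        "event": "BUFFER_PURGED",
        "envelope_id": entry.envelope_id,
        "timestamp": now.isoformat(),
        "predicate": path,
    }


if __name__ == "__main__":
    t0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
    entry = BufferEntry("env-demo-001", t0, [Party("alice", downloaded=True),
                                             Party("bob", acknowledged=True)])
    print(purge_if_due(entry, t0 + timedelta(minutes=5)))
```

The case worth checking when reviewing any implementation of this rule is the one the guide calls out: an envelope that is delivered but under a legal hold longer than 90 days must stay in the buffer, because the safety net applies only when delivery_confirmed never became true.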
What the audit trail records
Every purge emits a BUFFER_PURGED audit event with the envelope id, the purge timestamp, and the predicate path that triggered it (dual_predicate_met for the normal path; safety_net_90d when the safety net fired). The event lands in the customer's exportable audit log alongside ENVELOPE_DELIVERY_ACKNOWLEDGED and the per-party download events.
An auditor who needs to prove that a specific envelope is no longer in SignaTrust storage queries the audit log for the envelope id and looks for BUFFER_PURGED. The presence of the event, the timestamp, and the predicate path together constitute the evidence.
What this is not
- Not end-to-end encryption. The signing service decrypts the document to sign it. End-to-end encryption is a separate property; see the cryptography reference guide for the threat model that zero-custody does and does not address.
- Not a substitute for a BAA. If the document contains protected health information, you still need a Business Associate Agreement covering the time SignaTrust held the buffer copy. Zero-custody reduces the duration but does not eliminate the BAA.
- Not automatic for non-BYOS envelopes. Customers on the default SignaTrust S3 path have the standard 7-year retention. Zero-custody is the BYOS path specifically.
If you need to verify this yourself
- Sign in to your SignaTrust account on a BYOS-enabled plan and send an envelope to two test recipients. Confirm both fetch it.
- Wait for the standard delivery-confirmation window (typically minutes for programmatic fetchers; up to an hour for human signers).
- Open the envelope's audit-log export. Look for BUFFER_PURGED with predicate: dual_predicate_met.
- Open the file in your storage provider. Confirm the SHA-256 hash matches the hash anchored on Solana for that envelope.
Expected result: the SignaTrust buffer no longer has a copy; your storage provider has the only persistent copy; the blockchain anchor proves the file is unaltered.
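An added Python example, not SignaTrust's own tooling, that checks the expected result above and performs the audit-log lookup described under "What the audit trail records": find the BUFFER_PURGED event for an envelope id, note which predicate path it records, and recompute the SHA-256 of the file in your storage against the anchored digest. It assumes the audit-log export is one JSON object per line with the field names used here; the sample records, the file bytes and the anchored digest are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Added example (not SignaTrust's code). The export format (one JSON object
# per line) and the key names are assumptions; the records, file bytes and
# anchored digest below are constructed for illustration.

ENVELOPE_ID = "env-demo-001"

# Constructed sample export: delivery acknowledgements for both test
# recipients, the purge on the normal path, and an unrelated safety-net purge.
SAMPLE_EXPORT = "\n".join(json.dumps(rec) for rec in [
    {"event": "ENVELOPE_DELIVERY_ACKNOWLEDGED", "envelope_id": ENVELOPE_ID,
     "party_id": "recipient-1", "timestamp": "2024-05-01T10:02:11Z"},
    {"event": "ENVELOPE_DELIVERY_ACKNOWLEDGED", "envelope_id": ENVELOPE_ID,
     "party_id": "recipient-2", "timestamp": "2024-05-01T10:03:40Z"},
    {"event": "BUFFER_PURGED", "envelope_id": ENVELOPE_ID,
     "timestamp": "2024-05-01T10:03:41Z", "predicate": "dual_predicate_met"},
    {"event": "BUFFER_PURGED", "envelope_id": "env-demo-002",
     "timestamp": "2024-07-30T00:00:00Z", "predicate": "safety_net_90d"},
])

# Constructed stand-ins for the file fetched from your storage provider and
# the SHA-256 hex digest read from the Solana anchor for this envelope.
SIGNED_FILE = b"%PDF-1.7 (constructed signed envelope bytes)"
ANCHORED_SHA256 = hashlib.sha256(SIGNED_FILE).hexdigest()


def find_purge_event(export_text: str, envelope_id: str) -> Optional[dict]:
    """Return the BUFFER_PURGED record for envelope_id, or None if absent."""
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") == "BUFFER_PURGED" and rec.get("envelope_id") == envelope_id:
            return rec
    return None


def file_matches_anchor(file_bytes: bytes, anchored_hex: str) -> bool:
    """Recompute SHA-256 over the stored file and compare with the anchored digest."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return hmac.compare_digest(digest, anchored_hex.lower())


def verify_zero_custody(export_text: str, envelope_id: str,
                        file_bytes: bytes, anchored_hex: str) -> dict:
    """Assemble the evidence the guide describes: purge event, predicate, hash match.

    purged_on_normal_path is true only for dual_predicate_met. A safety_net_90d
    purge means a recipient never fetched the document, which a reviewer should
    examine separately rather than treat as routine.
    """
    ev = find_purge_event(export_text, envelope_id)
    return {
        "buffer_purged": ev is not None,
        "purged_at": ev["timestamp"] if ev else None,
        "predicate": ev["predicate"] if ev else None,
        "purged_on_normal_path": bool(ev) and ev.get("predicate") == "dual_predicate_met",
        "file_matches_anchor": file_matches_anchor(file_bytes, anchored_hex),
    }


if __name__ == "__main__":
    print(json.dumps(verify_zero_custody(SAMPLE_EXPORT, ENVELOPE_ID,
                                         SIGNED_FILE, ANCHORED_SHA256), indent=2))
```

To run it against a real envelope, replace SAMPLE_EXPORT with the contents of your exported audit log, SIGNED_FILE with the bytes fetched from your storage provider, and ANCHORED_SHA256 with the digest recorded in the Solana anchor for that envelope. A result where buffer_purged is true but purged_on_normal_path is false tells the reviewer the envelope hit the 90-day ceiling without every recipient fetching it.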
Need the compliance details?
The full compliance walkthrough — SOC 2 control mapping, HIPAA §164.312 technical safeguards, eIDAS tier statement — lives in our enterprise compliance guides.
Download the guides