Trust centre
Plain answers about our security, privacy and legal posture.
Architected against OWASP ASVS and OWASP Top 10. Designed to support SOC 2 Type II, ISO 27001, ISO 27701 and HIPAA-ready deployments. Final certifications listed as they are achieved.
Security
Defence in depth, by default.
- Argon2id password hashing
- TOTP MFA with single-use recovery codes
- OIDC SSO with encrypted client secrets
- API keys (scoped, IP allow-listable, argon2id-hashed)
- HMAC-signed webhooks with retry + replay protection
- AES-256-GCM at rest with optional AWS KMS envelope encryption
- SHA-256 hash-chained audit log
- Login + MFA + API brute-force lockout
- OWASP ASVS L2 and Top 10 reviewed
- SAML 2.0 SSO (roadmap)
- WebAuthn / FIDO2 hardware keys
- SCIM 2.0 user provisioning
- GCP KMS / Azure Key Vault providers
- Annual third-party penetration test (roadmap)
Compliance
Built so we can certify, then certified.
SOC 2 Type II
Architected, on the roadmap
ISO 27001
Architected
ISO 27701
Architected
GDPR
Operational controls in place
HIPAA + BAA
Workflow + BAA template available
PCI DSS (payment fields)
Scoped, on the roadmap
CSA STAR
Self-assessment on the roadmap
eIDAS / ESIGN / UETA
Configurable per tenant
Privacy
Customer data is processed, not exploited.
We process customer documents and audit data solely to deliver the service. We do not sell customer data, and we do not use customer documents to train external AI models. Sub-processors are listed below.
- Right to access and export
- Right to deletion (subject to legal hold)
- Configurable retention periods
- Sub-processor change notifications
- GDPR Data Processing Agreement available
- Privacy dashboard for admins (roadmap)
- Cryptographic erasure on key rotation (roadmap)
- PII detection and redaction tooling (roadmap)
Read the full Privacy Policy and Data Processing Agreement. Both are currently drafts pending counsel review.
Encryption
Strong defaults, customer-controlled keys.
In transit
TLS 1.2+ at the load balancer; HSTS recommended for production deployments.
At rest
AES-256-GCM via envelope encryption. Optional AWS KMS provider for KMS-wrapped DEKs.
Field-level
MFA secrets, OIDC client secrets and identity evidence encrypted with the same envelope before persistence.
Customer-managed keys
AWS KMS, GCP KMS and Azure Key Vault providers ship today. Bring your own key, rotate or revoke at any time.
Tamper-evidence
SHA-256 hash chain across every audit event, recomputable on demand from the compliance centre.
Trusted timestamping
TSA integration is on the roadmap; for now signing events are anchored to the audit chain.
Data residency
Choose where your documents live.
Available on Enterprise as a dedicated single-tenant deployment pinned to one of: Australia, United States, European Union, APAC. Backup region is selectable. Cross-region replication is opt-in.
Region selection is set at deployment time and cannot be changed without a documented migration. Standard multi-tenant plans run from our default region; talk to sales if data residency is a contractual requirement.
Sub-processors
Who we rely on, and why.
| Sub-processor | Purpose | Region |
|---|---|---|
| AWS / GCP / Azure | Compute, storage, KMS | Selectable per tenant |
| Postmark or AWS SES | Transactional email | US / EU |
| Datadog / Sentry | Observability and error tracking | US / EU |
| Persona | Government ID verification (add-on) | Per signer jurisdiction |
| QTSP partner (roadmap) | Qualified electronic signatures (eIDAS) | EU |
Incident response
Fast detection, faster disclosure.
Our incident response runbook follows a pager-first model. We commit to notifying affected customers within 72 hours of confirming a security incident impacting their data, with status updates every 24 hours until resolution and a written post-mortem within 14 days.
- 24x7 on-call rotation
- Pre-approved customer notification template
- Hash-chained audit log preserved through incident
- Tabletop exercises every six months
- Forensic snapshot capability with documented chain of custody
- Vulnerability disclosure programme published
Uptime + status
A public status page is on the way.
A public status page with historical uptime metrics will be published ahead of general availability. Uptime targets and any service credits are defined in customer master agreements rather than published here. Until the status page lands, customers can subscribe to incident notifications via the support channel in the agreement.
Penetration testing
External experts, every release cycle.
We are commissioning the first third-party penetration test ahead of public launch and will publish the summary letter (under NDA) once available. Subsequent tests are scheduled at least annually plus around significant releases, with remediation tracked in our internal backlog under severity-bound SLAs.
Business continuity
Backups, restores and DR drills.
Customer data is backed up with point-in-time recovery for at least 35 days. We run quarterly disaster recovery drills with documented RTO and RPO targets. Backup region is configurable per tenant.
Legal validity
Designed for global e-signature law.
SignMeHere produces standard and advanced electronic signatures today. Qualified electronic signatures are on the roadmap via a QTSP partner. Workflows can be configured to satisfy ESIGN, UETA, eIDAS Articles 25-26, UK e-signature requirements and the Australian Electronic Transactions Act. Final legal weight depends on document type, jurisdiction and signer behaviour. Customers should retain qualified counsel for high-value or regulated agreements.
Responsible AI
AI assists, never overrides.
- AI does not modify documents without an explicit user action
- AI outputs are clearly labelled as suggestions
- AI does not provide legal advice
- AI activity is recorded in the audit trail
- Customer documents are not used to train external models
- Enterprise admins can disable AI globally
