
Trust centre

Plain answers about our security, privacy and legal posture.

Designed against OWASP ASVS and OWASP Top 10. Defence-in-depth controls across authentication, encryption, access and audit. Compliance certifications listed as they are achieved.

Security

Defence in depth, by default.

  • Argon2id password hashing
  • TOTP MFA with single-use recovery codes
  • OIDC SSO with encrypted client secrets
  • API keys (scoped, IP allow-listable, argon2id-hashed)
  • HMAC-signed webhooks with retry + replay protection
  • AES-256-GCM at rest with optional AWS KMS envelope encryption
  • SHA-256 hash-chained audit log
  • Login + MFA + API brute-force lockout
  • Designed against OWASP ASVS and Top 10
  • SAML 2.0 SSO (roadmap)
  • WebAuthn / FIDO2 hardware keys
  • SCIM 2.0 user provisioning
  • GCP KMS / Azure Key Vault providers
  • Annual third-party penetration test (roadmap)

Compliance

Strong controls today, certifications over time.

In place today

Electronic signature law

Standard electronic signatures under ESIGN, UETA, the Australian and UK Electronic Transactions Acts and eIDAS Article 25.1.

GDPR

Operational controls in place, with a Data Processing Agreement available.

Tamper-evident evidence

SHA-256 hash-chained audit trail and a certificate of completion on every completed document.

Encryption & key control

AES-256-GCM at rest, TLS in transit, and optional customer-managed keys (AWS, GCP, Azure).

Data subject rights

Access, export and deletion (subject to legal hold) with configurable retention periods.

Sub-processor transparency

Sub-processors listed publicly, with at least 30 days' notice of any change.

Certifications on our roadmap

SOC 2 Type II

Controls designed; independent audit on the roadmap.

ISO 27001 / 27701

Controls designed to ISO principles; certification on the roadmap.

PCI DSS (payment fields)

Scoped; on the roadmap.

CSA STAR

Self-assessment on the roadmap.

HIPAA

Not currently offered — would require a BAA and risk assessment.

Privacy

Customer data is processed, not exploited.

We process customer documents and audit data solely to deliver the service. We do not sell customer data, and we do not use customer documents to train external AI models. Sub-processors are listed below.

  • Right to access and export
  • Right to deletion (subject to legal hold)
  • Configurable retention periods
  • Sub-processor change notifications
  • GDPR Data Processing Agreement available
  • Privacy dashboard for admins (roadmap)
  • Cryptographic erasure on key rotation (roadmap)
  • PII detection and redaction tooling (roadmap)

Read the full Privacy Policy and Data Processing Agreement. Both are currently drafts pending counsel review.

Encryption

Strong defaults, optional managed keys.

In transit

TLS 1.2+ at the load balancer; HSTS recommended for production deployments.

At rest

AES-256-GCM via envelope encryption. Optional AWS KMS provider for KMS-wrapped DEKs.

Field-level

MFA secrets, OIDC client secrets and identity evidence encrypted with the same envelope before persistence.

Customer-managed keys

AWS KMS, GCP KMS and Azure Key Vault providers are available for field-level secrets. Document-level BYOK encryption is on the roadmap.

Tamper-evidence

SHA-256 hash chain across every audit event, recomputable on demand from the compliance centre.

Trusted timestamping

TSA integration is on the roadmap; for now signing events are anchored to the audit chain.

Data residency

Choose where your documents live.

Data residency options are on the Enterprise roadmap. The platform currently runs from a single deployment region. Per-tenant region pinning and backup region selection are planned for dedicated Enterprise deployments.

Standard plans run from our default region. Talk to sales if data residency is a contractual requirement for your use case.

Sub-processors

Who we rely on, and why.

| Sub-processor | Purpose | Region |
|---|---|---|
| Railway | Compute, managed PostgreSQL database and primary document storage | Single region |
| Cloudflare R2 | Automated off-volume encrypted backup of documents | Region-configurable |
| Resend | Transactional email delivery | US |
| Stripe | Payment processing for paid plans | US |
| Sentry | Error monitoring — engaged only when error reporting is enabled for the deployment | US |
| Persona | Government ID / identity verification — optional, only when a sender enables it | Per signer jurisdiction |
| QTSP partner — roadmap, not yet engaged | Qualified electronic signatures (eIDAS) — not currently offered | EU |

Primary documents are stored on the compute provider's managed volume, with automated off-volume encrypted backups to Cloudflare R2 (a separate cloud provider) for durability. ClamAV malware scanning runs as our own internal service, not a third-party processor. We notify subscribed customers of sub-processor changes at least 30 days in advance.

Incident response

Fast detection, faster disclosure.

We commit to notifying affected customers within 72 hours of confirming a security incident impacting their data, with status updates until resolution and a written post-mortem.

  • Customer notification within 72 hours of confirmed breach
  • Hash-chained audit log preserved through incident
  • Pre-approved customer notification template
  • Vulnerability disclosure programme (roadmap)
  • 24x7 on-call rotation (roadmap)
  • Tabletop exercises (roadmap)

Uptime + status

A public status page is on the way.

A public status page with historical uptime metrics will be published ahead of general availability. Uptime targets and any service credits are defined in customer master agreements rather than published here. Until the status page lands, customers can subscribe to incident notifications via the support channel in the agreement.

Penetration testing

Independent validation planned.

We are commissioning the first third-party penetration test ahead of public launch and will publish the summary letter (under NDA) once available. Subsequent tests are scheduled at least annually plus around significant releases, with remediation tracked in our internal backlog under severity-bound SLAs.

Business continuity

Backups and recovery planning.

Managed PostgreSQL backups cover database recovery, and completed documents are backed up off-volume to a separate cloud provider (Cloudflare R2) on a daily schedule, with restores tested. Disaster recovery drills with documented RTO and RPO targets are on the operational roadmap, and formal DR exercises have not yet been conducted.

AI policy

No AI features are active today.

SignMeHere does not currently use AI to process, modify or analyse customer documents. Customer data is not used to train external AI models. If AI-assisted features are introduced in future, they will be clearly labelled, auditable and controllable by organisation administrators.