Enterprise-Grade Security

Your documents deserve more than a padlock icon

SignOS is built with security as a first principle — not an afterthought. From encryption key management to court-admissible audit certificates, here is exactly what we do to protect your documents and your signers.

Three layers of protection

Defense in depth — at rest, in transit, and at every action.

Encryption at Rest

AES-256-GCM

Every document, signature, and audit trail stored on SignOS is encrypted using AES-256-GCM. Encryption keys are managed via an envelope-encryption model with hardware-backed root keys — documents are never stored in plaintext.

Encryption in Transit

TLS 1.3

All data in transit between your browser, our API, signers, and WhatsApp delivery channels is protected by TLS 1.3 with HSTS enforced. Legacy TLS 1.0/1.1 and weak cipher suites are disabled at the network edge.

Immutable Audit Trail

SHA-256 + timestamps

Every action — document opened, field placed, signature captured, download requested — is cryptographically hashed and appended to an immutable audit log. The audit certificate PDF is signed with our root certificate and cannot be altered after generation.

Compliance & certifications

Built for the regulatory realities of India and Southeast Asia.

SOC 2 Type II: Audit in progress

Our controls for security, availability, and confidentiality follow the AICPA Trust Services Criteria. The SOC 2 Type II audit report is expected in Q3 2026.

GDPR: Compliant

We process personal data lawfully under the GDPR. DPAs are available for EU/EEA customers and data processing is governed by standard contractual clauses.

IT Act 2000: Compliant

Signatures produced by SignOS satisfy the requirements of India's Information Technology Act 2000 and the IT (Amendment) Act 2008 for electronic signatures.

PDPA (Singapore): Compliant

SignOS complies with Singapore's Personal Data Protection Act 2012. Data residency options are available for Singapore-based customers.

Audit Certificate

Court-admissible proof. Every time.

Every completed document automatically generates a PDF audit certificate. It contains a complete chain of custody — from the moment you uploaded the document to the instant the last signer tapped Sign. Admissible in Indian courts under IT Act 2000 and in Singapore under the Electronic Transactions Act.


Certificate contains

  • Document SHA-256 hash (pre- and post-signature)
  • Signer full name and email address
  • IP address and geolocation at time of signing
  • Device type, OS, and browser fingerprint
  • ISO 8601 timestamp (UTC) of each action
  • WhatsApp message delivery and read receipts
  • Unique document envelope ID
  • SignOS certificate authority signature

Infrastructure you can trust

Best-in-class providers chosen for security, reliability, and regional data sovereignty.

Neon PostgreSQL

Serverless PostgreSQL with point-in-time recovery, automated daily backups, and branch-level isolation. Data at rest is encrypted by the provider using AES-256.

Cloudflare R2

Object storage for documents and audit certificates. R2 enforces server-side AES-256 encryption and never egresses data through Cloudflare's network unencrypted.

Vercel Edge Network

Application delivery via Vercel's global edge network with automatic TLS certificate management, DDoS protection, and zero-downtime deployments.

Security for developers

Every integration point is hardened by design.

API Key Security

API keys are SHA-256 hashed before storage. The plaintext key is shown exactly once at creation and never retrievable after that — similar to how GitHub personal access tokens work.

Webhook HMAC Signatures

Every outbound webhook payload is signed with HMAC-SHA256 using a per-endpoint secret. Verify the X-SignOS-Signature header in your receiver to prevent spoofed events.
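A receiver-side check for the signed webhooks described above, as an added example that is not SignOS code. It assumes the X-SignOS-Signature header carries the hex-encoded HMAC-SHA256 of the raw request body; the page does not state the encoding, so confirm it against the API documentation. The secret, event name and envelope ID are constructed.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-SignOS-Signature"  # header name as given on this page


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header matches the MAC of the exact bytes received."""
    # HTTP header names are case-insensitive, so look the header up that way.
    received = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not received:
        return False  # unsigned requests are rejected, never passed through
    expected = compute_signature(secret, raw_body)
    # compare_digest runs in constant time; comparing bytes avoids a TypeError
    # when an attacker sends a non-ASCII header value.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_event(secret: bytes, raw_body: bytes, headers: dict):
    """Verify first, parse second: untrusted JSON is never parsed before the MAC check."""
    if not verify_webhook(secret, raw_body, headers):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample data (hypothetical secret, event name and envelope ID).
SECRET = b"constructed-per-endpoint-secret"
BODY = b'{"event":"document.completed","envelope_id":"env_constructed_123"}'
HEADERS = {"x-signos-signature": compute_signature(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_event(SECRET, BODY, HEADERS))                  # accepted
    print(handle_event(SECRET, BODY.replace(b"123", b"999"), HEADERS))  # rejected
```

Verify against the bytes exactly as they arrived: a body that has been parsed and re-serialized by a framework will generally not reproduce the same MAC.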

OTP & Password Hashing

One-time passwords are hashed with bcrypt (cost factor 12) before storage. Passwords are hashed with Argon2id. Neither is ever logged or transmitted in plaintext.

Rate Limiting

All API endpoints enforce per-key and per-IP rate limits at the Cloudflare edge before requests reach application servers. Limits reset on a rolling 60-second window.

Found a security issue?

We take vulnerability reports seriously. Please email security@signos.io with a description and reproduction steps. We will respond within 48 hours and coordinate a responsible disclosure timeline with you.

Read our disclosure policy