How we protect your documents.

Security is not an add-on. Here is how ZSign keeps your data safe.

Encryption

  • All data in transit is encrypted with 256-bit TLS (version 1.2 or later).
  • All data at rest is encrypted with AES-256 by our managed cloud database tier.
  • OAuth tokens (Salesforce, HubSpot, Google) are encrypted with AES-256-GCM in our database — even an exfiltrated DB dump leaks no usable credentials.
  • API keys are hashed with SHA-256 before storage. The plaintext key is shown exactly once at creation and never stored.

Legal compliance

  • ZSign signatures comply with the US ESIGN Act and UETA, which give electronic signatures the same legal standing as handwritten ones.
  • EU users: ZSign signatures qualify as Basic Electronic Signatures under eIDAS Art. 25 §1 — admissible as evidence of valid execution. Advanced and Qualified Electronic Signatures (eIDAS AES/QES) are on our roadmap.
  • Every signature carries a Certificate of Completion citing ESIGN §§7001/7006 and UETA §§7/9/12, exportable for legal discovery.
  • Electronic Records Consent Disclosure (ERCD) is captured before any signature, with the disclosed version logged into the audit trail.

Tamper-evident audit trail

  • Every signature event records the signer's IP address, timestamp, user agent, and signing method (draw / type / upload).
  • Every audit-log row carries a SHA-256 hash chained to the previous row's hash. Removing or modifying ANY past event breaks the chain — tampering is detectable, not just suspected.
  • The final signed PDF's bytes are hashed at delivery time. A nightly job re-fetches the artifact and re-computes the hash; bit-rot or silent corruption raises an alert before the next signer sees the doc.
  • The full audit trail is exportable as a byte-deterministic evidence bundle (manifest + audit-log JSONL + attestation + Certificate of Completion) — the same shape your counsel can drop into a discovery request.
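
How a hash-chained audit log exposes edits, deletions and truncation, as an added sketch that is not ZSign's code. The row layout, the canonical JSON encoding and the all-zero genesis value are assumptions; the event fields are the ones listed above, filled with constructed values.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first row (not from the page)

def row_hash(prev_hash, event):
    """SHA-256 over the previous row's hash plus a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()

def append(log, event):
    """Append an event, chaining it to the last row's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": row_hash(prev, event)})

def verify(log, expected_head=None):
    """Return (ok, index_of_first_bad_row, reason)."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev"] != prev:
            return False, i, "row does not link to its predecessor"
        if row_hash(row["prev"], row["event"]) != row["hash"]:
            return False, i, "row contents do not match stored hash"
        prev = row["hash"]
    # Dropping the tail, or rewriting a row and re-hashing everything after it,
    # leaves an internally valid chain; only a head hash kept outside the log
    # reveals that.
    if expected_head is not None and prev != expected_head:
        return False, len(log), "chain head differs from recorded head"
    return True, None, "ok"

def sample_log():
    """Three constructed signature events."""
    log = []
    for n, method in enumerate(["draw", "type", "upload"]):
        append(log, {"ip": f"203.0.113.{n + 1}", "ts": f"2024-01-01T00:00:0{n}Z",
                     "user_agent": "ExampleBrowser/1.0", "method": method})
    return log

if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]
    print(verify(log, head))              # intact chain
    log[1]["event"]["method"] = "draw"    # modify a past event
    print(verify(log, head))              # first bad row is index 1
```

The chain by itself only proves internal consistency, so the head hash has to be recorded somewhere the log's writer cannot also rewrite.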

Data hosting & durability

  • ZSign runs on enterprise-grade managed cloud infrastructure with row-level security enforcing tenant isolation. User A's documents are not reachable from User B's session, ever.
  • File storage uses S3-compatible object storage. Signed documents land in a WORM (write-once-read-many) Object Lock compliance-mode bucket — no one (including ZSign operators) can delete or overwrite them for 7 years.
  • Lifecycle policies are defined as code: signed-PDF retention, version-history pruning, and audit-log archival are version-controlled, peer-reviewed, and applied via deploy — not configured by hand in someone's console.
  • All infrastructure is served over HTTPS with HSTS enabled (Strict-Transport-Security).

Continuous security discipline

  • Every outbound HTTP fetch is routed through an SSRF guard, which defends against cloud-metadata-endpoint exfiltration even when an authenticated user controls the URL. This is enforced by a CI guard that fails the build if a raw fetch is added.
  • Every unauthenticated endpoint is rate-limited (login, public signing links, webhook receivers, OAuth callbacks). Coverage is enforced by a CI guard that audits every route on every PR.
  • OAuth flows are pinned to PKCE + cryptographically-random single-use state + redirect-uri allowlist. Tokens at rest are encrypted (above). Invariants are pinned by 42 test cases that block regressions.
  • Multi-tenant data-leak boundary is enforced by a static guard that fails the build if any new CRUD route reads or writes an org-scoped table without filtering by organization_id.
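
What an SSRF guard of the kind described in the first bullet has to check before a fetch, as an added sketch that is not ZSign's implementation. The function names and the offline name-to-address table are hypothetical and constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _resolve(host, port):
    """Default resolver: every address the host name maps to."""
    return {i[4][0] for i in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)}

def check_outbound_url(url, resolve=_resolve):
    """Return the vetted IPs for url, or raise ValueError.

    The caller should connect to one of the returned IPs instead of resolving
    the name again (otherwise a DNS change between check and fetch bypasses
    the guard) and should re-run the check on every redirect hop.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    vetted = []
    for addr in resolve(parts.hostname, port):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
        # Reject loopback, private, link-local (which covers the cloud
        # metadata address 169.254.169.254), reserved and multicast ranges.
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{parts.hostname} resolves to non-public address {ip}")
        vetted.append(str(ip))
    if not vetted:
        raise ValueError("host did not resolve")
    return vetted

# Constructed name-to-address table so the example runs offline (hypothetical hosts).
FAKE_DNS = {"files.example.com": ["93.184.216.34"],
            "mixed.example.net": ["93.184.216.34", "169.254.169.254"]}

def fake_resolve(host, port):
    """Offline stand-in resolver: table lookup, literal IPs pass through."""
    return FAKE_DNS.get(host, [host])
```

A single non-public address among several is enough to reject the host, since the guard cannot know which record the HTTP client would pick.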

Trust & transparency

In progress

SOC 2 Type II

Audit in preparation. We're putting the evidence-collection automation in place and will engage a CPA firm before pursuing the Type I attestation. Buyers in regulated industries: ask for the latest controls matrix at security@getzsign.com.

In place

Responsible disclosure

security@getzsign.com — we acknowledge within 1 business day, triage in 5, and credit the reporter in our changelog (with consent). No bug-bounty program yet, but we'll discuss case-by-case.

In place

Data Processing Agreement (DPA)

Standard DPA available for any paid customer. Review the current DPA template or request a counter-signed copy via support.

In place

Multi-tenant isolation

Database-level row security enforces tenant boundaries. A static CI guard fails the build if any new CRUD route reads or writes an organization-scoped table without filtering by tenant — the canonical multi-tenant data-leak class. Every org-scoped table in the schema is under this guard.

Planned

Status page

Public uptime + incident history page is being set up. Until it's live, subscribe to security@getzsign.com for incident updates — we'll publish a post-mortem within 5 business days of any user-impacting incident.

In place

Sub-processors list

Disclosed in the Data Processing Agreement and on request to security@getzsign.com. Customers are notified at least 30 days before any sub-processor change.

Questions about security?

We are happy to answer any questions about how we handle your data, provide a DPA on request, or discuss your compliance requirements.

security@getzsign.com