Security
How we protect your documents and data
Infrastructure
SignovaX runs on industry-leading cloud infrastructure designed for security and reliability.
- Hosting: Vercel (SOC 2 Type II compliant) with automatic global CDN and DDoS protection.
- Database: Neon PostgreSQL (SOC 2 Type II compliant) with encryption at rest and automated backups.
- File storage: Vercel Blob with private access controls. Uploaded documents are never publicly accessible.
- Payments: LemonSqueezy (Merchant of Record) handles all payment processing. SignovaX never stores credit card information.
Encryption
All data is encrypted both in transit and at rest.
- In transit: All connections use TLS 1.2+ (HTTPS). No unencrypted traffic is accepted.
- At rest: Database and file storage are encrypted using AES-256 by our infrastructure providers.
- Passwords: User passwords are hashed with bcrypt and never stored in plain text.
Document Integrity
Every signed document is protected with a cryptographic integrity hash to ensure it has not been modified after signing.
- SHA-256 hash: When all parties sign a document, SignovaX generates the final PDF, calculates its SHA-256 hash, and stores it in the database.
- Independent copies: The hash is sent to all parties (sender and every signer) via email, creating independent records that no single party can alter.
- Public verification: Anyone can verify a signed PDF at /verify by uploading the file. SignovaX recalculates the hash and compares it to the stored original.
- Stored originals: The final signed PDF is stored securely and served as-is on download, ensuring the file you receive is identical to the one that was hashed.
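The verification step described above, as an added example (not SignovaX's own code): it recomputes the SHA-256 of an uploaded file and compares it with the stored hash in constant time. The PDF bytes, the `sha256:` prefix tolerance and the result shape are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the final signed PDF (not a real SignovaX file; the
# bytes are only shaped like a PDF, ending with the trailer and %%EOF marker).
FINAL_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"% ... content pages and the Audit Trail Certificate page ...\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def document_hash(pdf_bytes: bytes) -> str:
    """SHA-256 of the exact bytes of the final PDF, as lowercase hex."""
    return hashlib.sha256(pdf_bytes).hexdigest()

@dataclass
class VerifyResult:
    ok: bool
    reason: str

def verify_document(uploaded: bytes, stored_hex: str) -> VerifyResult:
    """Recompute the hash of the uploaded file and compare with the stored one.

    The stored value may come from the database or from the hash a party received
    by email, so tolerate the formatting differences a human copy introduces
    (case, surrounding whitespace, an assumed 'sha256:' prefix)."""
    expected = stored_hex.strip().lower().removeprefix("sha256:")
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return VerifyResult(False, "stored hash is not a valid SHA-256 hex digest")
    actual = document_hash(uploaded)
    # compare_digest avoids leaking the match position through timing on a public endpoint
    if hmac.compare_digest(actual, expected):
        return VerifyResult(True, "hash matches stored original")
    return VerifyResult(False, "hash mismatch: file differs from the signed original")

# A PDF "incremental update" appends new objects and a second %%EOF without touching
# the earlier bytes; viewers still open the file, but it is no longer the signed file.
TAMPERED_PDF = FINAL_PDF + b"3 0 obj << /Annots [] >> endobj\ntrailer << /Prev 0 >>\n%%EOF\n"

if __name__ == "__main__":
    stored = document_hash(FINAL_PDF)  # what would be stored in the database and emailed
    print(verify_document(FINAL_PDF, stored))                      # ok=True
    print(verify_document(TAMPERED_PDF, stored))                   # ok=False
    print(verify_document(FINAL_PDF, "SHA256:" + stored.upper()))  # ok=True (normalised)
```

Because the hash covers every byte, the "served as-is" guarantee matters: any re-save, even one that leaves the visible pages unchanged, produces a different digest and fails verification.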
Audit Trail
Every document includes a complete, tamper-evident audit trail that records every action from creation to final signature.
- Tracked events: Document creation, signer email delivery, document viewed, signature submitted, document completed.
- Recorded data: Timestamps (UTC), IP addresses, and user agent strings for every event.
- Embedded certificate: The signed PDF includes an Audit Trail Certificate as the final page, providing a self-contained record of the signing process.
- Signer identity: Signers are identified by email address and verified through unique, single-use signing links.
Access Controls
- Authentication: Email and password with mandatory email verification for all accounts.
- Document access: Only the document owner and designated signers can access a document. Signers receive unique, single-use tokens.
- No shared access: Signers do not need to create an account. Their access is limited to the specific document they were invited to sign.
- Session management: Secure, HTTP-only session tokens with automatic expiration.
Legal Compliance
SignovaX electronic signatures are designed to comply with major e-signature laws worldwide.
- ESIGN Act (United States): Electronic signatures are legally valid for most contracts and agreements.
- eIDAS Regulation (European Union): SignovaX supports Simple Electronic Signatures (SES) as defined under eIDAS.
- GDPR: User data is processed in accordance with the General Data Protection Regulation. Users can request data export or deletion at any time.
The audit trail — including timestamps, IP addresses, email verification, and the complete sequence of signing events — provides the evidentiary foundation required by these laws.
Error Monitoring
SignovaX uses Sentry for real-time error tracking and performance monitoring. Sentry may process minimal technical data (error messages, stack traces, browser information) to help us identify and fix issues. No document content or personal data is sent to Sentry.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@signovax.com. We take all reports seriously and will respond promptly.
Questions
For security-related questions, contact us at security@signovax.com.