Security-first architecture

Security at ContractSign

Your contracts contain sensitive business information. We built ContractSign with security at every layer — from encryption and access control to audit logging and compliant infrastructure.

Encryption

All data is encrypted both in transit and at rest to protect your contracts and personal information.

TLS encryption on every connection — no unencrypted traffic
Strict Transport Security (HSTS) enforced with long-duration policy
Passwords hashed with bcrypt using adaptive cost factors

Authentication & access

Multiple authentication methods with role-based access control to ensure only authorized users can access your data.

Email-based authentication with secure session management
SMS OTP verification for contract signing
API key authentication with SHA-256 hashed storage
Role-based access control (owner, admin, member) per organization
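As an added example (not ContractSign's own code), the hashed API-key storage described above can be implemented like this: the service persists only the SHA-256 digest of each key, the digest doubles as the lookup index, and the plaintext is returned exactly once at issuance. The `csk_` prefix, the organization ids and the in-memory table are assumptions standing in for the real database.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-in for the API-key table: digest -> organization id.
# The plaintext key is never written anywhere; only its digest is stored.
_KEY_TABLE: Dict[str, str] = {}


def hash_api_key(api_key: str) -> str:
    """A fast, unsalted SHA-256 is acceptable here because the key carries 256 bits
    of randomness and cannot be brute-forced from its digest. Low-entropy passwords
    need an adaptive hash such as bcrypt instead (see the Encryption section)."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(org_id: str) -> str:
    """Generate a key, persist only its digest, and return the plaintext once.
    The 'csk_' prefix is an assumption; it lets logs and scanners recognise the format."""
    api_key = "csk_" + secrets.token_urlsafe(32)
    _KEY_TABLE[hash_api_key(api_key)] = org_id
    return api_key


def revoke_api_key(api_key: str) -> bool:
    """Revocation works from the digest alone, so a leaked plaintext can be
    invalidated without the service ever holding it. Returns False if unknown."""
    return _KEY_TABLE.pop(hash_api_key(api_key), None) is not None


def authenticate(presented_key: str) -> Optional[str]:
    """Resolve a presented key to its organization, or None if it is unknown or revoked.
    Because the hash is deterministic, the digest itself is the lookup key, which is
    what makes an unsalted scheme practical for a database query (WHERE key_hash = ?)."""
    return _KEY_TABLE.get(hash_api_key(presented_key))
```

A stored-digest scheme means a database dump exposes no usable keys, but the plaintext must be shown to the user at issuance because it cannot be recovered later.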

Audit trail

Every action on a contract is recorded with an immutable audit trail for compliance and accountability.

Timestamped entries for creation, viewing, signing, and sealing
IP address and user agent captured for each action
Authentication method and evidence recorded per signature

Document integrity

Signed contracts are sealed with tamper-evident certificates that prove document authenticity.

Signed PDFs include a certificate page with full audit evidence
Document hash verification to detect any post-signing modifications
Original and signed versions stored separately and immutably

Infrastructure

Deployed on a global edge network with enterprise-grade reliability and data residency controls.

Edge computing with automatic DDoS protection and traffic filtering
EU-based database with encrypted connections and daily backups
Rate limiting on all endpoints to prevent abuse

Security headers

Every response includes hardened security headers to protect against common web vulnerabilities.

Content-Type sniffing prevention (X-Content-Type-Options)
Clickjacking protection (X-Frame-Options)
XSS filtering enabled on all pages
Strict referrer policy to prevent information leakage

GDPR & compliance

Built for European data protection standards from day one. Your data rights are respected by design, not as an afterthought.

GDPR-compliant data processing with lawful basis for every operation
Data stored in the EU with clear retention policies
Right to access, rectify, and delete your personal data
Multi-tenant isolation — organizations cannot access each other's data
Minimal data collection — we only store what is necessary for the service
Transparent sub-processor list available on request

Responsible disclosure

Found a vulnerability? We take security reports seriously. Please reach out to our security team and we will respond promptly.

security@contractsign.net