Security & Compliance

Your Data Is Our Responsibility

SignShield is built from the ground up to protect sensitive waiver data. Every signature, video, and document is encrypted, isolated, and auditable.

256-bit AES Encryption
TLS 1.2+ In Transit
Row-Level Data Isolation
Full Audit Trail

Encryption & Isolation

Your waiver data is encrypted at every stage and completely isolated from other tenants.

Encryption at Rest

All stored files are encrypted using AWS KMS with AES-256 server-side encryption.

  • Signatures, videos, and PDFs encrypted with SSE-KMS
  • AWS-managed or customer-managed KMS keys
  • Archived waivers encrypted in Glacier Deep Archive

Encryption in Transit

All data transmitted between your browser and our servers is protected by TLS.

  • TLS 1.2+ enforced on all connections
  • HTTPS-only with automatic redirects
  • Secure cookies with SameSite and HttpOnly flags

Multi-Tenant Data Isolation

Every tenant's data is completely isolated at the database level.

  • Row-level tenancy with scoped queries
  • Automatic tenant filtering on all database operations
  • No shared data between organizations

Access Controls

Granular role-based permissions control who can access what within your organization.

  • Three roles: Owner, Admin, Staff
  • Token-based signing links (64-char, 30-day expiry)
  • Email verification on public signing links

Verification & File Security

Multiple layers of validation ensure only legitimate, unaltered content enters the system.

Video Verification

Video consent creates irrefutable proof that the actual signer read and agreed to your terms.

  • Signer states name and consent on camera
  • Video stored alongside signed waiver as evidence
  • Prevents claims of "I didn't understand" or identity fraud

File Validation

Uploaded files are validated at multiple levels before being accepted into the system.

  • MIME type validated from file magic bytes, not extension
  • Server-side file size enforcement (configurable limits)
  • Content type allowlisting per attachment field

Data Lifecycle & Infrastructure

Configurable retention policies and hardened infrastructure protect data throughout its lifecycle.

Data Retention & Archival

Waiver data follows a transparent lifecycle from active use through permanent deletion.

  • Configurable retention: 3, 5, 7, or 10 years
  • Automatic archival to encrypted Glacier Deep Archive
  • On-demand restoration with temporary access windows
  • Permanent deletion with full audit trail

Infrastructure Security

Every layer of the stack is configured to minimize attack surface and prevent abuse.

  • Private S3 buckets with no public access
  • CSRF, XSS, and clickjacking protections enabled
  • Rate limiting on signing and verification endpoints
  • Stripe webhook signature verification

Compliance Readiness

Built with regulatory requirements in mind, so you're ready when compliance matters.

Audit Logging

Every security-relevant action is recorded with timestamp, user, IP, and context. Logs are immutable and viewable in the admin dashboard.

GDPR Ready

Data subject rights are supported: access, portability, and erasure. Configurable retention periods ensure data isn't kept longer than needed.

Legal Acceptance Tracking

Terms of Service and Privacy Policy acceptance is recorded with version, timestamp, and IP address for every user.

Questions About Security?

We're happy to discuss our security practices in detail.