Trust Center
CertaintySign is built on a foundation of security, privacy, and compliance. Learn how we protect your data and maintain the highest standards of trust.
Compliance Certifications & Legal Frameworks
- SOC 2 Type II: annual third-party audit of security, availability, and confidentiality controls
- HIPAA: healthcare data protection, with a Business Associate Agreement (BAA) available
- GDPR: European data protection and privacy requirements
- ESIGN Act & UETA: the US legal framework for electronic signatures
- eIDAS: the EU regulation for electronic identification and trust services
Security Architecture
Encryption at Rest
All data at rest is encrypted with AES-256. Database fields containing sensitive information are additionally encrypted at the application layer with customer-specific keys, so access to the storage layer alone does not expose their contents.
Encryption in Transit
All data transmitted between clients and servers uses TLS 1.3, whose key exchange is always ephemeral and therefore provides forward secrecy. We enforce HSTS, offer only modern cipher suites, and maintain an A+ rating for our TLS configuration on Qualys SSL Labs.
Key Management
Encryption keys are managed through AWS KMS with automatic rotation. Customer data encryption keys are unique per tenant and never stored alongside encrypted data.
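The per-tenant key hierarchy described under Encryption at Rest and Key Management, as an added illustration of the envelope-encryption pattern and not CertaintySign's own code: each tenant has a key-encryption key (KEK) that never leaves the key service, every stored field gets its own data-encryption key (DEK) wrapped under that KEK, and rotating the KEK re-wraps DEKs without touching ciphertext. The `KeyService` class is an assumed stand-in for AWS KMS, the `encrypt_field`/`decrypt_field`/`rewrap_field` helpers are hypothetical, and the AEAD is an HMAC-SHA256 encrypt-then-MAC construction chosen so the file runs on the Python standard library alone; a production system would use AES-256-GCM through the KMS SDK instead.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode; stands in for AES-CTR.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
    return out[:length]


def aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC with the AAD bound into the tag; returns nonce||ct||tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, struct.pack(">Q", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag (constant time) before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, struct.pack(">Q", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Assumed stand-in for a KMS: tenant KEKs never leave this object."""

    def __init__(self):
        self._keks = {}     # (tenant_id, version) -> KEK bytes
        self._current = {}  # tenant_id -> current KEK version

    def create_tenant_key(self, tenant_id: str) -> None:
        self._current[tenant_id] = 1
        self._keks[(tenant_id, 1)] = secrets.token_bytes(32)

    def rotate(self, tenant_id: str) -> int:
        # New KEK version; old versions are kept so existing wrapped DEKs still open.
        version = self._current[tenant_id] + 1
        self._keks[(tenant_id, version)] = secrets.token_bytes(32)
        self._current[tenant_id] = version
        return version

    @staticmethod
    def _wrap_aad(tenant_id: str, version: int) -> bytes:
        # Binding tenant and key version into the wrap prevents cross-tenant unwrap.
        return f"tenant={tenant_id};kek_version={version}".encode()

    def generate_data_key(self, tenant_id: str):
        """Like KMS GenerateDataKey: fresh DEK plus a copy wrapped under the tenant KEK."""
        version = self._current[tenant_id]
        dek = secrets.token_bytes(32)
        wrapped = aead_seal(self._keks[(tenant_id, version)], dek, self._wrap_aad(tenant_id, version))
        return dek, wrapped, version

    def unwrap_data_key(self, tenant_id: str, wrapped: bytes, version: int) -> bytes:
        kek = self._keks.get((tenant_id, version))
        if kek is None:
            raise PermissionError(f"no KEK for {tenant_id} v{version}")
        return aead_open(kek, wrapped, self._wrap_aad(tenant_id, version))

    def rewrap_data_key(self, tenant_id: str, wrapped: bytes, old_version: int):
        """Re-wrap a DEK under the current KEK version; the DEK itself is unchanged."""
        dek = self.unwrap_data_key(tenant_id, wrapped, old_version)
        version = self._current[tenant_id]
        return aead_seal(self._keks[(tenant_id, version)], dek, self._wrap_aad(tenant_id, version)), version


def encrypt_field(kms: KeyService, tenant_id: str, field: str, plaintext: bytes) -> dict:
    """Envelope-encrypt one sensitive column value; the plaintext DEK is discarded afterwards."""
    dek, wrapped, version = kms.generate_data_key(tenant_id)
    aad = f"tenant={tenant_id};field={field}".encode()
    return {"tenant_id": tenant_id, "field": field, "kek_version": version,
            "wrapped_dek": wrapped, "ciphertext": aead_seal(dek, plaintext, aad)}


def decrypt_field(kms: KeyService, caller_tenant: str, rec: dict) -> bytes:
    """Unwrap with the caller's tenant key, so another tenant's record fails to open."""
    dek = kms.unwrap_data_key(caller_tenant, rec["wrapped_dek"], rec["kek_version"])
    return aead_open(dek, rec["ciphertext"], f"tenant={caller_tenant};field={rec['field']}".encode())


def rewrap_field(kms: KeyService, tenant_id: str, rec: dict) -> dict:
    """After a KEK rotation: replace only the wrapped DEK and version in the stored record."""
    wrapped, version = kms.rewrap_data_key(tenant_id, rec["wrapped_dek"], rec["kek_version"])
    return dict(rec, wrapped_dek=wrapped, kek_version=version)


def opens(kms: KeyService, caller_tenant: str, rec: dict) -> bool:
    """True if the record decrypts for this caller; any key or tag failure is False."""
    try:
        decrypt_field(kms, caller_tenant, rec)
        return True
    except (ValueError, PermissionError):
        return False
```

Two properties of the pattern are worth checking in your own deployment: a record wrapped for one tenant must not open under any other tenant's key even if the database rows are mixed up, and a KEK rotation must leave every existing ciphertext byte-for-byte unchanged while the stored wrapped DEK and key version move to the new version.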
Access Control
Role-based access control (RBAC) with principle of least privilege. All administrative access requires multi-factor authentication and is logged for audit purposes.
Network Security
Production infrastructure is isolated in private VPCs with network segmentation. A web application firewall (WAF) in front of the application filters common web attacks of the kinds catalogued in the OWASP Top 10, complementing (not replacing) secure coding and access control in the application itself.
Monitoring & Detection
24/7 security monitoring with automated threat detection. Security Information and Event Management (SIEM) correlates logs across all systems for anomaly detection.
Data Retention Policies
| Data Type | Retention Period | Description |
|---|---|---|
| Signed Documents | 7 years | Retained for legal compliance and audit trail integrity |
| Audit Logs | 7 years | Complete signing event history for legal defensibility |
| RON Session Recordings | 10 years | Video recordings per state notary regulations |
| Account Data | Duration of account + 90 days | Deleted upon account closure after grace period |
| System Logs | 1 year | Application and infrastructure logs for troubleshooting |
| Backup Data | 30 days | Point-in-time recovery backups with automatic expiration |
Penetration Testing & Audits
Testing Cadence
- Annual Penetration Tests: a third-party security firm conducts comprehensive penetration testing
- Quarterly Vulnerability Scans: automated scanning of all external-facing systems
- Continuous Dependency Monitoring: real-time alerts for vulnerable dependencies
- Bug Bounty Program: responsible disclosure program for security researchers
Audit Reports
Enterprise customers can request copies of our security audit reports under NDA. Reports include SOC 2 Type II, penetration test summaries, and compliance attestations.
Incident Response
Our incident response plan follows industry best practices and regulatory requirements. We maintain a dedicated security team available 24/7 to respond to potential incidents.
| Phase | Target Time | Description |
|---|---|---|
| Detection | < 15 minutes | Automated monitoring detects potential security incidents |
| Triage | < 1 hour | Security team assesses severity and impact |
| Containment | < 4 hours | Isolate affected systems and prevent spread |
| Notification | < 72 hours | Affected customers notified per regulatory requirements |
| Remediation | Varies | Root cause analysis and permanent fixes implemented |
| Post-Incident Review | Within 2 weeks | Lessons learned documented and controls improved |
Sub-processors
We carefully vet all third-party service providers and require them to maintain security standards equivalent to our own. All sub-processors are contractually bound to protect customer data.
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States | All customer data |
| Stripe | Payment processing | United States | Payment information |
| SendGrid | Transactional email delivery | United States | Email addresses, notification content |
| Twilio | SMS notifications and verification | United States | Phone numbers, SMS content |
| OpenAI | AI document analysis features | United States | Document content (opt-in only) |
HIPAA & Business Associate Agreements
CertaintySign offers HIPAA-compliant plans for healthcare organizations that handle protected health information (PHI). Our Business Associate Agreement (BAA) establishes the required safeguards and responsibilities for PHI protection.
BAA Coverage Includes:
- Administrative, physical, and technical safeguards
- Breach notification procedures
- Subcontractor compliance requirements
- PHI use and disclosure limitations
- Audit and compliance verification rights
Request a BAA
Healthcare organizations on our Healthcare or Enterprise plans can request a Business Associate Agreement. Contact our compliance team to initiate the process.
Security Questions?
Our security team is available to answer questions about our security practices, compliance certifications, or to discuss your organization's specific requirements.
