Encryption, tamper-evident PKCS#7 sealing, OTP identity verification, and an append-only audit trail — with signed documents and signer data stored in Canada.
See the architecture →Documents move over TLS and are stored encrypted. The signing link itself is a short-lived, single-envelope token — not a shared password.
Signers verify with an email one-time passcode (SMS optional), so the signing session is tied to a contactable identity, with a lockout after repeated failures.
A SHA-256 hash is captured on upload. The completed document is sealed with a service-level PKCS#7 digital signature, so any later byte change is detectable in any PDF reader.
Every event is written to a hash-chained log where each row depends on the one before it — tampering with any entry breaks the chain. UPDATE and DELETE are revoked at the database grant level.
Every query is scoped by application and tenant, so one customer’s documents can never surface in another’s account. Isolation is tested adversarially, not just on the happy path.
Signed documents and signer data are stored in Canada, with a configurable retention policy that purges the file while preserving the verifiable audit record.
Security is layered: TLS in transit and encryption at rest, short-lived tokenized signing links, OTP identity verification, a PKCS#7 seal that makes tampering detectable, and an append-only hash-chained audit log enforced at the database grant level. Data is stored in Canada.
Yes. Signed documents and signer data are stored in Canada, which simplifies privacy reviews for Canadian organizations and many public-sector procurement requirements. See the data residency page for details.
After all signers finish, the document is sealed with a service-level PKCS#7 digital signature covering the entire file. If a single byte changes afterward, the signature becomes invalid and standard PDF readers flag it. The integrity of the seal is verified by an automated mutation test.
Signers complete an email one-time-passcode challenge before signing (SMS OTP is available as an option). This ties each signing session to a contactable identity and is recorded in the audit trail.
Retention is configurable per tenant. After the retention window, the sealed PDF blob is purged from storage, but the document record and the hash-chained audit log are kept so the executed record stays verifiable.
No. Every data-access query is scoped by application and tenant. Cross-tenant isolation is a top-priority concern and is tested adversarially. Internal products that use GetSigned are treated as ordinary tenants, not special-cased.
Related: Security architecture · Secure document signing (overview) · Digital signature / PKCS#7 · Canadian data residency · Audit trail
Free to start. Encrypted, sealed, audit-logged, and stored in Canada.
Get started free →