UK-Hosted Infrastructure

Enterprise-Grade Security, Built for Trust

Your documents are protected by military-grade encryption, hosted exclusively in the UK, and backed by comprehensive compliance certifications.

Compliance & Certifications

Industry-leading compliance standards to protect your business and data.

GDPR Compliant

Full compliance with EU General Data Protection Regulation. Your data rights are protected with lawful processing, consent management, and data portability.

HIPAA Ready

Health Insurance Portability and Accountability Act safeguards for protected health information in medical and healthcare contracts.

PCI DSS

Payment Card Industry Data Security Standard compliance for secure handling of payment data during subscription and checkout processes.

ADA Compliant

Americans with Disabilities Act compliance ensuring our platform is accessible to all users, with WCAG 2.1 AA accessibility standards.

Security Architecture

How We Protect Your Data

Six layers of security, each independently audited and continuously monitored.

AES-256-GCM Encryption at Rest

Military-grade file encryption for every document

Every document uploaded to Signie is encrypted using AES-256-GCM before being written to disk. Each file gets a unique cryptographic nonce, ensuring that even identical files produce different ciphertext.

AES-256-GCM authenticated encryption for all stored files

Unique nonce per file prevents pattern analysis

Environment-isolated encryption keys with rotation support

Encrypted at rest — files are never stored in plaintext

Automatic encryption/decryption transparent to users

Authentication & Session Security

Multi-layered identity verification and session management

Passwords are hashed with bcrypt (work factor 12). JWT tokens use SHA-256 versioning for instant revocation. Sessions auto-expire after 30 minutes of inactivity with real-time activity tracking.

bcrypt password hashing with configurable work factor

SHA-256 token versioning for instant session revocation

Automatic session timeout after 30 minutes of inactivity

Secure cookie storage with SameSite strict policy

Two-factor authentication (2FA) support

Rate Limiting & DDoS Protection

Intelligent traffic management to prevent abuse

Every API endpoint has configured rate limits — login attempts are capped at 5 per minute, general API calls at 100 per minute. IP-based throttling and automatic lockout protect against brute-force and denial-of-service attacks.

Login: 5 attempts/minute with automatic lockout

API: 100 requests/minute per authenticated user

IP-based throttling prevents distributed attacks

Automatic temporary bans for suspicious activity

Real-time monitoring and alerting on anomalies
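The two limits quoted above (login 5/minute with lockout, API 100/minute per authenticated user), as an added example that is not Signie's code: a fixed-window counter per scope and key, an automatic lockout once the login window is exhausted, and a helper that turns the decision into a 429 with a Retry-After header. The 15-minute lockout length is an assumed value; time is passed in explicitly so the behaviour is deterministic.

```javascript
// Added example, not Signie's code: fixed-window rate limiter with lockout,
// using the limits the page quotes. Time is injected for deterministic behaviour.
const LIMITS = {
  login: { max: 5, windowMs: 60_000, lockoutMs: 15 * 60_000 }, // lockout length assumed
  api:   { max: 100, windowMs: 60_000, lockoutMs: 0 },
};

class RateLimiter {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.buckets = new Map(); // `${scope}:${key}` -> { windowStart, count, lockedUntil }
  }

  // key is the principal being throttled: client IP for login, user id for API.
  // Returns { allowed, remaining, retryAfterMs }.
  check(scope, key, nowMs) {
    const limit = this.limits[scope];
    if (!limit) throw new Error(`no limit configured for scope ${scope}`);
    const id = `${scope}:${key}`;
    let b = this.buckets.get(id);
    if (b && b.lockedUntil > nowMs) {
      return { allowed: false, remaining: 0, retryAfterMs: b.lockedUntil - nowMs };
    }
    if (!b || nowMs - b.windowStart >= limit.windowMs) {
      b = { windowStart: nowMs, count: 0, lockedUntil: 0 };
      this.buckets.set(id, b);
    }
    if (b.count >= limit.max) {
      if (limit.lockoutMs > 0) b.lockedUntil = nowMs + limit.lockoutMs;
      const retryAfterMs = limit.lockoutMs > 0
        ? limit.lockoutMs
        : b.windowStart + limit.windowMs - nowMs;
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    b.count += 1;
    return { allowed: true, remaining: limit.max - b.count, retryAfterMs: 0 };
  }
}

// What an HTTP handler would send for a decision.
function toHttpResponse(decision) {
  if (decision.allowed) {
    return { status: 200, headers: { 'X-RateLimit-Remaining': String(decision.remaining) } };
  }
  return { status: 429, headers: { 'Retry-After': String(Math.ceil(decision.retryAfterMs / 1000)) } };
}
```

A fixed window lets a client spend up to twice the limit across a window boundary; a sliding window or token bucket closes that gap at the cost of more state per key, which is the usual next step once limits are enforced at the edge.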

Content Security Policy & Headers

Defence-in-depth HTTP security headers

Comprehensive security headers protect against XSS, clickjacking, MIME sniffing, and other web-based attacks. Strict CORS policies ensure only authorised origins can communicate with our API.

Content Security Policy (CSP) with strict directives

HTTP Strict Transport Security (HSTS) enforced

X-Frame-Options DENY prevents clickjacking

CORS whitelisting — only approved origins accepted

X-XSS-Protection and X-Content-Type-Options
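The header set and the CORS allowlist described above, as an added example that is not Signie's code: a function that assembles the security headers for a response and adds CORS headers only when the request's Origin is an exact match against the allowlist. The allowed origins and the CSP sources are constructed placeholders; the point of the example is that origin matching is done by exact string comparison, since prefix or substring checks accept look-alike origins.

```javascript
// Added example, not Signie's code: security headers plus an exact-match CORS
// origin allowlist. Origins and CSP sources are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',
  'https://www.example.test',
]);

const SECURITY_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  // Legacy header; current browser guidance is to set it to 0 and rely on CSP instead.
  'X-XSS-Protection': '0',
  'Referrer-Policy': 'no-referrer',
};

// Returns the CORS headers for an allowed origin, or null when the origin is not
// on the allowlist so that no Access-Control-* header is sent at all.
function corsHeaders(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the matched origin, never '*' with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                      // shared caches must key on the Origin header
    'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE',
    'Access-Control-Allow-Headers': 'Authorization,Content-Type',
  };
}

// Full header set for a response to a request carrying the given Origin (or none).
function responseHeaders(origin) {
  return { ...SECURITY_HEADERS, ...(corsHeaders(origin) ?? {}) };
}

// Attach the headers to a Node http.ServerResponse; usable as a tiny middleware.
function applySecurityHeaders(req, res) {
  for (const [name, value] of Object.entries(responseHeaders(req.headers.origin))) {
    res.setHeader(name, value);
  }
}
```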

Role-Based Access Control (RBAC)

Granular permissions with complete tenant isolation

Organisation-scoped permissions ensure users only access their own data. Prisma middleware enforces tenant isolation at the database layer, making cross-tenant data access architecturally impossible.

Admin, Member, and Viewer role hierarchy

Prisma middleware enforces tenant isolation at DB level

Organisation-scoped permissions for all resources

API-level authorisation checks on every request

Audit logging of all permission changes
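The tenant-isolation idea above, as an added example that is not Signie's code: a Prisma-style middleware with the `(params, next)` shape that forces every query on tenant-owned models to carry the caller's organisation id, rewrites unique lookups (which bypass `where` filters) into their filtered forms, and rejects writes that name another tenant. It runs stand-alone against a stubbed `next`; the model names, the three-role ranking and the organisation ids are constructed, and the organisation id must come from the authenticated session rather than from the request.

```javascript
// Added example, not Signie's code: Prisma-style tenant-isolation middleware and
// a role-rank check. Model names and organisation ids are constructed.
const TENANT_MODELS = new Set(['Document', 'Signature', 'Member']);
const ROLE_RANK = { Viewer: 1, Member: 2, Admin: 3 }; // Admin outranks Member outranks Viewer

function requireRole(actual, required) {
  if (!Object.hasOwn(ROLE_RANK, actual) || !Object.hasOwn(ROLE_RANK, required)
      || ROLE_RANK[actual] < ROLE_RANK[required]) {
    throw new Error(`role ${actual} cannot perform an action that needs ${required}`);
  }
  return true;
}

// Unique lookups ignore extra where fields, so they are rewritten to filtered
// actions. Note updateMany/deleteMany return a count rather than the record.
const FILTERED = { findUnique: 'findFirst', update: 'updateMany', delete: 'deleteMany' };
const WHERE_ACTIONS = new Set(['findMany', 'findFirst', 'count', 'updateMany', 'deleteMany']);

// orgId is taken from the authenticated session, never from request input.
function tenantIsolation(orgId) {
  if (!orgId) throw new Error('tenant isolation needs an organisation id');
  return (params, next) => {
    if (!TENANT_MODELS.has(params.model)) return next(params);
    const args = { ...(params.args ?? {}) };
    const action = FILTERED[params.action] ?? params.action;
    if (WHERE_ACTIONS.has(action)) {
      // Spread first, then orgId: a client-supplied organisationId is overwritten.
      args.where = { ...(args.where ?? {}), organisationId: orgId };
    } else if (action === 'create') {
      const data = args.data ?? {};
      if ('organisationId' in data && data.organisationId !== orgId) {
        throw new Error('cross-tenant write rejected');
      }
      args.data = { ...data, organisationId: orgId };
    } else {
      throw new Error(`action ${action} on ${params.model} is not routed through tenant isolation`);
    }
    return next({ ...params, action, args });
  };
}
```

Because the organisation id is injected after the caller's `where` is spread, a request that names another tenant's id is silently corrected rather than honoured; a deny-by-default branch for unhandled actions keeps a newly added query type from slipping past the filter.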

Audit Trail & Cryptographic Evidence

Immutable proof of every signature and action

Every document signing event is recorded with IP address, device fingerprint, geographic location, and timestamp. SHA-256 document hashes ensure tamper detection — any modification is instantly detectable.

SHA-256 document hashing for tamper detection

IP address and geographic location logging

Device fingerprint and browser metadata captured

Cryptographic timestamps for legal evidence

Compliant with eIDAS and ESIGN Act requirements

United Kingdom

UK Data Residency

Your data never leaves the United Kingdom. Full sovereignty and compliance guaranteed.

UK-Hosted Infrastructure

All servers and databases are hosted exclusively within United Kingdom data centres, ensuring full compliance with UK data sovereignty requirements.

Data Never Leaves the UK

Your documents, signatures, and personal data are processed and stored entirely within UK jurisdiction. No cross-border data transfers.

GDPR Article 44 Compliant

Full compliance with GDPR data transfer restrictions. UK adequacy decision ensures equivalent protection standards for EU-origin data.

Security by the Numbers

Enterprise infrastructure built for performance and reliability.

256-bit AES Encryption
99.9% Uptime SLA
< 1ms Auth Latency
24/7 Monitoring

SOC 2 & ISO 27001 Best Practices Followed
eIDAS Compliant
ESIGN Act
UK Data Protection Act 2018
Cyber Essentials
OWASP Top 10 Protected

Your Security Is Our Priority

Join thousands of businesses trusting Signie with their most important documents.

No credit card required • 14-day free trial • Cancel anytime

© 2025 Signie. All rights reserved.