How we protect your documents and data.
Encryption
- All data in transit is encrypted with TLS 1.2+.
- Documents are encrypted at rest in cloud storage.
- Passwords are hashed with bcrypt at a work factor of 12 (2^12 key-setup iterations).
- API keys are stored only as SHA-256 hashes and are shown once, at creation; because the plaintext is not retained, a lost key must be replaced rather than recovered.
Authentication
- Email/password authentication with strong password requirements.
- OAuth 2.0 sign-in with Google and Microsoft.
- Two-factor authentication (TOTP) for additional account security.
- Email verification required for new accounts.
- Rate limiting on authentication endpoints to prevent brute force attacks.
Tamper-Evident Audit Trail
Every document maintains a cryptographic audit trail using hash chaining. Each event (sent, viewed, signed, completed) is recorded with a timestamp, IP address and user agent, and each entry includes the SHA-256 hash of the previous entry. Altering or removing an entry changes its hash and breaks every link after it, so it is computationally infeasible to modify the record without breaking the chain.
Infrastructure
- Hosted on Vercel with automatically provisioned TLS certificates.
- PostgreSQL database hosted on Neon; connections to it are encrypted in transit.
- File storage on Vercel Blob with secure access controls.
- Security headers (HSTS, X-Frame-Options, CSP) on all responses.
Webhooks
Webhook payloads are signed using HMAC-SHA256 with a unique secret per endpoint, allowing you to verify that a delivery originated from SignSteve and that its body was not modified in transit.
Input Validation
All API inputs are validated against Zod schemas, so malformed or unexpected input is rejected before it reaches application logic. File uploads are checked for the expected MIME type and for valid PDF structure rather than being accepted on the declared content type alone.
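As an added example, not SignSteve's validator, here is the kind of upload check that decides on the bytes rather than the client-supplied Content-Type. The byte-level rules (the `%PDF-x.y` header at offset 0 and `%%EOF` near the end of the file) are ordinary PDF structure; the function names, the reasons returned and the sample files are constructed for this example.

```javascript
// Added example, not SignSteve's code: an upload check that trusts the bytes,
// not the client-supplied Content-Type. The byte-level rules are ordinary PDF
// structure; function names and sample bodies are constructed for this example.

// Minimal structural check: "%PDF-x.y" at offset 0 and "%%EOF" in the last 1 KiB.
// The PDF spec tolerates junk before the header; requiring offset 0 is stricter
// on purpose, because leading bytes are how polyglot files smuggle a second type.
function looksLikePdf(buf) {
  if (buf.length < 16) return false;
  if (buf.subarray(0, 5).toString("latin1") !== "%PDF-") return false;
  if (!/^[12]\.\d$/.test(buf.subarray(5, 8).toString("latin1"))) return false;
  const tail = buf.subarray(Math.max(0, buf.length - 1024)).toString("latin1");
  return tail.includes("%%EOF");
}

// Both conditions must hold: the declared type is what the endpoint expects,
// and the body actually has PDF structure.
function validateUpload(declaredMime, buf) {
  if (declaredMime !== "application/pdf") {
    return { ok: false, reason: "content type must be application/pdf" };
  }
  if (!looksLikePdf(buf)) {
    return { ok: false, reason: "body is not a PDF" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample bodies.
const SAMPLE_PDF = Buffer.from(
  "%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" +
    "2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n" +
    "trailer\n<< /Root 1 0 R >>\n%%EOF\n",
  "latin1"
);
const SAMPLE_HTML = Buffer.from("<!doctype html><html><script>alert(1)</script></html>", "latin1");

function demoCases() {
  return {
    genuinePdf: validateUpload("application/pdf", SAMPLE_PDF).ok,
    htmlWithPdfMime: validateUpload("application/pdf", SAMPLE_HTML).ok, // lies about its type
    pdfWithWrongMime: validateUpload("text/html", SAMPLE_PDF).ok,
    truncatedPdf: validateUpload("application/pdf", SAMPLE_PDF.subarray(0, 40)).ok,
  };
}
```

This is a sanity check, not a parser: it stops HTML, scripts and images uploaded under a PDF content type, and truncated files, but a body that passes it can still be malformed inside. Anything that will be rendered or processed should additionally go through a real PDF parser, and the stored object should be served with a fixed `Content-Type` and `Content-Disposition` so the browser never sniffs it as something else.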
Reporting Vulnerabilities
If you discover a security vulnerability, please report it to security@signsteve.com. We take all reports seriously and will respond within 48 hours.