Every signed document on SignBolt is protected by industry-standard encryption, cryptographic verification, and a complete audit trail, designed to meet the standards enterprise and regulated-industry clients expect.
All data transmitted between your browser and SignBolt's servers is encrypted using TLS 1.2 or TLS 1.3, the same standard used by financial institutions. Our HSTS policy with a two-year max-age and preload flag means browsers will always enforce HTTPS, even on first visit.
Documents stored in our infrastructure are encrypted at rest using AES-256, the encryption standard mandated by the US National Institute of Standards and Technology (NIST) and widely accepted by government and financial regulators globally.
When a document is signed on SignBolt, we compute a SHA-256 cryptographic hash of the completed PDF. This hash acts as a tamper-evident fingerprint: if a single byte of the document is altered after signing, the hash will no longer match, making any tampering immediately detectable.
The hash is recorded in the document's audit trail alongside the timestamp, signer's email, IP address, and user agent. This creates a verifiable, immutable chain of custody that can be produced as evidence in legal proceedings.
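How a recipient could check a stored copy against the hash in the audit trail, as an added example that is not SignBolt's own code. The audit record field names and the sample PDF bytes are constructed for illustration.

```python
import hashlib
import hmac
import io

def sha256_stream(fileobj, chunk_size=65536):
    """Hash a binary file object in chunks so large PDFs are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def verify_against_audit(fileobj, audit_record):
    """Return True only if the file's SHA-256 equals the hash in the audit record."""
    recorded = audit_record["sha256"].strip().lower()
    # Reject truncated or non-hex values instead of comparing against garbage.
    if len(recorded) != 64 or any(c not in "0123456789abcdef" for c in recorded):
        raise ValueError("audit record does not contain a SHA-256 hex digest")
    return hmac.compare_digest(sha256_stream(fileobj), recorded)

# Constructed sample data: a stand-in for a signed PDF and its audit entry.
SIGNED_PDF = b"%PDF-1.7\n% constructed sample, not a real signed document\n%%EOF\n"
AUDIT_RECORD = {  # hypothetical field names
    "timestamp": "2024-01-01T00:00:00.000Z",
    "signer_email": "signer@example.com",
    "ip_address": "203.0.113.7",
    "user_agent": "ExampleBrowser/1.0",
    "sha256": hashlib.sha256(SIGNED_PDF).hexdigest(),
}

if __name__ == "__main__":
    print("original:", verify_against_audit(io.BytesIO(SIGNED_PDF), AUDIT_RECORD))
    tampered = bytearray(SIGNED_PDF)
    tampered[-2] ^= 0x01  # flip one bit in one byte
    print("tampered:", verify_against_audit(io.BytesIO(bytes(tampered)), AUDIT_RECORD))
```

A match shows only that the file is the one the record describes, so the comparison is worth as much as the integrity of the audit record it is made against.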
SignBolt's audit trail captures every significant action taken on a document, from creation and viewing through to signing and downloading. Each event is timestamped to millisecond precision and associated with the authenticated user or signer responsible.
The following data points are recorded per signing event:
Audit logs are accessible from your SignBolt dashboard and can be exported as a PDF signing certificate, suitable for attachment to contracts stored in your own document management system.
SignBolt uses email-verified accounts: no account can be activated without completing email verification. This satisfies basic identity assurance requirements and prevents automated account creation.
Additional protections applied to every authentication flow:
For Business plan API access, all keys are stored as SHA-256 hashes; the raw key is shown only once at creation time and cannot be retrieved. Keys support scoped permissions (read / write / admin) and expiry dates, and can be rotated or revoked instantly from your dashboard.
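A sketch of hash-only API key storage with scopes, expiry and revocation, as an added example that is not SignBolt's code. The `sk_example_` prefix, the record layout and the ordering of scopes (admin implies write implies read) are assumptions.

```python
import hashlib
import secrets
import time

# Assumption: scopes are ordered, so a higher scope includes the lower ones.
SCOPE_RANK = {"read": 0, "write": 1, "admin": 2}

def key_digest(raw_key):
    # A fast unsalted hash is acceptable here because the key is 256 bits of
    # randomness; this would not be appropriate for human-chosen passwords.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

def issue_key(store, scope, ttl_seconds, now=None):
    """Persist only the digest and metadata; return the raw key exactly once."""
    if scope not in SCOPE_RANK:
        raise ValueError("unknown scope: %r" % scope)
    now = time.time() if now is None else now
    raw_key = "sk_example_" + secrets.token_urlsafe(32)  # hypothetical prefix
    store[key_digest(raw_key)] = {
        "scope": scope,
        "expires_at": now + ttl_seconds,
        "revoked": False,
    }
    return raw_key

def revoke_key(store, raw_key):
    """Mark a key as revoked; returns False if the key was never issued."""
    record = store.get(key_digest(raw_key))
    if record is None:
        return False
    record["revoked"] = True
    return True

def authorize(store, presented_key, required_scope, now=None):
    """Allow the request only for a known, unrevoked, unexpired, sufficient key."""
    now = time.time() if now is None else now
    record = store.get(key_digest(presented_key))
    if record is None or required_scope not in SCOPE_RANK:
        return False
    if record["revoked"] or now >= record["expires_at"]:
        return False
    return SCOPE_RANK[record["scope"]] >= SCOPE_RANK[required_scope]
```

Rotation in this model is `issue_key` followed by `revoke_key` on the old key; a leaked copy of `store` contains digests only, which cannot be presented as keys.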
SignBolt is deployed on Vercel's global edge network, the same infrastructure trusted by companies like GitHub, Washington Post, and Twilio. Vercel operates data centres in North America, Europe, and Asia-Pacific (including Australia), ensuring low-latency access and built-in redundancy.
SignBolt does not sell, share, or use your documents for any purpose other than delivering the service. Your documents are yours; we do not train machine learning models on your content.
For enterprise clients with specific data residency requirements, please contact our team to discuss your requirements.
Electronic signatures created on SignBolt are legally binding under the following legislative frameworks:
Federal US law enacted in 2000. Establishes that electronic signatures carry the same legal weight as handwritten signatures for most contracts. SignBolt's signature capture, audit trail, and signer consent flow satisfy the ESIGN requirements for attribution and record retention.
State-level companion to ESIGN. Adopted in 49 US states. Confirms that electronic records and signatures are enforceable in commerce and legal proceedings. SignBolt's timestamped, identity-linked audit trail directly supports UETA record-keeping requirements.
Federal Australian law that gives electronic signatures the same legal status as wet signatures, provided the method identifies the signatory and indicates their approval. SignBolt satisfies both requirements through verified email identity and explicit signer action captured in the audit trail. State equivalents (e.g. NSW Electronic Transactions Act 2000) align with this federal framework.
SignBolt produces Simple Electronic Signatures (SES) under the eIDAS framework, legally valid for the majority of commercial agreements within the EU. For documents requiring Advanced or Qualified Electronic Signatures (AES/QES) under specific EU regulations, we recommend consulting a legal adviser.
Important: Certain document types (wills, certain real estate transactions, deeds, and court documents) may require wet signatures or notarisation under applicable law. This page is informational and does not constitute legal advice. Consult a solicitor or attorney for document-specific requirements.
If you discover a security vulnerability in SignBolt, please report it to us responsibly before public disclosure. We take all reports seriously and aim to acknowledge receipt within 48 hours.
Please do not access, modify, or delete data belonging to other users. Limit testing to your own accounts and documents.
We believe in transparency. SignBolt is a lean, focused product and we will not mislead enterprise buyers with certifications we don't hold.
SOC 2 Type II: Not currently certified. Our architecture is designed with SOC 2 principles in mind, but a formal audit has not been completed.
HIPAA: SignBolt is not a HIPAA-covered entity and does not offer a BAA. Do not use SignBolt for Protected Health Information (PHI) without independent legal review.
ISO 27001: Not certified. Our information security practices align with ISO 27001 principles but have not been formally assessed.
We are committed to pursuing formal certifications as the business scales. If specific compliance requirements are blocking your procurement process, get in touch; we're happy to discuss our controls in detail.
Enterprise and government procurement teams are welcome to request a security questionnaire response, architecture overview, or vendor assessment conversation.