Compliance and Data Security
Signable complies with the e-signature laws of the United States. We meet and exceed the requirements for accepting and processing electronically signed documents set out in the ESIGN Act and UETA, which recognise e-signatures as legally binding under U.S. law. Our controls include, but are not limited to:
256-bit TLS (SSL) encryption on all pages, including the signing pages
A detailed audit log entry stored for each signature action
Verification of a user's identity before they are permitted to send documents
Document integrity checks at every step of the process
A unique salted fingerprint for each document
Secure storage of documents and data
Signatory identity verified via email address, timestamps and geo-tracking
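Two of the controls above, the per-document salted fingerprint and the per-action audit log, can be illustrated with a short worked example. The code below is an added illustration, not Signable's own code (Signable does not publish its algorithms); it assumes HMAC-SHA256 keyed with a 32-byte random salt as the fingerprint, and a hash chain linking audit entries so that editing or deleting an earlier entry is detectable. The sample contract text, email addresses and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Added illustration; assumptions (not Signable's published design):
# HMAC-SHA256 fingerprint, 32-byte random per-document salt, hash-chained log.


def salted_fingerprint(document: bytes, salt: bytes) -> str:
    """Keyed hash of the document bytes. The random salt makes the fingerprint
    unique per document even when two customers upload identical files, and
    means an attacker cannot precompute the fingerprint of a known file."""
    return hmac.new(salt, document, hashlib.sha256).hexdigest()


class IntegrityError(Exception):
    pass


class SigningEnvelope:
    """One document, its salted fingerprint and a hash-chained audit log."""

    GENESIS = "0" * 64  # prev_hash of the first audit entry

    def __init__(self, document: bytes, sender: str, salt: Optional[bytes] = None):
        self.document = document
        self.salt = salt if salt is not None else secrets.token_bytes(32)
        self.fingerprint = salted_fingerprint(document, self.salt)
        self.audit_log: list = []
        self._record("created", actor=sender)

    @staticmethod
    def _entry_hash(body: dict) -> str:
        # Canonical JSON so the hash does not depend on key order.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, action: str, **details) -> None:
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else self.GENESIS
        entry = {
            "action": action,
            "at": datetime.now(timezone.utc).isoformat(),
            "fingerprint": self.fingerprint,  # ties the action to the document state
            "prev_hash": prev,                # chains this entry to the previous one
            **details,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.audit_log.append(entry)

    def verify_document(self) -> bool:
        """Integrity check: recompute the fingerprint and compare in constant time."""
        return hmac.compare_digest(
            salted_fingerprint(self.document, self.salt), self.fingerprint)

    def verify_audit_log(self) -> bool:
        """Walk the chain; any edited, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or self._entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def sign(self, signer_email: str, ip: str) -> None:
        """Every signature action re-checks integrity before it is logged."""
        if not self.verify_document():
            raise IntegrityError("document bytes no longer match the fingerprint")
        self._record("signed", actor=signer_email, ip=ip)


def demo() -> dict:
    """Run the happy path, then tamper with the document and with the log."""
    doc = b"Contract: Acme Ltd agrees to pay 1,000 GBP on 1 March."  # constructed sample
    env = SigningEnvelope(doc, sender="sender@example.com")
    env.sign("alice@example.com", ip="203.0.113.7")
    results = {"clean_doc": env.verify_document(), "clean_log": env.verify_audit_log()}

    env.document = doc.replace(b"1,000", b"9,000")  # simulate tampering after signing
    results["tampered_doc"] = env.verify_document()
    try:
        env.sign("bob@example.com", ip="203.0.113.8")
        results["signing_blocked"] = False
    except IntegrityError:
        results["signing_blocked"] = True

    env.audit_log[1]["actor"] = "mallory@example.com"  # rewrite history in the log
    results["tampered_log"] = env.verify_audit_log()
    return results


if __name__ == "__main__":
    print(demo())
```

The salt must be stored alongside the fingerprint (it is not secret in the HMAC-key sense, it only guarantees uniqueness), and in a real deployment the audit entries would be written to append-only storage so that a database operator cannot rewrite the chain wholesale.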
All data stored and processed by Signable is held within the UK. Our infrastructure is hosted in the AWS London region. This region is used by many of the largest Internet companies and holds the major AWS compliance certifications; AWS publishes details of its compliance programmes. Backups of our key data stores, which include our main databases and the documents themselves, are taken continuously.
All data stored by Signable is encrypted at rest and in transit. The keys required to encrypt and decrypt the data are held in an AWS-provided HSM, and access to them is restricted to the minimum number of people who require it.
Access to the data we hold on behalf of our customers is tightly controlled and governed by an auditable system and process. Only the minimum number of people required have full access to the infrastructure, and your data is never exposed to third parties. Access to data is controlled through your account, and every action is logged and recorded. Internally, members of the Signable team cannot access the documents within your account. If you need support relating to a specific document, you must first grant us permission to access it; until then, access remains locked down.
Third party access
Your data, including names, address details and the documents themselves, is never exposed to third parties. Where third-party contractors are used, we vet and regulate them carefully, and if data is required for them to perform their role they are provided with sample data rather than customer data.
We maintain plans for handling unexpected issues, tailored to the type of disaster. All of them include the following:
Prompt and effective communication to customers on the situation, communicated via Signable’s status page
Key people assigned as ‘in charge’ of coordinating the response and reaction
Effective gathering of data and logs required to determine the root cause to help diagnose the problem and work towards a solution
Feedback loops at every stage so that lessons are captured for future events
Issues that affect the availability of the Signable service are communicated via our status page. We are able to rebuild our entire infrastructure in a different AWS region or data centre within a few minutes, restoring from our backups.
The Signable infrastructure is scanned daily for the OWASP Top 10 classes of security issue, and any findings are raised with the Signable development team. Our infrastructure is also scanned quarterly, as required to maintain our PCI DSS certification.
“End of business” plans
In the highly unlikely event that Signable is unable to continue trading, all previously signed documents will be provided in an archive file along with any information required to prove that the documents were signed legally and correctly.