Security & trust
Your documents are legal records. We treat them that way.
SignLab is built with security at its core — from how we store your documents to how we authenticate users and protect data in transit.
Encryption
Data at rest
All documents, signatures, and audit data stored on SignLab's infrastructure are encrypted using AES-256 — the same standard used by financial institutions.
Data in transit
All communication between your browser and SignLab's servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints with HSTS.
Passwords
User passwords are never stored in plain text. We use bcrypt hashing with a per-user salt. SignLab staff cannot read your password.
Document security
Tamper-evident PDFs
Every signed document is cryptographically sealed. A SHA-256 hash of the document is recorded at signing. Any modification to the PDF afterwards is detectable.
Isolated storage
Documents are stored in isolated cloud storage with access controls. No document is publicly accessible without a time-limited, authenticated URL.
Document hashing
We record a cryptographic hash of the original document before any signatures are collected, and a second hash of the final signed document.
Access controls
Staff access
SignLab staff access to customer data is strictly limited. No staff member can read the content of your documents in the normal course of their work.
Principle of least privilege
Internal systems are designed on a least-privilege basis — each system component only has access to the data it needs to function.
Multi-factor authentication
MFA is available for all SignLab accounts and is strongly recommended. Enterprise customers can enforce MFA for all users.
Infrastructure
Hosting
SignLab's application runs on enterprise-grade cloud infrastructure with redundant systems and automated failover.
Document storage
Documents are stored using enterprise cloud object storage with redundant copies and server-side encryption for all stored files.
Data location
SignLab's application and database are hosted in the EU. Documents are stored in the EU by default, so EU/EEA customers' documents stay within the EEA. US-based storage is available on request.
Backups
Customer data and signed documents are backed up daily with point-in-time recovery available. Backups are encrypted and stored separately from primary systems.
Incident response
SignLab maintains an incident response plan covering:
- Detection and classification of security incidents
- Containment and mitigation procedures
- Customer notification within 72 hours of a confirmed personal data breach (as required by GDPR)
- Post-incident review and remediation
To report a security vulnerability or suspected incident, contact security@signlab.app. We acknowledge all reports within 24 hours.
Vulnerability disclosure
SignLab welcomes responsible disclosure of security vulnerabilities. If you have discovered a potential issue:
- Email security@signlab.app with a description of the vulnerability
- Allow us reasonable time to investigate and remediate before public disclosure
- Do not access, modify, or delete data that does not belong to you
We will not pursue legal action against researchers who follow responsible disclosure guidelines.
Compliance
| Framework | Status | Notes |
|---|---|---|
| UAE PDPL | Compliant | Personal data processed per Federal Decree-Law No. 45 of 2021 |
| GDPR (EU) | Compliant | SCCs in place for international transfers |
| ESIGN Act (US) | Compliant | Designed to meet ESIGN technical requirements |
| eIDAS (EU) | SES level | Simple Electronic Signature; AES/QES on roadmap |
| UAE Electronic Transactions Law | Compliant | Federal Decree-Law No. 46 of 2021 |
| PCI-DSS | Via Stripe | Card data processed by Stripe; SignLab holds no card data |
| SOC 2 Type II | In progress | Audit planned; controls in implementation |
| ISO 27001 | Roadmap | Targeted for Year 2 |
Security team
Security reports: security@signlab.app — response within 24 hours
General: support@signlab.app · SignLab, Dubai, United Arab Emirates
Get started free