Security & trust

Your documents are legal records. We treat them that way.

SignLab is built with security at its core — from how we store your documents to how we authenticate users and protect data in transit.

Encryption

Data at rest

All documents, signatures, and audit data stored on SignLab's infrastructure are encrypted using AES-256 — the same standard used by financial institutions.

Data in transit

All communication between your browser and SignLab's servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints with HSTS.

Passwords

User passwords are never stored in plain text. We use bcrypt hashing with a per-user salt. SignLab staff cannot read your password.

Document security

Tamper-evident PDFs

Every signed document is cryptographically sealed. A SHA-256 hash of the document is recorded at signing. Any modification to the PDF afterwards is detectable.

Isolated storage

Documents are stored in isolated cloud storage with access controls. No document is publicly accessible without a time-limited, authenticated URL.

Document hashing

We record a cryptographic hash of the original document before any signatures are collected, and a second hash of the final signed document.

Access controls

Staff access

SignLab staff access to customer data is strictly limited. No staff member can read the content of your documents in the normal course of their work.

Principle of least privilege

Internal systems are designed on a least-privilege basis — each system component only has access to the data it needs to function.

Multi-factor authentication

MFA is available for all SignLab accounts and is strongly recommended. Enterprise customers can enforce MFA for all users.

Infrastructure

Hosting

SignLab's application runs on enterprise-grade cloud infrastructure with redundant systems and automated failover.

Document storage

Documents are stored using enterprise cloud object storage with redundant copies and server-side encryption for all stored files.

Data location

SignLab's application and database are hosted in the EU. Documents are stored in the EU by default, so EU/EEA customers' documents stay within the EEA. US-based storage is available on request.

Backups

Customer data and signed documents are backed up daily with point-in-time recovery available. Backups are encrypted and stored separately from primary systems.

Incident response

SignLab maintains an incident response plan covering:

  • Detection and classification of security incidents
  • Containment and mitigation procedures
  • Customer notification within 72 hours of a confirmed personal data breach (as required by GDPR)
  • Post-incident review and remediation

To report a security vulnerability or suspected incident, contact security@signlab.app. We acknowledge all reports within 24 hours.

Vulnerability disclosure

SignLab welcomes responsible disclosure of security vulnerabilities. If you have discovered a potential issue:

  • Email security@signlab.app with a description of the vulnerability
  • Allow us reasonable time to investigate and remediate before public disclosure
  • Do not access, modify, or delete data that does not belong to you

We will not pursue legal action against researchers who follow responsible disclosure guidelines.

Compliance

Framework Status Notes
UAE PDPL Compliant Personal data processed per Federal Decree-Law No. 45 of 2021
GDPR (EU) Compliant SCCs in place for international transfers
ESIGN Act (US) Compliant Designed to meet ESIGN technical requirements
eIDAS (EU) SES level Simple Electronic Signature; AES/QES on roadmap
UAE Electronic Transactions Law Compliant Federal Decree-Law No. 46 of 2021
PCI-DSS Via Stripe Card data processed by Stripe; SignLab holds no card data
SOC 2 Type II In progress Audit planned; controls in implementation
ISO 27001 Roadmap Targeted for Year 2

Security team

Security reports: security@signlab.app — response within 24 hours

General: support@signlab.app · SignLab, Dubai, United Arab Emirates

Get started free