Encryption
All traffic is served over TLS. Documents are stored encrypted at rest and are served only through short-lived, single-use links — never from a public, guessable URL.
Signer tokens
Each signing link carries a 256-bit token. We store only a hash of it, never the token itself, so a database snapshot cannot be used to sign. Tokens are single-use, tied to one recipient and one document, expire on a sender-controlled schedule, are revoked when an envelope is voided, and are consumed on completion.
Tamper-evident audit trail
Every action on a document — viewed, signed, completed, declined, voided — is written to an append-only audit chain, where each entry cryptographically references the previous one. Any alteration to the history breaks the chain. To prove the record wasn’t rewritten by us, we anchor it externally: the chain head and the SHA-256 of the sealed file are included in the completion email and timestamped with an independent authority, and a public verification page lets anyone confirm a document’s integrity.
Access control
Authorization is centralized and deny-by-default: every request to your data passes through a single set of guards, so there is one audited implementation rather than scattered checks. Vendor accounts use least privilege and two-factor authentication.
Reliability and backups
The database supports point-in-time restore, file storage is versioned, and we keep independent backups so a mistake or vendor incident is recoverable.
Engineering practices
- Structured logging with personal data scrubbed from log lines.
- Typed, validated configuration; secrets are never committed to source control.
- Dependency review in continuous integration; the PDF toolchain is version-pinned and gated on integrity tests.
What we don’t offer (yet)
We believe in being clear about scope. Evenseal does not currently provide qualified electronic signatures (QES), identity verification, HIPAA/BAA coverage, single sign-on (SSO), or a public API, and we are not yet SOC 2 or ISO 27001 certified. We keep the operational evidence these standards rely on, so certification later is a business decision rather than a rebuild.
Reporting a vulnerability
If you believe you’ve found a security issue, email support@evenseal.com. We welcome good-faith research, will acknowledge your report, and will not pursue legal action for testing that respects our users’ data and avoids privacy violations, service disruption, or data destruction.