Security & compliance
A signature is only worth as much as the evidence behind it. Here's exactly what SignedBy records, how your documents are protected, and how anyone can independently check that a signed document is genuine.
Legally binding by default
Documents signed with SignedBy are electronic signatures under the U.S. ESIGN Act and UETA. What makes one hold up isn't the look of the mark — it's the record of intent behind it, which we capture on every document, on every plan.
- Every action is timestamped
- Creating, sending, opening, signing, declining, and voiding a document each write an immutable audit event with the exact time it happened.
- IP address and device recorded
- Each signing event captures the signer's IP address and browser user-agent, so a signature can be tied to when and where it was made.
- Explicit consent, captured
- A signer must actively tick a consent box confirming they intend to sign electronically before they can submit — the deliberate act that makes an e-signature binding.
- Certificate of Completion
- Every completed document gets a certificate listing the document ID, each signer with their signing time and IP, and the document's cryptographic fingerprint.
Anyone can verify a document — free, no account
When a document completes, we take a SHA-512 fingerprint of the final signed PDF and print it on the Certificate of Completion. Change so much as one character of that PDF and the fingerprint no longer matches.
That means a counterparty, an accountant, or a court doesn't have to take your word for it — or ours. Anyone holding the file can check it themselves, without a SignedBy account and without contacting us.
Verify a document →How your documents are protected
- Encrypted in transit and at rest
- Documents travel over TLS and are stored encrypted.
- Isolated per workspace
- Row-level security is enforced in the database, so one workspace's documents, signers, and audit history can't be read by another.
- Unguessable signing links
- Signers don't need an account. Each signer gets their own long, unguessable link that only opens their fields — never another signer's.
- API keys stored hashed
- API keys are hashed before storage, so the full key exists only in your hands. Regenerating instantly invalidates the previous one.
Data protection and where your data lives
SignedBy is operated by SPRK10 B.V., a company registered in the Netherlands, and processing is kept within the European Economic Area. We use a small, named set of sub-processors — hosting, storage, email, payments, and the AI provider behind our AI-assisted features (Mistral AI, based in France). They're each listed, with what they do and where they sit, in our Data Processing Agreement.
Our Privacy Policy sets out exactly what we collect from senders and signers, why, and how long we keep it.
What we don't claim
SignedBy produces what eIDAS calls a Simple Electronic Signature: identity is established by control of the email address the document was sent to, backed by the audit trail above. That is valid and enforceable under ESIGN and UETA, and for the great majority of business agreements it's exactly what's used.
We don't currently offer Advanced or Qualified Electronic Signatures (AES/QES), which add per-signer certificates and government-ID verification. Some documents also can't be signed electronically at all in many jurisdictions — wills, certain family-law papers, and some property and hazardous-goods documents. If your matter needs one of those, use a provider or process built for it.
Questions from a security or procurement review? Email security@signedby.ai and we'll answer directly.