SignedByBetaSign in

Security & compliance

A signature is only worth as much as the evidence behind it. Here's exactly what SignedBy records, how your documents are protected, and how anyone can independently check that a signed document is genuine.

Legally binding by default

Documents signed with SignedBy are electronic signatures under the U.S. ESIGN Act and UETA. What makes one hold up isn't the look of the mark — it's the record of intent behind it, which we capture on every document, on every plan.

Every action is timestamped
Creating, sending, opening, signing, declining, and voiding a document each write an immutable audit event with the exact time it happened.
IP address and device recorded
Each signing event captures the signer's IP address and browser user-agent, so a signature can be tied to when and where it was made.
Explicit consent, captured
A signer must actively tick a consent box confirming they intend to sign electronically before they can submit — the deliberate act that makes an e-signature binding.
Certificate of Completion
Every completed document gets a certificate listing the document ID, each signer with their signing time and IP, and the document's cryptographic fingerprint.

Anyone can verify a document — free, no account

When a document completes, we take a SHA-512 fingerprint of the final signed PDF and print it on the Certificate of Completion. Change so much as one character of that PDF and the fingerprint no longer matches.

That means a counterparty, an accountant, or a court doesn't have to take your word for it — or ours. Anyone holding the file can check it themselves, without a SignedBy account and without contacting us.

Verify a document →

How your documents are protected

Encrypted in transit and at rest
Documents travel over TLS and are stored encrypted.
Isolated per workspace
Row-level security is enforced in the database, so one workspace's documents, signers, and audit history can't be read by another.
Unguessable signing links
Signers don't need an account. Each signer gets their own long, unguessable link that only opens their fields — never another signer's.
API keys stored hashed
API keys are hashed before storage, so the full key exists only in your hands. Regenerating instantly invalidates the previous one.

Data protection and where your data lives

SignedBy is operated by SPRK10 B.V., a company registered in the Netherlands, and processing is kept within the European Economic Area. We use a small, named set of sub-processors — hosting, storage, email, payments, and the AI provider behind our AI-assisted features (Mistral AI, based in France). They're each listed, with what they do and where they sit, in our Data Processing Agreement.

Our Privacy Policy sets out exactly what we collect from senders and signers, why, and how long we keep it.

What we don't claim

SignedBy produces what eIDAS calls a Simple Electronic Signature: identity is established by control of the email address the document was sent to, backed by the audit trail above. That is valid and enforceable under ESIGN and UETA, and for the great majority of business agreements it's exactly what's used.

We don't currently offer Advanced or Qualified Electronic Signatures (AES/QES), which add per-signer certificates and government-ID verification. Some documents also can't be signed electronically at all in many jurisdictions — wills, certain family-law papers, and some property and hazardous-goods documents. If your matter needs one of those, use a provider or process built for it.

Questions from a security or procurement review? Email security@signedby.ai and we'll answer directly.