Stop paying for paper, printing, and manual delays. Calculate your savings.
projected annual savings by digitizing
We don't ask you to trust our policy. We ask you to verify our architecture. 18 critical failure vectors, neutralized by design.
SHA-256 PAdES Seal. Even a 1-bit alteration invalidates the embedded cryptographic signature, providing instant forensic proof of tampering.
Organization Root CA. Every verified document is cryptographically bound to your tenant's specific identity, making unauthenticated clones impossible.
HMAC-SHA256 Signed Idempotency. Every payload is signed with a rolling secret; replayed or modified packets are rejected by the gateway.
DB-Level Immutable Triggers. We use hardened Postgres triggers that physically prevent 'UPDATE' or 'DELETE' actions on audit records.
Indefinite Legal Hold. Suspends all auto-deletion policies and mandates permanent archival until the hold is manually revoked.
KMS DEK Invalidation. We physically purge the unique Data Encryption Key (DEK) from the KMS, rendering the storage-at-rest mathematically void.
30-Day Forensic Soft-Lock. Deletion triggers a 'Tombstone' state, allowing recovery via 2FA verification before final cryptographic erasure.
Verified Deletion Certificate. We issue a cryptographic tombstone signed by the KMS proving the key destruction event.
Ephemeral Signing Tokens. Sessions are tied to a one-time cryptographic nonce that expires immediately upon document submission.
RFC 3161 Trusted Timestamping. Timestamps are sourced from an external TSA, independent of the server's local clock.
Regulatory Hold Reconciliation. Automatically prioritizes legal retention mandates over deletion requests to ensure compliance.
Row-Level Security (RLS). Hardened database policies ensure that Client A can never physically access Client B's data at the kernel level.
Strict UUID Key Binding. API keys are cryptographically locked to a single Tenant ID; cross-tenant calls trigger an immediate security alert.
Verified Sender Profiles. We enforce SPF/DKIM and DMARC hardening, ensuring invitations only originate from your verified corporate domain.
Multi-Region Hot-Failover. Real-time data replication across three geographic zones ensures zero data loss and sub-second recovery.
Open-Standard Export. Export full forensic packages in machine-readable JSON with PAdES-LTV signatures. No vendor lock-in.
IP-Bound Whitelisting. API tokens can be restricted to specific IP ranges, rendering leaked keys useless outside your corporate network.
Atomic Bulk Retries. Our task queue tracks every individual recipient state; 'Retry' only targets failed nodes, never duplicates successful ones.
Core Ecosystem
Drag-and-drop signature, text, date, and checkbox fields directly onto your PDF. Upload PDF or DOCX — automatic conversion via LibreOffice.
Define signing order: Person 1 → Person 2 → Person 3. Each signer receives the document only when it's their turn.
Database-level triggers physically prevent deletion or modification of audit logs. SHA-256 hash chain per event.
Signers click anywhere on the PDF to place comment pins. You resolve, upload a revised document, and re-send — all version-tracked.
Custom logo, brand colors, organization name, custom email from address, custom domain with DNS verification. Per-tenant usage limits enforced.
Redis-backed queue with exponential backoff retry. 4 Jinja2 email templates with custom composer and variable substitution.
Automatically detects documents inactive for 7+ days. Status filters, manual reminders, and blocker identification.
Cryptographically verifiable actions, SHA-256 event chaining, and PAdES-LTV validation. Idempotent webhooks with HMAC signatures for high-trust integrations.
Your document is encrypted with a unique data encryption key (DEK) before it ever touches disk. The DEK itself is wrapped with a master key controlled in your GCP KMS instance.
Deploy Control KeyEvery signature event — envelope created, document viewed, signature applied — is cryptographically chained. If a single record is altered, the entire chain triggers a violation.
Validate IntegrityRaw document content exists only in temporary memory buffers during processing. We physically collect garbage (GC) and overwrite memory sectors after encryption.
Simulate BreachSignatures aren't just invisible overlays; they are physically burned into the document's structure at 300 DPI, creating a permanent, flattened forensic record.
Verify ProvenanceExport a self-contained, court-ready JSON bundle containing all metadata, signer IP logs, intent capture, and the full hash chain provenance.
Download BundleWebhooks aren't just POST requests. They are HMAC-signed for security and support idempotent retry logic to ensure your backend stays in perfect sync.
Test EndpointDistributed task queue + surgical retry. Failed recipients auto-retry without resending completed ones. Idempotent webhooks guarantee no duplicates.
Common Queries
Self-hosted ephemeral security, immutable audit trails, and 100% data sovereignty starts here.