Security & trust

Serious security. Plainly explained.

This page is maintained by SalesCollab. It describes the controls SignFlow enables today — not a certification, not a legal promise. Where we are still working toward a standard, we say so honestly.

Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Signed PDFs sealed with SHA-256 and a document-scoped key.
Access, minimal by default
Role-based access with owner / admin / sender / viewer. Session-scoped tokens. SSO on Business tier.
You can see every event
Workspace audit log records every send, open, sign, delete and settings change. Exportable to CSV or your SIEM.
Region-locked storage
Pick EU, UK, US or APAC at workspace creation. Documents and PII never leave your region unless you export them.
Controls in effect

What we actually do — not what we promise.

Authentication
  • Email + password with rate limiting
  • Google sign-in
  • SAML SSO (Business tier)
  • Optional MFA on all tiers
Document security
  • SHA-256 hash chain on every event
  • RFC 3161 timestamping on completion
  • Court-admissible audit trail PDF attached to every signed doc
  • Signer identity verified by email or SMS OTP
Data handling
  • Region choice: EU · UK · US · APAC
  • Signed URLs with short TTL for downloads
  • Uploads virus-scanned before storage
  • Deletion is permanent — no soft-delete tombstones after retention window
Operational
  • Automated backups, point-in-time restore
  • Least-privilege staff access, audited quarterly
  • Incident response SLA on Business tier
  • Public status page + subscribable RSS
Compliance status

Where we stand — honestly.

Half the industry lists logos of audits that expired last year. We show current state. If you need a control we haven’t reached yet, tell us — it changes our roadmap priority.

GDPR
In effect
UK GDPR + DPA 2018
In effect
SOC 2 Type I
Audit scheduled Q2
SOC 2 Type II
Target Q4
ISO 27001
Gap analysis complete
HIPAA (BAA)
Business tier · on request
21 CFR Part 11
Roadmap
Data Processing Addendum
GDPR-aligned DPA including SCCs. Signed on request during onboarding.
Sub-processor list
Every vendor that touches customer data, updated when it changes. Subscribe for change notices.
Vulnerability reports
Report a security issue to security@salescollab.example. Responsible disclosure recognised.

Have a security team asking questions?

Point them here. If they need something not on this page — SIG, CAIQ, penetration test summary — we’ll send what we have and be honest about what we don’t.