Skip to content
ArmorSign

Security & Trust

Defensible by design

An electronic signature is only as strong as the evidence around it. ArmorSign records the four things that make a signature stand up under the U.S. ESIGN Act and UETA — and stores them so they can't be quietly changed.

Intent & consent

Every signer affirms consent to use electronic records and signatures, and that their typed name is their signature. The exact language they saw is recorded verbatim on the certificate.

Document integrity

We compute a SHA-256 hash of the document before and after the certificate is appended. The hash is printed on the certificate and stored in the audit log, so any later alteration is detectable.

Append-only audit trail

Consent and audit events are written to a hash-chained, append-only ledger. There are no update or delete paths — the record is tamper-evident by construction.

Immutable archival

Completed records are stored in object-locked, versioned cloud storage with up to seven years of immutable retention.

Industry context · 2024

Why architecture matters

The e-signature category had three significant security events in 2024. Each exposed a structural weakness that ArmorSign addresses at the architecture level — not with policy, but with how the system is built.

April 2024

Dropbox Sign

Full production database breach. Customer names, emails, phone numbers, hashed passwords, and general account settings were exposed across the platform. Dropbox filed a regulatory disclosure with the SEC.

ArmorSign by design

Per-account data isolation: ArmorSign stores customer data in isolated account contexts. A breach of one account cannot expose another tenant's data or documents.

November 2024

DocuSign

Attackers exploited DocuSign's API to send mass phishing invoices indistinguishable from legitimate DocuSign emails — bypassing enterprise email filters because the sending infrastructure was genuinely DocuSign's.

ArmorSign by design

Scope-limited sending surface: ArmorSign's outbound email is DMARC-signed and limited to initiated envelope events. The API cannot send arbitrary content to arbitrary recipients.

2023–2024

Adobe Acrobat Sign

Adobe's e-sign infrastructure was used as a malware delivery vector — attackers sent documents through verified Adobe channels to distribute infostealers, exploiting the trusted sender reputation.

ArmorSign by design

Hash-locked artifacts: the signed PDF is SHA-256 anchored at signing time and stored in immutable, object-locked storage. There is no mutable link that can be swapped to a different payload after signing.

Sources: public vendor disclosures, SEC regulatory filings, CISA advisories, and security research reports (2023–2024).

Compliance Scorecard

16 controls · all passing

Every control below is enforced at the code level, verified by our secure-development process, and attested to our internal compliance ledger.

Ledger attestation

Enrollment in progress · powered by Miralto

E-Signature Compliance

ESIGN / UETA informed consent

Every signer explicitly consents before any action is recorded. The verbatim consent text is stored with the audit event.

ESIGN Act 15 U.S.C. § 7001 · UETA

PASS

SHA-256 document integrity anchor

A SHA-256 hash of the finalized signed PDF is recorded on the certificate and stored in the immutable audit ledger.

ESIGN Act 15 U.S.C. § 7001

PASS

Append-only consent ledger

Consent events are written via DB triggers to a hash-chained ledger with no UPDATE or DELETE path — tamper-evident by construction.

ESIGN Act · UETA · SOC 2 CC7.2

PASS

Verbatim consent language preserved

The exact disclosure text the signer saw is embedded in the signing certificate, not a reference to a policy version.

ESIGN Act 15 U.S.C. § 7001(c)

PASS

Authentication & Access

JWT issuer + audience validation

Every API request validates iss and aud claims on the access token — forged or mis-scoped tokens are rejected at the middleware layer.

SOC 2 CC6.1

PASS

Single-use signer magic-links

30-day TTL

Signing links are unguessable, single-use tokens that expire after 30 days from the send date.

SOC 2 CC6.1

PASS

Per-IP rate limiting

All API surfaces are rate-limited at the edge (240 req/min global; tighter on auth and signer routes) to prevent credential stuffing and abuse.

SOC 2 CC6.1 · SOC 2 A1.2

PASS

Data Protection

HTTPS-only API

All API traffic is TLS-terminated at the Fly.io edge — no plain-HTTP surface exists. HSTS is sent on every response.

SOC 2 CC6.1

PASS

7-year immutable archival

7-yr Object Lock

Completed envelope artifacts are stored in object-locked, versioned cloud storage with a seven-year retention policy — records cannot be silently deleted.

SOC 2 A1.2

PASS

Per-account data isolation

Every database query is scoped to the authenticated account ID — no cross-account data leakage path exists at the query layer.

SOC 2 CC6.1

PASS

Monitoring & Audit

Real-time error tracking

Application errors are captured and alerted via Sentry with no PII in payloads. Consent-chain verification failures are flagged as warnings.

SOC 2 CC7.2

PASS

Append-only audit log

Every envelope action (sent, signed, declined, voided, downloaded) is recorded to a tamper-evident audit log. DB-level triggers block UPDATE and DELETE.

SOC 2 CC7.2 · ESIGN Act

PASS

Infrastructure SOC 2 Type II

Fly.io — compute & database

SOC 2 Type II

Application runtime and managed Postgres. Fly.io holds SOC 2 Type II covering availability, confidentiality, and security.

SOC 2 CC9.2

PASS

Cloudflare — CDN, DNS, DDoS

SOC 2 Type II

Global CDN, DNS, WAF, and DDoS protection. Cloudflare holds SOC 2 Type II.

SOC 2 CC9.2

PASS

Cloudflare R2 — object storage

SOC 2 Type II

Signed artifact storage with Object Lock immutability. Part of Cloudflare's SOC 2 Type II scope.

SOC 2 CC9.2 · SOC 2 A1.2

PASS

Mailgun — transactional email

SOC 2 Type II

DMARC-protected transactional email delivery for signer magic-links. Mailgun holds SOC 2 Type II.

SOC 2 CC9.2

PASS

Infrastructure SOC 2 reports are available upon request under NDA. Application-level SOC 2 audit: roadmap Q4 2026.

Engineering practices

Hardened from the ground up

ArmorSign is built and reviewed under the Armorstack secure-development process (aligned to NIST SSDF).

A note on cryptographic signatures

For ordinary electronic signatures, ArmorSign relies on the recorded hash, immutable storage, and audit trail — the same model the mainstream e-sign vendors use — rather than a self-signed certificate that chains to no trusted authority. Qualified, AATL-anchored signatures are available as a later option when a transaction requires them.

Start free