Security & Trust
An electronic signature is only as strong as the evidence around it. ArmorSign records the four things that make a signature stand up under the U.S. ESIGN Act and UETA — and stores them so they can't be quietly changed.
Every signer affirms consent to use electronic records and signatures, and that their typed name is their signature. The exact language they saw is recorded verbatim on the certificate.
We compute a SHA-256 hash of the document before and after the certificate is appended. The hash is printed on the certificate and stored in the audit log, so any later alteration is detectable.
Consent and audit events are written to a hash-chained, append-only ledger. There are no update or delete paths — the record is tamper-evident by construction.
Completed records are stored in object-locked, versioned cloud storage with up to seven years of immutable retention.
Industry context · 2024
The e-signature category had three significant security events in 2024. Each exposed a structural weakness that ArmorSign addresses at the architecture level — not with policy, but with how the system is built.
April 2024
Dropbox Sign
Full production database breach. Customer names, emails, phone numbers, hashed passwords, and general account settings were exposed across the platform. Dropbox filed a regulatory disclosure with the SEC.
ArmorSign by design
Per-account data isolation: ArmorSign stores customer data in isolated account contexts. A breach of one account cannot expose another tenant's data or documents.
November 2024
DocuSign
Attackers exploited DocuSign's API to send mass phishing invoices indistinguishable from legitimate DocuSign emails — bypassing enterprise email filters because the sending infrastructure was genuinely DocuSign's.
ArmorSign by design
Scope-limited sending surface: ArmorSign's outbound email is DMARC-signed and limited to initiated envelope events. The API cannot send arbitrary content to arbitrary recipients.
2023–2024
Adobe Acrobat Sign
Adobe's e-sign infrastructure was used as a malware delivery vector — attackers sent documents through verified Adobe channels to distribute infostealers, exploiting the trusted sender reputation.
ArmorSign by design
Hash-locked artifacts: the signed PDF is SHA-256 anchored at signing time and stored in immutable, object-locked storage. There is no mutable link that can be swapped to a different payload after signing.
Sources: public vendor disclosures, SEC regulatory filings, CISA advisories, and security research reports (2023–2024).
Compliance Scorecard
Every control below is enforced at the code level, verified by our secure-development process, and attested to our internal compliance ledger.
Ledger attestation
Enrollment in progress · powered by Miralto
ESIGN / UETA informed consent
Every signer explicitly consents before any action is recorded. The verbatim consent text is stored with the audit event.
ESIGN Act 15 U.S.C. § 7001 · UETA
SHA-256 document integrity anchor
A SHA-256 hash of the finalized signed PDF is recorded on the certificate and stored in the immutable audit ledger.
ESIGN Act 15 U.S.C. § 7001
Append-only consent ledger
Consent events are written via DB triggers to a hash-chained ledger with no UPDATE or DELETE path — tamper-evident by construction.
ESIGN Act · UETA · SOC 2 CC7.2
Verbatim consent language preserved
The exact disclosure text the signer saw is embedded in the signing certificate, not a reference to a policy version.
ESIGN Act 15 U.S.C. § 7001(c)
JWT issuer + audience validation
Every API request validates iss and aud claims on the access token — forged or mis-scoped tokens are rejected at the middleware layer.
SOC 2 CC6.1
Single-use signer magic-links
30-day TTLSigning links are unguessable, single-use tokens that expire after 30 days from the send date.
SOC 2 CC6.1
Per-IP rate limiting
All API surfaces are rate-limited at the edge (240 req/min global; tighter on auth and signer routes) to prevent credential stuffing and abuse.
SOC 2 CC6.1 · SOC 2 A1.2
HTTPS-only API
All API traffic is TLS-terminated at the Fly.io edge — no plain-HTTP surface exists. HSTS is sent on every response.
SOC 2 CC6.1
7-year immutable archival
7-yr Object LockCompleted envelope artifacts are stored in object-locked, versioned cloud storage with a seven-year retention policy — records cannot be silently deleted.
SOC 2 A1.2
Per-account data isolation
Every database query is scoped to the authenticated account ID — no cross-account data leakage path exists at the query layer.
SOC 2 CC6.1
Real-time error tracking
Application errors are captured and alerted via Sentry with no PII in payloads. Consent-chain verification failures are flagged as warnings.
SOC 2 CC7.2
Append-only audit log
Every envelope action (sent, signed, declined, voided, downloaded) is recorded to a tamper-evident audit log. DB-level triggers block UPDATE and DELETE.
SOC 2 CC7.2 · ESIGN Act
Fly.io — compute & database
SOC 2 Type IIApplication runtime and managed Postgres. Fly.io holds SOC 2 Type II covering availability, confidentiality, and security.
SOC 2 CC9.2
Cloudflare — CDN, DNS, DDoS
SOC 2 Type IIGlobal CDN, DNS, WAF, and DDoS protection. Cloudflare holds SOC 2 Type II.
SOC 2 CC9.2
Cloudflare R2 — object storage
SOC 2 Type IISigned artifact storage with Object Lock immutability. Part of Cloudflare's SOC 2 Type II scope.
SOC 2 CC9.2 · SOC 2 A1.2
Mailgun — transactional email
SOC 2 Type IIDMARC-protected transactional email delivery for signer magic-links. Mailgun holds SOC 2 Type II.
SOC 2 CC9.2
Infrastructure SOC 2 reports are available upon request under NDA. Application-level SOC 2 audit: roadmap Q4 2026.
Engineering practices
ArmorSign is built and reviewed under the Armorstack secure-development process (aligned to NIST SSDF).
For ordinary electronic signatures, ArmorSign relies on the recorded hash, immutable storage, and audit trail — the same model the mainstream e-sign vendors use — rather than a self-signed certificate that chains to no trusted authority. Qualified, AATL-anchored signatures are available as a later option when a transaction requires them.
Start free