In transit
TLS 1.3 on every request. HSTS enabled. No HTTP fallback.
Every document, signature, audit log and account record is hosted on servers physically located in Australia. There is no replica, mirror, or backup of customer data outside Australia. This is the data sovereignty pitch the US-headquartered platforms can't make.
AES-256 at the storage layer. Customer documents are also encrypted with a per-account key derived from your password hash.
Every event in a document's lifecycle — sent, viewed, disclosure accepted, signed, completed — is recorded with:
prevHash) to the hash of the previous event. This chains every event to the one before it. If a single byte of the audit log is altered after the fact — including by us — the chain breaks and the audit page flags it. This is how SignPad makes audits court-defensible by default.
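The chaining described above, as an added example that is not SignPad's own code: each event stores the previous event's hash in `prevHash`, and a verifier recomputes every hash to find the first altered record. Only `prevHash` and the event names come from this page; the other field names, SHA-256, the canonical JSON encoding, the all-zero genesis value and the `trusted_head` check are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prevHash value for the first event in a chain


def event_hash(event):
    """SHA-256 over canonical JSON of every field except the stored hash."""
    body = {k: v for k, v in event.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def append_event(log, kind, actor, timestamp):
    """Append an event whose prevHash commits to the previous event's hash."""
    event = {"type": kind, "actor": actor, "timestamp": timestamp,
             "prevHash": log[-1]["hash"] if log else GENESIS}
    event["hash"] = event_hash(event)
    log.append(event)


def verify_chain(log, trusted_head=None):
    """Return the index of the first bad event, len(log) if the final hash
    differs from an independently stored trusted_head, or None if intact."""
    prev = GENESIS
    for i, event in enumerate(log):
        if event.get("prevHash") != prev or event.get("hash") != event_hash(event):
            return i
        prev = event["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)
    return None


def sample_log():
    """Constructed sample: one document's lifecycle, using the page's event names."""
    log = []
    kinds = ["sent", "viewed", "disclosure accepted", "signed", "completed"]
    for minute, kind in enumerate(kinds):
        append_event(log, kind, "signer@example.com", f"2024-01-01T09:0{minute}:00Z")
    return log


def rehash_from(log, start):
    """Recompute hashes from `start` onward, as a writer with full access could."""
    for i in range(start, len(log)):
        log[i]["prevHash"] = log[i - 1]["hash"] if i else GENESIS
        log[i]["hash"] = event_hash(log[i])
```

An in-place edit or a deleted event is caught by the chain alone; a chain rewritten from the edit onward is only caught when the final hash is compared with a copy held outside the log, which is what `trusted_head` models.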
Every signing email we send is signed with DKIM, aligned with SPF and DMARC, on the signpad.com.au domain. This is what stops your signing links being marked as phishing.
Passwords are hashed with Argon2id (memory cost 64MB, time cost 3, parallelism 4). We never store, log, or transmit your password in plain text. On Business plans, SSO with Google Workspace and Microsoft Entra is available.
We take continuous database snapshots and store them in a separate Australian-region location. Snapshots are encrypted with the same key hierarchy as production data.
The only third parties we share customer data with are:
If you've found a security issue, please email sign@signpad.com.au with the subject line "Security: [short summary]". We respond within 2 business days. We don't yet run a paid bug bounty but we'll send a thank-you and a credit on the page if you'd like.
Targets for the next 12 months:
Security questions: sign@signpad.com.au.