Security

Last updated 10 July 2026

Private beta draft. Signet is in private beta. This document is accurate to how the product works today, but it has not yet had formal legal review and may change before general release. We will tell you before anything material changes. Questions? Email [email protected].

Security is the point of Signet, not an add-on. Here is how the important parts work, in plain terms. Proof and the audit trail are on every plan, including Free.

Encryption

  • In transit: everything travels over encrypted connections (HTTPS/TLS).
  • At rest: stored documents and files are encrypted at rest. Files are held in encrypted object storage, separate from the database.

Data residency

Data is stored with UK and EU residency. We do not host customer data outside the UK and EU. If your organisation has specific residency or compliance requirements, email [email protected] and we will talk them through.

The seal, and why it can be trusted

When an agreement completes, Signet computes a SHA-256 fingerprint of the exact final document and signs a compact statement about it using elliptic-curve cryptography (ECDSA on the P-256 curve). The certificate carries that fingerprint and signature.

Anyone can check a certificate independently, in their own browser, with nothing uploaded and even if Signet is offline. The check proves two things: the document has not changed since it was sealed (integrity), and the certificate genuinely came from Signet and was not forged (origin). Crucially, only the one-way fingerprint is ever involved in verification. The document's contents never leave it and are never made public.

The audit trail

Every event on an agreement (created, sent, opened, signed, sealed) is recorded in an append-only, hash-chained log. Each entry is cryptographically linked to the one before it, so entries cannot be quietly edited, reordered or removed without detection. Each signature records who signed, their consent, the time, and the IP and browser it came from. The trail travels with the certificate of completion.

Accounts and access

  • Sign in with email and password (passwords are stored only as secure hashes), a one-click email magic link, or Google.
  • You can see your active sessions and sign out other devices from Settings, Security.
  • Role-based permissions control what each person in a workspace can do.
  • Two-factor authentication is on our roadmap and not yet available.
  • Signers never create an account. Their secure link is the session, which is why the link should be kept private.

Your data stays yours

We do not sell your data and do not use your documents to train AI models. You can export your whole workspace or delete individual agreements, contacts or the entire workspace from Settings at any time.

Reporting a vulnerability

If you believe you have found a security issue, please email [email protected] with the details. We welcome responsible disclosure and will work with you on it.

Questions about this?

We're happy to explain anything here in plain terms.

Email us