Security is the point of Signet, not an add-on. Here is how the important parts work, in plain terms. Proof and the audit trail are on every plan, including Free.
Encryption
- In transit: everything travels over encrypted connections (HTTPS/TLS).
- At rest: stored documents and files are encrypted at rest. Files are held in encrypted object storage, separate from the database.
Data residency
Data is stored with UK and EU residency. We do not host customer data outside the UK and EU. If your organisation has specific residency or compliance requirements, email [email protected] and we will talk them through.
The seal, and why it can be trusted
When an agreement completes, Signet computes a SHA-256 fingerprint of the exact final document and signs a compact statement about it using elliptic-curve cryptography (ECDSA on the P-256 curve). The certificate carries that fingerprint and signature.
Anyone can check a certificate independently, in their own browser, with nothing uploaded and even if Signet is offline. The check proves two things: the document has not changed since it was sealed (integrity), and the certificate genuinely came from Signet and was not forged (origin). Crucially, only the one-way fingerprint is ever involved in verification. The document's contents never leave it and are never made public.
The audit trail
Every event on an agreement (created, sent, opened, signed, sealed) is recorded in an append-only, hash-chained log. Each entry is cryptographically linked to the one before it, so entries cannot be quietly edited, reordered or removed without detection. Each signature records who signed, their consent, the time, and the IP and browser it came from. The trail travels with the certificate of completion.
Accounts and access
- Sign in with email and password (passwords are stored only as secure hashes), a one-click email magic link, or Google.
- You can see your active sessions and sign out other devices from Settings, Security.
- Role-based permissions control what each person in a workspace can do.
- Two-factor authentication is on our roadmap and not yet available.
- Signers never create an account. Their secure link is the session, which is why the link should be kept private.
Your data stays yours
We do not sell your data and do not use your documents to train AI models. You can export your whole workspace or delete individual agreements, contacts or the entire workspace from Settings at any time.
Reporting a vulnerability
If you believe you have found a security issue, please email [email protected] with the details. We welcome responsible disclosure and will work with you on it.