Security

Last updated: June 26, 2026

This page describes current product and infrastructure controls designed to protect forms, documents, submissions, and signing evidence.

Access control

  • Creator accounts authenticate through Supabase Auth or the configured auth provider.
  • Workspace access uses role-based permissions with owner, editor, and viewer roles.
  • Respondents and signers use unguessable tokenized links rather than accounts.
  • Password-protected recipient and signer links store bcrypt hashes, not plaintext passwords.

Data protection

  • Data is transmitted over HTTPS in production.
  • Database and object storage are provided by Supabase infrastructure.
  • Service-role storage and database access are server-only.
  • File and response access is scoped through workspace or token checks.

Audit and evidence

  • Document signing records consent, signer metadata, visit events, field events, submission events, and PDF generation events.
  • Completed signing workflows can record PDF hashes and cryptographic verification seals.
  • Workspace owners can place legal holds on form recipients and document submissions.

Security review status

This page describes current product controls. It is not a SOC 2, ISO 27001, HIPAA, or PCI certification statement. Customers with regulated workloads should complete a security review and request contractual terms before production use.

Contact

Questions about this page or a compliance review? Contact us.