Compliance and Data Security

eSignature compliance

Signable complies with e-signature laws set by the UK and the European Union. We meet and exceed all of the regulations regarding accepting and processing documents signed via electronic signatures:

  • 256-bit SSL encryption on all pages, including signing
  • Detailed audit log stored for each signature action
  • Identification of users verified before permitted to send documents
  • Document integrity checked every step of the way
  • Unique salted fingerprints for each document
  • Secure storage of documents and data
  • Signatory identity verified via email address, timestamps and geo-tracking

Signable complies with the requirements of the eIDAS Regulation, which confirms the legal status of electronic signatures and grants them the same legal validity as pen-and-paper documents.

Data storage

All data stored and processed within Signable stays within the UK. Our infrastructure is hosted in the Amazon AWS data centre in London. This region is also used by many of the top Internet companies and fully complies with all the major certifications. Backups are taken continuously for our key data stores, which include our main databases and documents.

Encryption

All data stored by Signable is encrypted at rest and in transit. The keys required to encrypt and decrypt the data are stored in an HSM provided by AWS, and access to them is restricted to the minimum number of people who require it.

Data access

Access to the data that we hold on behalf of our customers is tightly controlled and governed by an auditable system and process. We ensure that only the minimum number of people required have full access to the infrastructure, and your data is never exposed to third parties. Data access is controlled through your account, and every action is logged and recorded. Internally, members of the Signable team are unable to access the documents within your account. If you require support or assistance relating to a specific document, you must first grant us permission to access your documents. Until then, access is locked down and restricted.

Third party access

Your data, including names, address details and the documents themselves, is never exposed to third parties. Where third-party contractors are used, we vet and regulate them thoroughly, and if data is required for them to perform their role, sample data is provided instead.

Disaster recovery

We maintain plans for handling unexpected issues, tailored to the type of disaster. All of them include the following:

  • Prompt and effective communication to customers on the situation, communicated via Signable’s status page
  • Key people assigned as ‘in charge’ of coordinating the response and reaction
  • Effective gathering of data and logs required to determine the root cause to help diagnose the problem and work towards a solution
  • Feedback loops in place at every stage so that lessons can be learned for future events

For issues that affect the availability of the Signable service, we communicate via our status page. We are able to rebuild our entire infrastructure in a different AWS region or data centre within a few minutes, restoring from the backups held in our backup facilities.

Penetration testing

The Signable infrastructure is scanned daily against the OWASP Top 10 security issues, and any findings are highlighted to the Signable development team. Our infrastructure is also scanned quarterly to comply with our PCI-DSS certification.

“End of business” plans

In the highly unlikely event that Signable is unable to continue trading, all previously signed documents will be provided in an archive file along with any information required to prove that the documents were signed legally and correctly.