Encryption
All traffic uses TLS 1.3 with modern cipher suites and HSTS preload. At rest, every PDF, audit log, and database row is encrypted with AES-256, with keys managed by the underlying cloud KMS. Backups inherit the same encryption.
Infrastructure
Hosted on Supabase (Postgres + Storage) in the ca-central-1 region (Montreal, Canada). Application tier on Vercel with edge caching. Both providers hold their own SOC 2 Type II reports.
Tenant isolation is enforced at the database layer with Postgres Row Level Security. Policies scope every query to the authenticated user’s organization, so isolation does not depend on application code remembering to add the right filter; there are no application-level shortcuts around it.
Audit trails
Every action — view, sign, decline, void, even hovering over a link — is appended to an immutable audit log. Each entry is timestamped, hashed, and chained to the previous entry, so altering or removing an earlier entry invalidates every hash after it. The chain is sealed when the envelope completes and the seal is embedded in the certificate of completion. See Audit certificates for what that produces.
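The chaining described above, as an added example (illustrative code, not vg-sign's implementation): each entry's hash covers the previous entry's hash, so editing an entry, re-hashing it, or truncating the log all break verification in a different place. The field names, the sample events, and the HMAC seal (a stand-in for whatever the real certificate carries; a production system would use a signature the certificate holder can verify independently) are assumptions made for this example.

```python
# Hash-chained audit log with a completion seal. Added example, not vg-sign's code;
# the field names, the HMAC seal and the sample events are assumptions.
from __future__ import annotations

import copy
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _canonical(obj) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(entry: dict) -> str:
    """SHA-256 over every field except the stored hash; prev_hash is included,
    which is what links each entry to the one before it."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


class AuditChain:
    def __init__(self, envelope_id: str):
        self.envelope_id = envelope_id
        self.entries = []
        self.seal = None

    def append(self, ts: str, actor: str, action: str, detail: str = "") -> dict:
        """Append-only: entries are never edited, and nothing is accepted after sealing."""
        if self.seal is not None:
            raise RuntimeError("chain is sealed; envelope already completed")
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "envelope_id": self.envelope_id,
            "ts": ts,            # server-side timestamp (assumed ISO 8601 UTC)
            "actor": actor,
            "action": action,    # view / sign / decline / void / link_hover / complete
            "detail": detail,
            "prev_hash": prev_hash,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def complete(self, seal_key: bytes) -> dict:
        """Seal the chain: an HMAC over envelope id, entry count and head hash, so that
        truncating or extending the log after completion is detectable."""
        if not self.entries:
            raise RuntimeError("cannot seal an empty chain")
        head = self.entries[-1]["hash"]
        msg = _canonical({"envelope_id": self.envelope_id, "count": len(self.entries), "head": head})
        self.seal = {"head": head, "count": len(self.entries),
                     "mac": hmac.new(seal_key, msg, hashlib.sha256).hexdigest()}
        return self.seal


def verify_chain(envelope_id: str, entries: list, seal: dict, seal_key: bytes) -> tuple[bool, str]:
    """Recompute every hash and link in order, then check the seal. Returns (ok, reason)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(entries):
        if entry.get("seq") != i:
            return False, f"entry {i}: sequence gap"
        if entry["prev_hash"] != expected_prev:
            return False, f"entry {i}: prev_hash does not match previous entry"
        if _entry_hash(entry) != entry["hash"]:
            return False, f"entry {i}: contents do not match stored hash"
        expected_prev = entry["hash"]
    msg = _canonical({"envelope_id": envelope_id, "count": len(entries), "head": expected_prev})
    expected_mac = hmac.new(seal_key, msg, hashlib.sha256).hexdigest()
    if (seal["count"] != len(entries) or seal["head"] != expected_prev
            or not hmac.compare_digest(expected_mac, seal["mac"])):
        return False, "seal does not match chain"
    return True, "ok"


def demo() -> dict:
    """Constructed sample: one envelope, four events, then three tampering attempts."""
    key = b"seal-key-held-by-the-server"  # constructed; would come from the KMS in practice
    chain = AuditChain("env_0001")
    chain.append("2025-01-15T14:02:11Z", "alice@example.com", "view")
    chain.append("2025-01-15T14:02:40Z", "alice@example.com", "link_hover", "terms link, page 3")
    chain.append("2025-01-15T14:05:03Z", "alice@example.com", "sign")
    chain.append("2025-01-15T14:05:04Z", "system", "complete")
    seal = chain.complete(key)

    results = {"intact": verify_chain(chain.envelope_id, chain.entries, seal, key)}

    edited = copy.deepcopy(chain.entries)
    edited[2]["action"] = "decline"                  # rewrite history, leave hashes alone
    results["edited"] = verify_chain(chain.envelope_id, edited, seal, key)

    rehashed = copy.deepcopy(chain.entries)
    rehashed[2]["action"] = "decline"
    rehashed[2]["hash"] = _entry_hash(rehashed[2])   # attacker also fixes that entry's hash
    results["rehashed"] = verify_chain(chain.envelope_id, rehashed, seal, key)

    truncated = chain.entries[:-1]                   # drop the final event entirely
    results["truncated"] = verify_chain(chain.envelope_id, truncated, seal, key)
    return results
```

Each tampering attempt fails at a different layer: a silent edit fails the entry's own hash, an edit with a recomputed hash fails the next entry's prev_hash link, and truncation passes every per-entry check but fails the seal, which is why the seal, not just the chain, has to be what the certificate of completion carries.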
Authentication
Sender accounts use email + password with NextAuth-managed sessions and optional TOTP MFA. Signers verify via an email link plus an optional SMS one-time code (configurable per envelope). Internal API access is OAuth2-only — no static API keys.
Compliance
PIPEDA-compliant by design (Canadian data residency, retention controls, data subject rights). ISO 27001 certification and a SOC 2 Type II report are in progress, with target completion in 2026 — written confirmation available on request.
Vulnerability disclosure
Found something? Report it to security@vg-sign.com. We acknowledge within 48 hours and follow a coordinated disclosure timeline. Eligible reports may receive a bounty — contact us for the current scope.
Penetration testing
We commission an independent third-party penetration test annually; a summary of findings and their remediation is available under NDA to enterprise customers. Automated internal scanning runs on every deploy.