Trust Center

Is SignBolt secure and compliant?

SignBolt signatures are legally binding under the US ESIGN Act, EU eIDAS Regulation, and Australia's Electronic Transactions Act 1999. Documents are SHA-256 audit-trailed, encrypted in transit, and stored in the United States on Supabase-managed infrastructure. This page lists security controls, compliance status, sub-processors, and vulnerability reporting.

ETA 1999ESIGNeIDASSOC2 preparing

Compliance status

ETA 1999 (AU)

✅ compliant (Simple Electronic Signature)

ESIGN Act (US)

✅ compliant

eIDAS (EU)

✅ compliant (Simple Electronic Signature tier)

UK Electronic Communications Act 2000

✅ compliant

SOC2

🟡 preparing (target Q3 2026)

HIPAA

⚪ not applicable (not a healthcare platform)

GDPR

DPA available on request

GDPR DPA requests go to [email protected].

Security overview

Encryption: TLS 1.3 in transit (HSTS preload) · AES-256 at rest (Supabase-managed)
Headers: strict CSP, frame-ancestors 'none', HSTS preload, MIME-sniffing disabled
Sessions: HMAC-SHA256 signed, httpOnly, Secure, SameSite, 90-day TTL
Audit trail: every signed document gets a SHA-256 hash + ISO-8601 timestamp + signer identity + IP/UA; any byte change invalidates the certificate (independently checkable at /verify)

Read our full security overview →

Sub-processors

These providers support payments, email, hosting, analytics, sign-in, and translation.

Provider	Purpose	Data	Region
Stripe	Payments + subscriptions	Email, payment metadata	US / AU
Resend	Transactional email	Email, name	EU
Supabase	Database + auth + storage	All account & document data	US (east-1)
Vercel	Hosting + edge network	Request metadata, logs	Global
PostHog	Product analytics	Anonymous/ pseudonymous events	US
Google (One Tap / OAuth)	Optional sign-in	Email, name, Google ID	Global
Google Analytics	Site analytics	Pseudonymous usage events	Global
Google Ads	Conversion measurement	Pseudonymous conversion events	Global
Google Translate	On-page locale translation	Page text only	Global

Last updated 2026-05-27. Email [email protected] to be notified of sub-processor changes.

Vulnerability disclosure policy

We welcome reports from security researchers.

Report to: [email protected]

PGP key fingerprint placeholder: /trust/signbolt-security.asc

Response SLA: acknowledgement within 48 business hours, status update within 7 days.

Safe harbour: SignBolt won't pursue legal action for good-faith research that respects the rules listed below.

Rules

No DoS.
No social engineering.
No accessing other users' data.
No destructive testing.

Out of scope: physical attacks, social-engineering attacks, and brute-forcing rate limits.

Data handling

Account and document data is stored in the United States (Supabase, us-east-1).

Document retention follows the active account and plan storage rules in the Terms of Service.
No use for AI training under Terms of Service Section 8: Your Documents, Your Property.
Export: download signed documents from /dashboard at any time when they are available in your account.
Erasure right (GDPR Article 17): email [email protected]; deletion requests are handled within 30 days.
AU data residency is on the roadmap — email [email protected] to discuss.

Reporting & contact

General security

[email protected]

Legal

[email protected]

Privacy / GDPR requests

[email protected]

Abuse

[email protected]

We acknowledge security reports within 48 business hours.

Frequently asked questions

Is SignBolt SOC2 certified?: No. SignBolt is preparing for SOC2 with a target of Q3 2026, but is not certified today.
Does SignBolt use my documents to train AI?: No. SignBolt's Terms of Service state that document content is not used to train any machine learning model, AI system, or analytical product.
How do I report a security vulnerability to SignBolt?: Email [email protected] with the subject [security-disclosure]. We acknowledge security reports within 48 business hours.
Where is SignBolt data stored?: Account and document data is stored in the United States through Supabase us-east-1. Hosting and edge request metadata may be processed globally by Vercel.
Is an electronic signature legally binding in Australia?: Yes, for common commercial documents when the method identifies the signer, indicates approval, and the other party consents under Australia's Electronic Transactions Act 1999.

Need a procurement answer?

For DPA requests, security review questions, or abuse reports, use the listed mailboxes so the request reaches the right workflow.

Sign a Document Free

Is SignBolt secure and compliant?

ETA 1999ESIGNeIDASSOC2 preparing

Provider

Purpose

Data

Region

Stripe

Payments + subscriptions

Email, payment metadata

US / AU

Resend

Transactional email

Email, name

Supabase

Database + auth + storage

All account & document data

US (east-1)

Vercel

Hosting + edge network

Request metadata, logs

Global

PostHog

Product analytics

Anonymous/ pseudonymous events

Google (One Tap / OAuth)

Optional sign-in

Email, name, Google ID

Global

Google Analytics

Site analytics

Pseudonymous usage events

Global

Google Ads

Conversion measurement

Pseudonymous conversion events

Global

Google Translate

On-page locale translation

Page text only

Global

Frequently asked questions

Is SignBolt SOC2 certified?

No. SignBolt is preparing for SOC2 with a target of Q3 2026, but is not certified today.

Does SignBolt use my documents to train AI?

No. SignBolt's Terms of Service state that document content is not used to train any machine learning model, AI system, or analytical product.

How do I report a security vulnerability to SignBolt?

Email [email protected] with the subject [security-disclosure]. We acknowledge security reports within 48 business hours.

Where is SignBolt data stored?

Account and document data is stored in the United States through Supabase us-east-1. Hosting and edge request metadata may be processed globally by Vercel.

Is an electronic signature legally binding in Australia?

Yes, for common commercial documents when the method identifies the signer, indicates approval, and the other party consents under Australia's Electronic Transactions Act 1999.