Compliance

Document and signing flows use encrypted transport and managed storage. Original files and evidence assets remain behind authenticated delivery, while preview assets are only allowed through cache-safe paths when they are explicitly marked for that use.

Workspace-level roles, authenticated sessions, and route-scoped recipient access are used to control who can view or act on documents. Public signing links store hashed tokens, and enterprise identity needs such as SSO are coordinated with the team rather than exposed as a self-serve toggle.

Signing activity is recorded as an append-only event chain with linked hashes across document lifecycle events. Completed packages surface audit history alongside certificate and manifest artifacts, and compliance settings provide export-oriented workflows for evidence review.

The platform runs on managed cloud infrastructure and publishes customer-facing incidents through the public status page. Cache-safe media delivery is separated from protected originals so signed workflows can stay responsive without treating every document asset as public content.

Signelio relies on third-party infrastructure and delivery providers where needed to operate the service. Data-processing and security questions that depend on those vendors should be validated through support or compliance review instead of assumed from generic platform claims.

Operational issues are investigated through support and the public status surface, with incident updates published when customer-facing impact exists. Security or breach handling follows applicable legal obligations and contractual commitments in effect for the affected customer relationship.

Administrative and operational access is governed through internal process rather than exposed in the product UI. If your review requires detailed answers about personnel controls, onboarding, or internal security operations, request a current questionnaire response from the team.

Security review and vulnerability handling are ongoing operational responsibilities, but exact testing cadence and remediation commitments should be confirmed directly for your engagement. Public copy on this page is intentionally limited to controls and workflows that are visible or supportable from the current product surface.

If your organization has residency, sovereignty, or regional processing requirements, scope those needs with the team before relying on a specific storage jurisdiction. Regional handling and related contractual controls are not presented as self-serve guarantees in the current product surface.

For compliance documentation requests, security questionnaires, or to report a vulnerability, please contact our security team. We are committed to transparency and will respond to all inquiries within two business days.