Trust & Compliance

eSignova is built with enterprise-grade security controls and evidence collection practices to support compliance requirements in regulated industries. This page describes our security architecture, audit capabilities, and compliance approach.

Last Updated: March 21, 2026

PKI Digital Sealing

Every document is cryptographically sealed for tamper-evident integrity

Hash-Chained Audits

Cryptographically linked audit logs make tampering detectable

Immutable Archiving

S3 Object Lock buckets ensure completed documents cannot be modified

Security Overview

eSignova implements a defense-in-depth security architecture with multiple layers of protection:

  • Encryption in Transit: All data transmitted between your browser and eSignova is encrypted using TLS 1.2 or higher
  • Encryption at Rest: Documents and sensitive data are encrypted using AES-256 encryption when stored
  • Application Security: Regular security testing, vulnerability scanning, and code reviews
  • Infrastructure Security: Hosted on secure cloud infrastructure with physical and network security controls
  • Access Controls: Role-based access controls, multi-factor authentication support, and principle of least privilege
  • Monitoring & Logging: Continuous security monitoring, intrusion detection, and comprehensive audit logging

PKI Digital Sealing

Every document on every plan is sealed using Public Key Infrastructure (PKI) digital signatures to ensure tamper-evident integrity.

How it works:

  • When a document is uploaded, eSignova generates a cryptographic hash (fingerprint) of the original file
  • When signers complete the document, their signatures are applied and the document is digitally sealed using PKI
  • The digital seal binds the document content, signatures, and metadata together cryptographically
  • Any modification to the sealed document invalidates the digital signature, providing tamper-evident proof
  • The seal can be verified independently to confirm document authenticity and integrity

Standards: eSignova's digital sealing is based on industry-standard PKI cryptography and X.509 digital certificates.

Immutable Audit Trails

eSignova generates comprehensive, hash-chained audit logs for every signing workflow. These logs are cryptographically linked so that tampering is detectable, and they provide verifiable evidence of all workflow events.

What we log:

  • Document upload timestamp and original file hash
  • Sender actions (field placement, recipient configuration, sending)
  • Invitation delivery timestamps and email addresses
  • Document access events (views, IP addresses, timestamps)
  • Verification method completions (email codes, magic links)
  • Signature placement events with timestamps and signer details
  • Document completion timestamp and final file hash
  • Certificate generation and delivery

Hash-Chaining: Each audit log entry is cryptographically hashed and linked to the previous entry, creating an immutable chain. Any attempt to modify or delete an entry breaks the chain, making tampering detectable.
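As an added illustration (not eSignova's code or log format), the sketch below builds and verifies a hash chain of the kind described above. The entry layout, SHA-256, the all-zero genesis value, and the externally stored head hash are assumptions. It also goes one step past the paragraph: removing entries from the end of a chain is only detectable when the latest hash is anchored outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

def entry_hash(prev_hash, event):
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(events):
    chain, prev = [], GENESIS
    for event in events:
        digest = entry_hash(prev, event)
        chain.append({"event": event, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain, anchored_head=None):
    # anchored_head: last entry's hash, kept somewhere the log writer cannot alter.
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: link to previous entry broken"
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, f"entry {i}: content does not match its hash"
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head hash differs from anchored value"
    return True, "ok"

# Constructed sample events, modelled on the event types listed above.
EVENTS = [
    {"type": "document_uploaded", "ts": "2026-03-21T10:00:00Z", "file_sha256": "ab" * 32},
    {"type": "invitation_sent", "ts": "2026-03-21T10:01:00Z", "to": "signer@example.com"},
    {"type": "document_viewed", "ts": "2026-03-21T10:05:00Z", "ip": "203.0.113.7"},
]

def demo():
    chain = build_chain(EVENTS)
    head = chain[-1]["hash"]
    # Same stored hash, altered event content.
    tampered = dict(chain[2], event=dict(chain[2]["event"], ip="198.51.100.9"))
    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(chain[:2] + [tampered], head),
        "entry_deleted": verify_chain(chain[:1] + chain[2:], head),
        "tail_cut_no_anchor": verify_chain(chain[:-1]),
        "tail_cut_anchored": verify_chain(chain[:-1], head),
    }
```

Calling `demo()` returns one `(ok, reason)` pair per scenario; when reviewing any hash-chained log, check where the head hash is anchored, since a chain that is verified only against itself accepts a shortened log.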

Evidence Packages: Completed envelopes include the signed document, full audit trail, verification records, and completion certificate, everything needed for legal defensibility.

Vault Archiving

Completed envelopes are stored in immutable S3 Object Lock buckets to ensure permanent, tamper-proof archiving.

Immutability guarantees:

  • Once written, completed documents cannot be modified or deleted
  • S3 Object Lock prevents overwrite or deletion for a specified retention period
  • WORM (Write Once, Read Many) storage ensures long-term integrity
  • Versioning and backup systems protect against data loss
  • Geographic redundancy ensures availability and disaster recovery

Retention: Completed envelopes are retained according to your subscription plan and legal requirements. You may download evidence packages at any time.

Compliance support: Immutable archiving helps satisfy regulatory requirements for document retention, audit trails, and non-repudiation in industries like healthcare (21 CFR Part 11), finance (SOX), and legal services.

Access Controls & Verification

eSignova implements multiple layers of access controls to ensure only authorized users can access documents and signing workflows.

Sender authentication:

  • Account-based authentication with secure password requirements
  • Optional multi-factor authentication (MFA) for enhanced security
  • Session management with automatic timeout and re-authentication
  • Role-based access controls for team accounts (on qualifying plans)

Signer verification:

  • Magic Links: Unique, time-limited URLs sent to each signer's email address
  • Email Verification Codes: One-time codes sent to the signer's email for additional verification
  • IP address and device logging for audit trail evidence
  • Session security with automatic timeout after inactivity

Document access controls:

  • Time-limited access to signing sessions
  • Encrypted document transmission and storage
  • Access logging for all document views and downloads
  • Revocation capabilities for in-progress envelopes

Data Protection

Privacy by design: eSignova is built with privacy-first principles:

  • Data minimization: we only collect information necessary to provide the Service
  • Purpose limitation: data is used only for stated purposes
  • Transparency: clear disclosure of data collection and processing practices
  • User control: tools to access, export, and delete your data
  • Security safeguards: technical and organizational measures to protect data

Data residency: eSignova is hosted on secure cloud infrastructure. Data may be processed and stored in multiple geographic regions to ensure performance and redundancy.

Third-party vendors: We work with carefully vetted service providers for infrastructure, payment processing, and email delivery. All vendors are bound by confidentiality agreements and process data only as instructed.

Breach notification: In the event of a security incident affecting personal data, we will notify affected users and regulators as required by applicable law.

Compliance Frameworks

eSignova is designed to support compliance with electronic signature laws and data protection regulations:

Electronic Signature Laws

  • ESIGN Act (United States): eSignova's electronic signatures are intended to satisfy requirements for legally binding electronic signatures under the U.S. Electronic Signatures in Global and National Commerce Act
  • UETA (United States): Complies with the Uniform Electronic Transactions Act adopted in most U.S. states
  • eIDAS (European Union): Supports requirements for electronic signatures and electronic identification in EU member states

Data Protection & Privacy

  • GDPR (EU General Data Protection Regulation): Privacy controls, data subject rights, lawful processing bases, and security safeguards
  • CCPA/CPRA (California Consumer Privacy Act): Consumer privacy rights, data transparency, and opt-out mechanisms
  • PIPEDA (Canada): Privacy principles for commercial organizations

Industry-Specific Regulations

  • 21 CFR Part 11 (FDA): Electronic records and electronic signatures in FDA-regulated industries (Note: Validation and qualification are the customer's responsibility)
  • HIPAA (Healthcare): Security and privacy controls for protected health information (Note: Business Associate Agreements available for qualified accounts)
  • SOX (Sarbanes-Oxley): Audit trail and document retention controls for financial reporting

Important: eSignova provides tools and controls to support compliance, but ultimate compliance responsibility rests with you. You are responsible for determining whether eSignova is appropriate for your specific compliance requirements and use cases.

Transparency & Reporting

Security documentation: We provide documentation on our security practices, architecture, and controls to support your due diligence and compliance needs.

Audit-ready reports: Pro Unlimited subscribers can generate one-click compliance reports that include envelope details, audit trails, verification records, and completion certificates.

Incident response: We maintain an incident response plan and will notify affected users of security incidents as required by law.

Questions? For security or compliance questions, contact our trust team at security@esignova.com.

Enterprise Security on Every Plan

PKI digital sealing, immutable audit trails, and vault archiving are included on all eSignova subscription tiers, from Essentials to Pro Unlimited.
