1. Security Overview
Security is foundational to PearSign. As an electronic signature platform handling legally binding documents, we implement defense-in-depth security across every layer of our infrastructure, application, and operations.
Our security program is designed to protect the confidentiality, integrity, and availability of your data and documents at all times.
2. Encryption
AES-256-GCM Encryption
All documents and sensitive data are encrypted at rest using AES-256-GCM, the same standard used by governments and financial institutions.
- In Transit: All data is transmitted over TLS 1.3 with forward secrecy. We enforce HTTPS everywhere with HSTS preloading.
- At Rest: Documents, signatures, and personal data are encrypted using AES-256-GCM with per-tenant encryption keys.
- Key Management: Encryption keys are managed through a secure key management system with automatic rotation.
- Database: PostgreSQL databases use encrypted storage volumes with separate encryption keys.
3. Authentication & Access
- Two-Factor Authentication (2FA): TOTP-based 2FA available for all accounts. Enforced for admin users.
- Session Management: Cryptographically secure session tokens with configurable expiration. Sessions are invalidated on password change.
- Role-Based Access Control: Granular RBAC with per-organization roles and permissions. Row-level security enforced at the database level.
- API Authentication: Bearer token authentication with rate limiting, IP tracking, and usage analytics for all 168 REST API endpoints.
- Brute Force Protection: Automatic account lockout after repeated failed login attempts with progressive delays.
4. Infrastructure
- Hosting: Production infrastructure runs on secure, SOC 2 certified hosting providers with redundant systems.
- Network Security: Firewalls, intrusion detection, DDoS protection, and network segmentation isolate critical systems.
- Multi-Tenant Isolation: Each organization operates in a logically isolated environment with row-level security policies preventing cross-tenant data access.
- Backups: Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate locations.
- Security Headers: Strict-Transport-Security, X-Frame-Options (DENY), X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, and Permissions-Policy enforced on all responses.
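A check for the header policy stated in the last item above, added here as an example and not PearSign's own code. The sample header dicts are constructed, and the HSTS predicate applies the public preload-list requirements (max-age of at least one year, includeSubDomains, preload).

```python
# Added example (not PearSign's own code): check a response's headers against
# the six security headers listed above. The header dicts are constructed samples.
def hsts_preload_ready(value, min_age=31536000):
    """True when an HSTS value meets the preload-list requirements:
    max-age of at least one year, includeSubDomains and the preload token."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                return False
    return max_age >= min_age and "includesubdomains" in directives and "preload" in directives

# Header name -> predicate that decides whether its value is acceptable.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": hsts_preload_ready,
    "X-Frame-Options": lambda v: v.strip().upper() == "DENY",
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "Referrer-Policy": lambda v: bool(v.strip()),
    "Permissions-Policy": lambda v: bool(v.strip()),
}

def check_security_headers(headers):
    """Return {header: finding} for every required header that is missing or weak.
    An empty dict means the response satisfies the policy; lookup is case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, acceptable in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif not acceptable(value):
            findings[name] = f"weak value: {value!r}"
    return findings

# Constructed sample responses: one compliant, one with two common regressions
# (frame-ancestors relaxed to SAMEORIGIN, Permissions-Policy dropped).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {**GOOD_HEADERS, "X-Frame-Options": "SAMEORIGIN"}
del WEAK_HEADERS["Permissions-Policy"]
```

Running `check_security_headers` over each response a deploy pipeline produces turns the policy above into a regression test rather than a one-off configuration.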
5. Compliance & Certifications
SOC 2 Type II
Audited controls for security, availability, and confidentiality.
ESIGN Act
Compliant with U.S. Electronic Signatures in Global and National Commerce Act.
UETA
Compliant with the Uniform Electronic Transactions Act.
eIDAS
Supports European electronic identification and trust services regulation.
We also maintain GDPR-compliant data processing practices with configurable data retention policies and right-to-deletion support.
6. Digital Signatures
PKI Cryptographic Signing
PearSign supports PKCS#12 certificate-based digital signatures, providing cryptographic proof of document integrity and signer identity.
- Audit Trails: Every document action is logged with timestamps, IP addresses, and user identity — creating a complete, tamper-evident audit trail.
- Document Integrity: Cryptographic hashes ensure signed documents cannot be modified after signing without detection.
- Non-Repudiation: PKI signatures provide verifiable proof that a specific individual signed a specific document at a specific time.
7. Data Protection
- Data Retention: Configurable retention policies per organization. Documents can be automatically purged after a defined period.
- Data Portability: Export all your data at any time in standard formats.
- Data Deletion: Full right-to-deletion support. When you delete data, it is permanently removed from all systems including backups within 30 days.
- Access Logging: All data access is logged and auditable. Suspicious access patterns trigger automated alerts.
8. Monitoring & Incident Response
- 24/7 Monitoring: Automated monitoring of all systems with real-time alerting for anomalies.
- Incident Response: Documented incident response plan with defined escalation procedures. Critical security incidents are communicated to affected customers within 24 hours.
- Vulnerability Management: Regular dependency audits, automated security scanning, and penetration testing.
- Uptime SLA: 99.9% uptime commitment backed by our service level agreement.
9. Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue, please contact us at security@pearsign.com. We commit to:
- Acknowledging your report within 48 hours
- Providing regular updates on our investigation
- Not pursuing legal action against good-faith researchers
- Crediting researchers who help improve our security (with permission)
10. Contact
PearSign Security Team
Security inquiries: security@pearsign.com
General support: info@pearsign.com
