InSign Trust & Security

At InSign, the security and privacy of customer data is our #1 priority!

Transparency is ESSENTIAL

InSign’s first priority is to make your experience safe and secure and to ensure you have the information you need to feel comfortable transacting business online. That’s why we created the Trust Center: to give you access to the latest InSign security, compliance, legal, privacy, and system performance information, when and where you need it.

InSign Trust & Security Protocols

At InSign we believe that you own your data, and we’re committed to keeping it private. Our privacy policy clearly describes how we handle and protect your information. On an annual basis, our independent third-party auditors test our privacy-related controls and provide their reports and opinions, which we can then provide to you. To report an issue with privacy, please submit a ticket on our Contact Us page.

Here are a few ways we protect your data:

Data Deletion/Destruction

Upon request, InSign will work to expunge all customer data and solely owned artifacts from our systems. Artifacts under legal hold or owned by multiple parties will be deleted upon completion of the legal hold process or upon deletion by the other parties at their discretion.

To initiate a data deletion / data destruction event, please contact support@insign.io.

Payment Info

We process all payments through our payment provider, Stripe, and do NOT store cardholder data on our servers. InSign is PCI compliant for payment processing.

At least once a year, InSign performs a review of our sub-service providers. In the event these reviews have material findings which we determine present risks to InSign or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.

Reporting an issue with privacy

If you need to submit a request regarding a privacy-related concern, please send it to privacy@insign.io.

Reporting a potential security incident

If you need to submit a potential security incident to InSign, please provide a summary report to the InSign Security Team as an attachment to abuse@insign.io. The security team will evaluate the report and arrange to discuss specifics.

Reporting SPAM

If you think that you’ve received a fraudulent email pretending to come from InSign, send the email as an attachment to abuse@insign.io and delete it.

At InSign, each of your documents is stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. All communications use SSL (Secure Sockets Layer) encryption and all data is stored in a SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data center. Your documents are stored and encrypted at rest using AES 256-bit encryption.

In addition, each document is encrypted with a unique key. As an additional safeguard, each key is encrypted with a regularly rotated master key. This means that even if someone were able to bypass physical security and access a hard drive, they wouldn’t be able to decrypt your data.
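The key hierarchy described above can be sketched as follows. This is an added example, not InSign's code: the function names, the record layout, and the choice of AES-256-GCM as the mode are assumptions (the page states only AES 256-bit), and the sample PDF bytes are constructed.

```ruby
require "openssl"

# Added illustration; every name below is hypothetical, not InSign's implementation.
ALGO = "aes-256-gcm"

# Returns nonce (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new(ALGO).encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ""
  body = c.update(plaintext) + c.final
  nonce + c.auth_tag + body
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or altered bytes.
def unseal(key, blob)
  c = OpenSSL::Cipher.new(ALGO).decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(12, 16)
  c.auth_data = ""
  c.update(blob.byteslice(28, blob.bytesize)) + c.final
end

# Each document gets a fresh 256-bit key; only its wrapped form is stored.
def store_document(master_key, pdf_bytes)
  doc_key = OpenSSL::Random.random_bytes(32)
  { wrapped_key: seal(master_key, doc_key), body: seal(doc_key, pdf_bytes) }
end

def load_document(master_key, record)
  unseal(unseal(master_key, record[:wrapped_key]), record[:body])
end

# Rotation re-wraps the small document key; the document body is untouched.
def rotate(old_master, new_master, record)
  record.merge(wrapped_key: seal(new_master, unseal(old_master, record[:wrapped_key])))
end

SAMPLE_PDF = "%PDF-1.7 constructed sample contract".b # constructed sample data
def demo
  m1, m2 = Array.new(2) { OpenSSL::Random.random_bytes(32) }
  rec = store_document(m1, SAMPLE_PDF)
  rotated = rotate(m1, m2, rec)
  old_key_fails = begin; load_document(m1, rotated); false; rescue OpenSSL::Cipher::CipherError; true; end
  [load_document(m2, rotated) == SAMPLE_PDF, rotated[:body] == rec[:body], old_key_fails]
end
puts demo.inspect if __FILE__ == $0
```

A record copied from disk holds only ciphertext and a wrapped key, so it is unreadable without the master key, which in such a design is held outside the storage tier.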

Each signature on a contract is imposed and affixed to the document. When you request a signature, InSign affixes an audit trail page to the document itself. The audit trail contains a globally unique identifier, or GUID, that can be used to look up a record in our database that shows who signed a document and when. These records include a hash of the PDF document which we can compare to the hash of a questionable PDF document to determine whether or not it has been modified or tampered with.

The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time-stamped, to provide defensible proof of access, review, and signature.

Beyond traditional encryption

InSign protects data in transit between our apps and our servers, and at rest. Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practice for the transmission of data to our platform (Transport Layer Security, TLS), and data is stored in a SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data center. Your documents are stored and encrypted at rest using AES 256-bit encryption.

Rigorous security testing

We regularly test our infrastructure and apps to identify and patch vulnerabilities. We also work with third-party specialists, industry security teams, and the security research community to keep our users and their files safe. Potential security bugs and vulnerabilities can be reported to us on the third-party service HackerOne.

It’s imperative that you can control who can do what within the system. Different roles carry different access rights. For example, administrators control team-wide settings, billing information, and the roles of others.

  • Role-based security – Enables different levels of permissions for different members of a team, ranging from administrative rights to members who have only permissions to view templates and issue signature requests.
  • Signer-specific access codes – Can be assigned to each individual being asked to sign as an extra layer of security.

At InSign we have a dedicated Security Team with a Head of Information Security who is directly responsible for the security of InSign products and services.

Additionally, we have a formal information security program in place that leads an Information and Risk Management Committee. This committee periodically meets to review security-related initiatives at the product, infrastructure, and company level.

To ensure all employees are able to champion the security of customer data, we work to ensure security is embedded in our company culture from day one. Employees undergo comprehensive background checks, sign and follow a code of conduct and acceptable use policies, and undergo periodic security awareness training.

To ensure teams are prepared for the unexpected, InSign performs red team testing against our employee base to ensure they are prepared to act appropriately when faced with a potential security event. In general, we want to ensure we can detect physical, network, and system vulnerabilities by taking an attacker-like approach.
