Security
Every signature is hash-chained and independently verifiable.
Each event is sealed into a SHA-256 chain that breaks visibly if anything is altered, and anyone can confirm a signed PDF at /verify — no account needed. Encryption, access controls, and lifecycle rules round out a defense-in-depth stack.
Defense in depth
Six layers, each independent of the next.
If one layer fails, the others still hold. No single point of trust.
01
Cryptographically hash-chained audit trail
Every action on an envelope — opened, viewed, signed, declined, voided, expired — is written to an append-only event log. Each event's SHA-256 hash includes the previous event's hash, forming a chain that breaks visibly if any row is altered.
02
Independently verifiable — no account needed
Anyone with the envelope ID can visit /verify and confirm the document's original and final SHA-256 hashes (re-hashed from the stored bytes) plus the audit-chain head. If the signed PDF or the chain has been tampered with, the verification page surfaces it immediately.
03
Encryption in transit and at rest
All traffic to KeenDraft is served over TLS 1.2+. PDFs are stored in Supabase Storage (S3-API compatible) with at-rest encryption managed by Supabase. Signed download URLs are short-lived (60–120 seconds) and scoped to a single object.
04
Envelope passwords + magic links
Magic links are signed JWTs scoped to one recipient on one envelope, valid for seven days. Senders can require an additional shared password — stored only as a scrypt hash, never plaintext — before a recipient can access the document.
05
Expiry and revocation
Each envelope has a sender-set expiry. A nightly sweep flips active envelopes to expired and notifies the sender. Senders can void in-progress envelopes at any time — the event log records who voided and why.
06
No-account signers, by design
Signers never create an account. They authenticate via the magic link, optionally re-prompted for the envelope password. Sessions are HttpOnly cookies scoped to that envelope, expiring after two hours of inactivity.
Compliance posture
Live where it counts. Honest about the rest.
KeenDraft is built to meet the legal requirements for electronic signatures under the U.S. ESIGN Act, UETA, and Canada's PIPEDA. Today we deliver Simple Electronic Signatures (SES), with the audit trail ready for AES when our PAdES microservice ships.
- Live
ESIGN Act + UETA (United States)
15 U.S.C. §7001 — consent disclosure, intent, association, retention. Read our consent disclosure.
- Live
PIPEDA (Canada)
Fair information principles for personal data, including consent, limiting collection, and accountability.
- Live
Quebec Law 25
We comply with the cookie-consent and retention requirements that apply to our processing today.
- Practiced
SOC 2
Not yet certified. We follow SOC 2 practices today and intend to pursue Type I once we cross meaningful customer revenue.
- On the roadmap
Advanced Electronic Signatures (AES / PAdES)
Our data model and audit trail are ready to upgrade from Simple Electronic Signatures (SES) to Advanced (AES) when the PAdES microservice ships.
Reporting a security issue
Found something? We'd rather hear about it from you. Send a write-up to security@keendraft.com with steps to reproduce. We respond within two business days and credit researchers in our security log.
Email the security teamOur coordinated approach
- Acknowledge new reports within two business days.
- Provide a timeline for triage and remediation within five business days.
- Credit reporters publicly (with consent) once a fix has shipped.
- Never pursue legal action against good-faith research.
Try it
The whole stack, free for three envelopes a month.
Every layer above ships on day one — not as an enterprise upsell.
No credit card required.