Security

Every signature is hash-chained and independently verifiable.

Each event is sealed into a SHA-256 chain that breaks visibly if anything is altered, and anyone can confirm a signed PDF at /verify — no account needed. Encryption, access controls, and lifecycle rules round out a defense-in-depth stack.

Defense in depth

Six layers, each independent of the next.

If one layer fails, the others still hold. No single point of trust.

  1. 01

    Cryptographically hash-chained audit trail

    Every action on an envelope — opened, viewed, signed, declined, voided, expired — is written to an append-only event log. Each event's SHA-256 hash includes the previous event's hash, forming a chain that breaks visibly if any row is altered.

  2. 02

    Independently verifiable — no account needed

    Anyone with the envelope ID can visit /verify and confirm the document's original and final SHA-256 hashes (re-hashed from the stored bytes) plus the audit-chain head. If the signed PDF or the chain has been tampered with, the verification page surfaces it immediately.

  3. 03

    Encryption in transit and at rest

    All traffic to KeenDraft is served over TLS 1.2+. PDFs are stored in Supabase Storage (S3-API compatible) with at-rest encryption managed by Supabase. Signed download URLs are short-lived (60–120 seconds) and scoped to a single object.

  4. 04

    Envelope passwords + magic links

    Magic links are signed JWTs scoped to one recipient on one envelope, valid for seven days. Senders can require an additional shared password — stored only as a scrypt hash, never plaintext — before a recipient can access the document.

  5. 05

    Expiry and revocation

    Each envelope has a sender-set expiry. A nightly sweep flips active envelopes to expired and notifies the sender. Senders can void in-progress envelopes at any time — the event log records who voided and why.

  6. 06

    No-account signers, by design

    Signers never create an account. They authenticate via the magic link, optionally re-prompted for the envelope password. Sessions are HttpOnly cookies scoped to that envelope, expiring after two hours of inactivity.

Compliance posture

Live where it counts. Honest about the rest.

KeenDraft is built to meet the legal requirements for electronic signatures under the U.S. ESIGN Act, UETA, and Canada's PIPEDA. Today we deliver Simple Electronic Signatures (SES), with the audit trail ready for AES when our PAdES microservice ships.

  • Live

    ESIGN Act + UETA (United States)

    15 U.S.C. §7001 — consent disclosure, intent, association, retention. Read our consent disclosure.

  • Live

    PIPEDA (Canada)

    Fair information principles for personal data, including consent, limiting collection, and accountability.

  • Live

    Quebec Law 25

    We comply with the cookie-consent and retention requirements that apply to our processing today.

  • Practiced

    SOC 2

    Not yet certified. We follow SOC 2 practices today and intend to pursue Type I once we cross meaningful customer revenue.

  • On the roadmap

    Advanced Electronic Signatures (AES / PAdES)

    Our data model and audit trail are ready to upgrade from Simple Electronic Signatures (SES) to Advanced (AES) when the PAdES microservice ships.

Reporting a security issue

Found something? We'd rather hear about it from you. Send a write-up to security@keendraft.com with steps to reproduce. We respond within two business days and credit researchers in our security log.

Email the security team

Our coordinated approach

  • Acknowledge new reports within two business days.
  • Provide a timeline for triage and remediation within five business days.
  • Credit reporters publicly (with consent) once a fix has shipped.
  • Never pursue legal action against good-faith research.

Try it

The whole stack, free for three envelopes a month.

Every layer above ships on day one — not as an enterprise upsell.

No credit card required.