Here are a few ways we protect your data:
Upon request, HelloSign will work to expunge all customer data and solely owned documents from our systems. Documents under legal hold or owned by multiple parties will be deleted upon completion of the legal hold process or upon deletion by the other parties at their discretion.
To initiate a data deletion/data destruction event, please contact email@example.com
We process all payments through our payment provider, Stripe, and do NOT store cardholder data on our servers. HelloSign is PCI compliant for payment processing.
At least annually, HelloSign performs a review of our sub-processors. In the event these reviews have material findings that we determine to present risks to HelloSign or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.
Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practice for the transmission of data to our platform (Transport Layer Security TLS) and data is stored in a SOC 1 Type II, SOC 2 Type I and ISO 27001 certified data centres. Your documents are stored and encrypted at rest using AES 256-bit encryption.
The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time stamped, to provide defensible proof of access, review and signature. The audit trail that is appended to all executed signature requests includes an identifier that we can use to lookup the transaction log in our database.
HelloSign has a formal application security program in place with dedicated application security staff. Additionally, we scan our code for security related issues using static code analysis tools.
To further enhance our application security, we run a bug bounty program and engage multiple times a year with third-party penetration testing teams to ensure our products are secure.
HelloSign uses Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider with Amazon data centres hosting our data within the US. We utilise AWS features like Virtual Private Cloud (VPC), Security Groups, disk level encryption, etc., to ensure the confidentiality of our customer data in the cloud.
Dedicated & Experienced
HelloSign has a formal information security program in place under the Head of Security that leads an information and Risk Management Committee. The Information and Risk Management Committee meets periodically to review security-related initiatives at the product, the infrastructure and the company level.
At HelloSign, employees undergo comprehensive background checks and undergo annual security awareness training.