Privacy
At HelloSign, we believe that you own your data, and we’re committed to keeping it private. Our privacy policy clearly describes how we handle and protect your information. On an annual basis our independent third-party auditors test our privacy-related controls and provide their reports and opinions, which we can provide to you upon request. To report an issue with privacy, please have a look at our Reporting Security Events page.
Here are a few ways we protect your data:
Data Deletion/Destruction
Upon request, HelloSign will work to expunge all customer data and solely owned documents from our systems. Documents under legal hold or owned by multiple parties will be deleted upon completion of the legal hold process or upon deletion by the other parties at their discretion.
To initiate a data deletion/data destruction event, please contact support@hellosign.com
Payment Info
We process all payments through our payment provider, Stripe, and do NOT store cardholder data on our servers. HelloSign is PCI compliant for payment processing.
Our Sub-Processors
At least annually, HelloSign performs a review of our sub-processors. In the event these reviews have material findings that we determine to present risks to HelloSign or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.
Security Incidents & Reporting
If you see something, say something. If you need to report a potential security incident to HelloSign, please submit a request.
Encryption
Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practice for the transmission of data to our platform (Transport Layer Security TLS) and data is stored in a SOC 1 Type II-, SOC 2 Type I- and ISO 27001-certified data centres. Your documents are stored and encrypted at rest using AES 256-bit encryption.
Audit trails
The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time stamped, to provide defensible proof of access, review and signature. The audit trail that is appended to all executed signature requests includes an identifier that we can use to lookup the transaction log in our database.
Application Security
HelloSign has a formal application security program in place with dedicated application security staff. Additionally, we scan our code for security related issues using static code analysis tools.
To further enhance our application security, we run a bug bounty program and engage multiple times a year with third-party penetration testing teams to ensure our products are secure.
Permissions
It’s imperative that you can control who can do what within the system. Different roles carry different access rights, both in the HelloSign API and in the HelloSign end user product. Learn more about role-based security permissions.
Infrastructure
HelloSign uses Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider with Amazon data centres hosting our data within the US. We utilise AWS features like Virtual Private Cloud (VPC), Security Groups, disk level encryption, etc., to ensure the confidentiality of our customer data in the cloud.
Dedicated & Experienced
Security Team
HelloSign has a formal information security program in place under the Head of Security that leads an information and Risk Management Committee. The Information and Risk Management Committee meets periodically to review security-related initiatives at the product, the infrastructure and the company level.
At HelloSign, employees undergo comprehensive background checks and undergo annual security awareness training.
We also have an acceptable use policy and terms of service for our end users to ensure our customers completely understand how we intend our products to be used and under what terms.