Security

At HelloSign the security and privacy of customer data is our #1 priority

Privacy

At HelloSign, we believe that you own your data, and we’re committed to keeping it private. Our privacy policy clearly describes how we handle and protect your information. On an annual basis our independent third-party auditors test our privacy-related controls and provide their reports and opinions, which we can provide to you upon request. To report an issue with privacy, please have a look at our Reporting Security Events page.

Here are a few ways we protect your data:

Data Deletion/Destruction

Upon request, HelloSign will work to expunge all customer data and solely owned documents from our systems. Documents under legal hold or owned by multiple parties will be deleted upon completion of the legal hold process or upon deletion by the other parties at their discretion.

To initiate a data deletion/data destruction event, please contact support@hellosign.com.

Payment Info

We process all payments through our payment provider, Stripe, and do NOT store cardholder data on our servers. HelloSign is PCI compliant for payment processing.

Our Sub-Processors

At least annually, HelloSign performs a review of our sub-processors. In the event these reviews have material findings that we determine to present risks to HelloSign or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.

Security Incidents & Reporting

If you see something, say something. If you need to submit a potential security incident to HelloSign, please provide a summary report to the HelloSign Security Team as an attachment to abuse@hellosign.com. The Information Security team will evaluate the report and arrange to discuss specifics.

Encryption

Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practice for the transmission of data to our platform (Transport Layer Security, TLS), and data is stored in SOC 1 Type II, SOC 2 Type I and ISO 27001 certified data centres. Your documents are stored and encrypted at rest using AES 256-bit encryption.

Audit trails

The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time stamped, to provide defensible proof of access, review and signature. These records include a hash of the PDF document, which we can compare to the hash of a questionable PDF document to determine whether or not it has been modified or tampered with.
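The tamper check described above, as an added example that is not HelloSign's own code: each audit entry records a SHA-256 hash of the PDF bytes, and a later copy of the document is compared against the recorded value. Chaining the entries so that editing an earlier record breaks later ones is this example's own assumption about how a trail can be made non-editable; the page does not describe HelloSign's storage, and the PDF bytes are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample: stand-in bytes for a signed PDF (not a real document).
SIGNED_PDF = b"%PDF-1.7\n% constructed sample contract, signed by both parties\n%%EOF\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_event(trail: list, action: str, actor: str, document: bytes, ts: str) -> dict:
    """Append an audit entry that commits to the document hash and to the previous entry."""
    prev_hash = trail[-1]["entry_hash"] if trail else "0" * 64
    entry = {"ts": ts, "action": action, "actor": actor,
             "document_sha256": sha256_hex(document), "prev_hash": prev_hash}
    # Canonical JSON so the hash is reproducible when the trail is verified later.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> bool:
    """Recompute every entry hash and check each chain link; any edited field breaks it."""
    expected_prev = "0" * 64
    for entry in trail:
        if entry["prev_hash"] != expected_prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        expected_prev = entry["entry_hash"]
    return True


def document_matches(trail: list, questionable_pdf: bytes) -> bool:
    """Compare a questionable copy against the hash recorded at the last audit event."""
    recorded = trail[-1]["document_sha256"]
    return hmac.compare_digest(recorded, sha256_hex(questionable_pdf))


if __name__ == "__main__":
    trail = []
    append_event(trail, "viewed", "alice@example.com", SIGNED_PDF, "2024-01-01T10:00:00Z")
    append_event(trail, "signed", "bob@example.com", SIGNED_PDF, "2024-01-01T10:05:00Z")
    print("trail intact:", verify_trail(trail))
    print("copy unmodified:", document_matches(trail, SIGNED_PDF))
    print("altered copy flagged:", not document_matches(trail, SIGNED_PDF + b" "))
```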

Application Security

HelloSign has a formal application security program in place with dedicated application security staff. Additionally, we scan our code for security related issues using static code analysis tools.

To further enhance our application security, we run a bug bounty program and engage multiple times a year with third-party penetration testing teams to ensure our products are secure.

Permissions

It’s imperative that you can control who can do what within the system. Different roles carry different access rights, both in the HelloSign API and in the HelloSign end user product. Learn more about role-based security permissions.

Infrastructure

HelloSign uses Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider, with Amazon data centres hosting our data within the US. We utilise AWS features like Virtual Private Cloud (VPC), Security Groups, disk-level encryption, etc., to ensure the confidentiality of our customer data in the cloud.

Dedicated & Experienced Security Team

HelloSign has a formal information security program in place under the Head of Security, who leads an Information and Risk Management Committee. The Information and Risk Management Committee meets periodically to review security-related initiatives at the product, the infrastructure and the company level.

At HelloSign, employees undergo comprehensive background checks and complete annual security awareness training.

We also have an acceptable use policy and terms of service for our end users to ensure our customers completely understand how we intend our products to be used and under what terms.