Security

The boring details, on the record.

XOsign treats every signature as a legal record. Here's exactly how we make sure it stays one.

ESIGN / UETA-aligned audit trail

Every meaningful event — created, sent, viewed, signed, declined, voided, expired — lands in an append-only audit log with timestamp, IP, device fingerprint, and explicit consent record. UPDATE and DELETE are revoked on that table at the database level, so even the application can't backdate or erase entries.

SHA-256 document fingerprint

Every signed PDF gets a SHA-256 hash recorded in the audit trail. Anyone can independently verify a copy of the document matches the signed version — no need to trust XOsign.

RFC 3161 trusted timestamp

On completion, the document hash is signed by FreeTSA — an independent RFC 3161 timestamp authority. If XOsign disappeared tomorrow, a third party with the PDF and the timestamp token can still prove when it was signed.

Row-level security on every table

Every database table that holds account data has Postgres row-level security policies pinned to your account_id. Even a maximally-permissioned API key can only see data from your account.

Magic-link sign-in by default

No passwords to leak. Google / Apple OAuth and SMS OTP arrive Monday. Signing as a recipient uses a single-use cryptographic token tied to your email — never logged after issue, never reusable.

Encryption in transit and at rest

TLS 1.3 on every connection. AES-256 at rest on the Supabase Postgres + Storage backend. Service-role keys live only in edge functions; the browser never sees them.

Things we explicitly do NOT do

We do not enforce. XOsign surfaces what the law typically requires and what most contracts include. We never tell a user a contract is unenforceable, decide whether a clause is valid, or hold a document hostage for compliance. Big decisions stay with you and your attorney.

We do not store payment cards. Billing lives in Stripe Checkout / Customer Portal. We hold only the Stripe customer ID.

We do not train on your data. Your contracts are not used to train any model. Our AI work runs through Anthropic on a zero-retention configuration.

Reporting a security issue

Found something? Email security@xosign.ai. We acknowledge every report within 24 hours and aim to fix critical issues within 7 days.

Seguridad · XOsign