Here are a few ways we protect your data:
Upon request HelloSign will work to expunge all customer data and solely owned artifacts from our systems. Artifacts under legal hold or owned by multiple parties will be deleted upon completion of the legal hold process or upon deletion by the other parties at their discretion.
To initiate a data deletion / data destruction event please contact firstname.lastname@example.org
We process all payments through our payment provider, Stripe, and do NOT store cardholder data on our servers. HelloSign is PCI compliant for payment processing.
Our Subservice Providers
At least annually, HelloSign performs a review of our subservice providers. In the event these reviews have material findings which we determine present risks to HelloSign or our customers, we’ll work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.
Security Incidents & Reporting
If you see something say something. If you need to submit a potential security incident to HelloSign please provide a summary report to the HelloSign Security Team as an attachment to email@example.com. The Information Security team will evaluate the report and arrange to discuss specifics.
Documents are stored behind a firewall and authenticated against the sender’s session every time a request for that document is made. We enforce the use of industry best practice for the transmission of data to our platform (Transport Layer Security TLS) and data is stored in a SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data centers. Your documents are stored and encrypted at rest using AES 256-bit encryption.
Court Admissible Audit Trails
The non-editable audit trail ensures that every action on your documents is thoroughly tracked and time-stamped, to provide defensible proof of access, review, and signature. These records include a hash of the PDF document which we can compare to the hash of a questionable PDF document to determine whether or not it has been modified or tampered with.
HelloSign has a formal application security program in place with dedicated application security staff.
Additionally we scan our code for security related issues using static code analysis tools.
To further enhance our application security, we run a bug bounty program and engage multiple times
a year with third-party penetration testing teams to ensure our products are secure.
HelloSign uses Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider with Amazon data centers hosting our data within the U.S. We utilize AWS features like Virtual Private Cloud (VPC), Security Groups, disk level encryption, etc., to ensure the confidentiality of our customer data in the cloud.
Dedicated & Experienced
HelloSign has a formal information security program in place under the Head of Security that leads an information and Risk Management Committee. The Information and Risk Management Committee meets periodically to review security-related initiatives at the product, the infrastructure, and the company level.
At HelloSign employees undergo comprehensive background checks, sign and follow a code
of conduct and acceptable use policy, as well as undergo annual security awareness training.