Effective Date: May 26, 2026
Trust & Security
- Company: SIGNBONA LLC
- Contact: security@signbona.com
SignBona is built to help U.S. businesses prepare, send, sign, complete, retain, and verify electronic documents with strong audit evidence. This page explains the security, integrity, and trust controls currently used by SignBona.
SignBona is an electronic signature technology provider. We are not a law firm, and this page is not legal advice. The enforceability of any signed document depends on the document, the parties, applicable law, consent, intent, authority, identity, record retention, and other facts outside SignBona’s control.
1. Security Principles
SignBona is designed around the following principles:
- protect access to accounts, documents, signing links, and completed records;
- preserve evidence of consent, intent, attribution, and signing activity;
- make completed documents verifiable through audit records and integrity checks;
- minimize unnecessary exposure of signer and recipient information;
- use reputable infrastructure and service providers;
- avoid overstating legal, security, or compliance claims.
2. Infrastructure
SignBona uses modern cloud infrastructure and third-party service providers to operate the Services.
Current infrastructure and service providers may include:
- Vercel for hosting, deployment, application delivery, analytics, performance insights, and infrastructure services;
- Supabase for authentication, PostgreSQL database services, storage, and backend infrastructure;
- Stripe for checkout, subscriptions, billing, invoices, and customer portal functionality;
- Resend for transactional email delivery, including signing invitations, one-time passcodes, reminders, completed-document notices, and account emails;
- Sentry for error monitoring, reliability diagnostics, and debugging;
- DigiCert Timestamp Authority for RFC 3161 timestamping in PDF signing workflows.
SignBona may update its providers as the Services evolve. Provider usage is also described in our Privacy Policy.
3. Encryption and Transport Security
SignBona is designed to use HTTPS/TLS for data transmitted between users, browsers, application servers, and supporting services.
Sensitive platform signing key material is encrypted at rest using AES-256-GCM before storage. Authentication secrets, one-time passcodes, and recovery-related data are stored using hashed or protected formats where appropriate.
Some data, such as uploaded PDFs, field values, signatures, audit records, certificates, and completed documents, must remain accessible to the Services in order to generate signed documents, certificates of completion, audit trails, verification records, and downloads.
4. Authentication and Account Security
SignBona account access is protected through authentication controls. Depending on account settings and product availability, users may have access to:
- email and password authentication;
- session management;
- multi-factor authentication using time-based one-time passcodes;
- backup codes stored in hashed form;
- account deletion confirmation workflows;
- security emails and account notices.
Users are responsible for protecting their own credentials, email accounts, devices, sessions, and downloaded documents. We recommend using a strong unique password and enabling multi-factor authentication where available.
5. Authorization and Access Controls
SignBona uses authorization controls designed to limit access to documents, envelopes, templates, account resources, and signing workflows.
Examples of access-control measures may include:
- account-scoped access to owner documents and settings;
- database access controls and row-level security patterns;
- secure signing links generated with high-entropy tokens;
- short-lived signed URLs for document access where appropriate;
- service-role-only operations for sensitive internal workflows;
- restrictions on deleting or modifying completed signing records;
- public verification pages that provide limited integrity status without exposing unnecessary personal information.
Signing links should be treated as sensitive. Anyone with access to a signing link may be able to view or act on a signing request, depending on the workflow and authentication settings.
6. Signing Links and Recipient Authentication
SignBona signing requests use secure, randomly generated signing tokens. These tokens are intended to be difficult to guess and are used to route each recipient to the correct signing workflow.
Where enabled, SignBona may require email-based one-time passcode verification before a recipient can sign. One-time passcodes are time-limited and stored in protected hashed form.
Recipient authentication settings are selected by the sender or account holder. SignBona does not guarantee a signer’s real-world identity unless a specific identity-verification method is provided and successfully completed.
7. Electronic Signature Consent
Before completing a signing workflow, SignBona may require the signer to consent to the use of electronic records and electronic signatures.
SignBona records evidence of that consent, which may include:
- consent version;
- consent language or locale;
- timestamp;
- IP address;
- browser or device user-agent;
- related envelope, recipient, and signing request identifiers.
This consent evidence may be included in the audit trail and certificate of completion.
8. Audit Trail
SignBona records signing-related events to help preserve evidence of what happened during a workflow.
Audit events may include:
- document creation;
- document sending;
- document viewing;
- electronic signature consent;
- one-time passcode events, where enabled;
- signing;
- declining;
- reminders;
- voiding;
- completion.
Audit records may include timestamps, IP addresses, user-agents, recipient identifiers, event types, and related metadata.
9. Tamper-Evident Audit Records
SignBona is designed to make audit records tamper-evident by using a chained integrity model. Signing events are linked together using cryptographic hash-based records so that later verification can detect whether the event chain has been modified.
Tamper-evident does not mean tamper-proof. It means that unauthorized or inconsistent changes to the audit chain are designed to be detectable during verification.
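The chained integrity model described above can be illustrated with a minimal hash chain and verifier. This is an added example, not SignBona's code: the record layout, the all-zero genesis value, the function names, the sample events, and the "valid"/"tampered" return values are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record

def digest(prev_hash, event):
    # Canonical JSON: the same event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(chain, event):
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev_hash,
                  "hash": digest(prev_hash, event)})

def verify_chain(chain, expected_head=None):
    """Return ("valid", None) or ("tampered", index of first bad record)."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev_hash:
            return ("tampered", i)          # record removed, inserted or reordered
        if rec["hash"] != digest(prev_hash, rec["event"]):
            return ("tampered", i)          # event content edited
        prev_hash = rec["hash"]
    # Dropping records from the end leaves a self-consistent chain, so the
    # head hash must also match a copy stored outside the chain.
    if expected_head is not None and prev_hash != expected_head:
        return ("tampered", len(chain))
    return ("valid", None)

def build_sample():
    # Constructed events; 203.0.113.x is a documentation address range.
    chain = []
    for ev in [
        {"type": "sent", "ts": "2026-05-26T10:00:00Z", "recipient": "r1"},
        {"type": "viewed", "ts": "2026-05-26T10:05:00Z", "recipient": "r1", "ip": "203.0.113.7"},
        {"type": "consent", "ts": "2026-05-26T10:06:00Z", "recipient": "r1", "ip": "203.0.113.7"},
        {"type": "signed", "ts": "2026-05-26T10:07:00Z", "recipient": "r1", "ip": "203.0.113.7"},
    ]:
        append_event(chain, ev)
    return chain

if __name__ == "__main__":
    chain = build_sample()
    head = chain[-1]["hash"]
    edited = copy.deepcopy(chain)
    edited[1]["event"]["ip"] = "203.0.113.99"
    print(verify_chain(chain, head), verify_chain(edited, head))
```

A chain of this kind detects edits only if the head hash is held somewhere the editor cannot also rewrite; anyone able to rewrite every record can recompute every hash.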
10. PDF Integrity and Signing
When a document is completed, SignBona may generate a final signed PDF and related certificate of completion.
SignBona’s PDF signing workflow may include:
- stamping completed fields onto the PDF;
- recording SHA-256 document hashes;
- generating integrity logs;
- applying PDF signing controls;
- using PAdES B-T style signing where available;
- using RFC 3161 timestamping through DigiCert Timestamp Authority;
- generating certificate and verification records.
The timestamp authority generally receives a document hash or timestamping request data, not the full document contents.
11. Certificate of Completion
For completed signing workflows, SignBona may generate a Certificate of Completion. The certificate is designed to summarize key evidence associated with the transaction.
A Certificate of Completion may include:
- document title or envelope information;
- envelope identifier;
- signing mode;
- created, sent, viewed, signed, and completed timestamps;
- signer and recipient information;
- electronic signature consent details;
- IP addresses and user-agents associated with signing events;
- one-time passcode verification details, where enabled;
- document hashes;
- PDF signing and timestamping details;
- verification link.
The Certificate of Completion is evidence of the signing workflow. It is not legal advice and does not guarantee that a document is enforceable in every context.
12. Verification Page
Completed documents may include a verification link. The verification page is designed to help confirm whether SignBona’s audit chain and related integrity records appear valid.
Verification results may include statuses such as valid, warning, or tampered. A verification result is a technical integrity signal. It does not determine every legal question related to a document, signer, transaction, authority, or admissibility.
13. Document Retention and Completed Records
Electronic signature systems must preserve evidence. For that reason, completed documents, final signed PDFs, certificates of completion, consent records, audit trails, integrity logs, and related evidence may be retained even after an account is deleted or closed.
Draft documents may be deleted by the account holder or removed when an account is deleted, subject to operational limits. In-progress workflows may need to be voided or expired before deletion. Completed documents may be archived or removed from an account holder’s active view, but may not be permanently deleted if deletion would compromise legal evidence, auditability, transaction integrity, verification, or the rights of other parties.
Retention practices are described in more detail in our Privacy Policy and Terms of Service.
14. Email Security and Delivery
SignBona uses transactional email to deliver signing invitations, one-time passcodes, reminders, completed-document notices, account notices, and support-related messages.
Users should review signing emails carefully. If you receive a suspicious email claiming to be from SignBona, do not click links or download files unless you trust the sender and expected the document.
Report suspicious emails, phishing, fraud, or abuse to abuse@signbona.com.
15. Error Monitoring and Reliability
SignBona uses monitoring tools to detect errors, diagnose failures, and improve reliability. Error monitoring is configured to reduce unnecessary personal information where feasible.
Operational logs, diagnostics, and error reports may be used to investigate service issues, security events, failed signing flows, email delivery problems, payment issues, and abuse reports.
16. Payments and Billing Security
SignBona uses Stripe for payment processing, subscription billing, invoices, and the customer billing portal.
SignBona does not store full card numbers or full payment credentials on its own servers. Payment information is processed by Stripe according to Stripe’s own terms, privacy practices, and payment security obligations.
17. Privacy and Data Handling
SignBona processes personal information according to our Privacy Policy.
We do not sell personal information. We do not use the contents of customer documents to train public artificial intelligence models.
Because users control the contents of documents and templates, users are responsible for ensuring they have the right to upload, send, sign, store, and process the information included in those documents.
18. Responsible Vulnerability Reporting
If you believe you have discovered a security vulnerability in SignBona, contact security@signbona.com.
When reporting a vulnerability, please include:
- a clear description of the issue;
- steps to reproduce the issue;
- affected URLs, accounts, or workflows, if applicable;
- screenshots or proof-of-concept details, if safe to provide;
- your contact information.
Do not exploit the issue, access data that is not yours, disrupt the Services, perform denial-of-service testing, modify or delete data, exfiltrate information, or publicly disclose the issue before we have had a reasonable opportunity to investigate and respond.
19. What SignBona Does Not Currently Claim
Transparency matters. Unless SignBona expressly states otherwise in a signed written agreement or updated public notice, SignBona does not currently claim that the Services are:
- SOC 2 certified;
- ISO 27001 certified;
- HIPAA compliant;
- PCI DSS certified as a merchant system handling full card data;
- eIDAS Qualified Electronic Signature services;
- EU Qualified Trust Service Provider services;
- notarization services;
- legal advice services;
- identity-proofing services for every legal or regulated use case;
- guaranteed to make every document legally valid or enforceable.
SignBona may use reputable providers and technical safeguards, but provider security or compliance does not automatically mean that every customer use case is compliant.
20. User Responsibilities
Security is shared. Users are responsible for:
- protecting account credentials;
- enabling available account security features;
- verifying recipient email addresses before sending documents;
- choosing appropriate signer authentication settings;
- confirming signer authority and identity where required;
- reviewing documents before signing;
- downloading and retaining records they need;
- keeping devices, browsers, and email accounts secure;
- reporting suspicious activity promptly;
- ensuring that their use of SignBona complies with applicable law.
21. Contact
For security questions, vulnerability reports, or suspicious activity, contact:
For abuse, phishing, spam, impersonation, or fraudulent documents, contact:
For privacy matters, contact:
For legal matters, contact:
SIGNBONA LLC
22. Spanish Translation Notice
SignBona may provide Spanish translations of this Trust & Security page for convenience. The English version is the official version. If there is any conflict between the English version and a translated version, the English version controls to the fullest extent permitted by law.