
Security at Accordsign

Security is the product.

We're building Accordsign with the security posture our customers expect from a contract-signing platform. This page documents exactly what's in place today — and what we're still working on.

Figure: Accordsign audit trail — every signing event recorded, AES-256 encrypted and sealed

Infrastructure

Built on Microsoft Azure, India-hosted by default.

Built on Microsoft Azure

Accordsign runs on Microsoft Azure. Azure itself holds SOC 2 Type II and ISO 27001 certifications at the infrastructure layer — we inherit those infrastructure controls without claiming the application-level certifications for ourselves.

Encryption in transit and at rest

All traffic to and from Accordsign uses TLS 1.2 or higher. Document and metadata storage at rest is encrypted with AES-256 via Azure Storage Service Encryption.

Indian data residency

Primary region: Azure Central India. Failover region: Azure South India. Customer data does not leave the country during normal operations.

Backups, recovery, and DDoS

Daily encrypted backups with 30-day retention. Backups are encrypted independently from production keys. DDoS protection is inherited from Azure's edge network.

Application security

Documents stay locked to the people they're meant for.

Document access control

Documents are stored encrypted in Azure Blob Storage and served only through authenticated requests. Every fetch verifies the requester's ownership server-side — knowing a document URL is not enough to access the document.

Authentication

JWT for API access, cookie-based sessions for the web app, optional Google OAuth single sign-on. Sessions expire automatically. Passwords are hashed; password-reset tokens are single-use and time-limited.

Audit logging

Every action — upload, send, view, sign, decline, download — is logged with timestamp, IP address, device, and authentication method. Audit trails are tamper-evident and downloadable as a separate PDF alongside the signed document.

Third-party data handling

We share customer data only with the service providers strictly required to deliver the service: Microsoft Azure (hosting), SendGrid (transactional email), Razorpay (payments), and the CCA-licensed eSign Service Provider (Aadhaar signing). No data is logged, sold, or shared with anyone else.

Signing security

The signature itself is what matters most.

The cryptography behind Aadhaar eSign happens at a CCA-licensed eSign Service Provider — never on Accordsign servers. The full flow is described on the Aadhaar eSign page.

Aadhaar data isolation

Cryptographic signing is performed entirely by a CCA-licensed eSign Service Provider. Accordsign servers never see, store, or process Aadhaar numbers or biometric data — that exchange happens directly between the signer and the licensed ESP.

Document hash for tamper detection

Every signed document includes a SHA-256 hash recorded in the audit trail. Anyone with the signed PDF can verify at any future point that the file has not been altered since it was signed, by recomputing the hash of the file and comparing it with the recorded value.
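As an added illustration of the check described above (and of the tamper-evident audit trail mentioned under Audit logging), this example is not Accordsign's code: it assumes a hash-chained trail in which each entry covers the previous entry's hash, so that editing or deleting an earlier event breaks every hash after it, and it recomputes the document's SHA-256 against the value recorded at signing. The PDF bytes and the three events are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the bytes of a signed PDF (not a real document).
SIGNED_PDF = b"%PDF-1.7\nconstructed stand-in for a signed contract\n%%EOF\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_event(trail: list, event: dict) -> dict:
    """Append an event whose hash also covers the previous entry's hash (assumed
    chaining construction, not a description of Accordsign's internals)."""
    prev = trail[-1]["entry_hash"] if trail else "0" * 64
    body = json.dumps(event, sort_keys=True)  # canonical encoding so the hash is stable
    entry = {"event": event, "prev_hash": prev, "entry_hash": sha256_hex((prev + body).encode())}
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> bool:
    """Recompute every link of the chain; any edited, removed or reordered entry fails."""
    prev = "0" * 64
    for entry in trail:
        expected = sha256_hex((prev + json.dumps(entry["event"], sort_keys=True)).encode())
        if entry["prev_hash"] != prev or not hmac.compare_digest(entry["entry_hash"], expected):
            return False
        prev = entry["entry_hash"]
    return True


def verify_document(pdf_bytes: bytes, trail: list) -> bool:
    """True only if the trail is intact and the file still matches the hash recorded at signing."""
    if not verify_trail(trail):
        return False
    recorded = next((e["event"]["document_sha256"] for e in reversed(trail)
                     if "document_sha256" in e["event"]), None)
    if recorded is None:
        return False  # no signing event recorded a document hash
    return hmac.compare_digest(sha256_hex(pdf_bytes), recorded)


def build_sample_trail(pdf: bytes = SIGNED_PDF) -> list:
    """Constructed example trail: send, view, then sign with the document hash recorded."""
    trail: list = []
    append_event(trail, {"action": "send", "actor": "owner@example.com", "ts": "2024-01-01T10:00:00Z"})
    append_event(trail, {"action": "view", "actor": "signer@example.com", "ts": "2024-01-01T10:05:00Z"})
    append_event(trail, {"action": "sign", "actor": "signer@example.com",
                         "ts": "2024-01-01T10:06:00Z", "document_sha256": sha256_hex(pdf)})
    return trail
```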

Signing order enforcement

When sequential signing is required, order is enforced at the server level. Recipients cannot sign out of order even if they share the document link with each other.
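The server-side checks described above (single-use signing links, ownership verified on every fetch, and signing order enforced regardless of who holds a link), as an added example that is not Accordsign's code. It assumes a simple in-memory envelope model with an ordered recipient list; all names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Recipient:
    email: str
    # Unpredictable per-recipient secret carried by the single-use signing link.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    signed: bool = False


@dataclass
class Envelope:
    owner: str
    recipients: list        # ordered; index 0 signs first when sequential is True
    sequential: bool = True


class SigningError(Exception):
    pass


def current_turn(env: Envelope):
    """Index of the recipient whose turn it is, or None once everyone has signed."""
    for i, r in enumerate(env.recipients):
        if not r.signed:
            return i
    return None


def lookup(env: Envelope, token: str):
    # Constant-time comparison so the check does not leak how much of a token matched.
    for r in env.recipients:
        if secrets.compare_digest(r.token, token):
            return r
    return None


def sign(env: Envelope, token: str) -> str:
    """Consume a signing link. Reused or out-of-order links are rejected on the server,
    so forwarding a link to another recipient does not let them sign early."""
    r = lookup(env, token)
    if r is None:
        raise SigningError("unknown link")
    if r.signed:
        raise SigningError("link already used")
    if env.sequential and env.recipients[current_turn(env)] is not r:
        raise SigningError("not this recipient's turn yet")
    r.signed = True
    return r.email


def can_fetch(env: Envelope, requester_email: str) -> bool:
    """Ownership check performed on every fetch: knowing the document URL is not enough."""
    return requester_email == env.owner or any(r.email == requester_email for r in env.recipients)
```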

Signer identity verification

Signers receive a unique, single-use signing link by email. For high-trust workflows, Aadhaar OTP authentication verifies the signer's identity before signing completes — see the Aadhaar eSign page for the full flow.

Compliance

Where Accordsign stands today — precisely.

We use precise language about compliance. We do not claim certifications we don't hold; we say "architected to" or "designed for" frameworks where we meet the substance but haven't completed a formal audit.

SOC 2
Architected to SOC 2 standards. Formal SOC 2 Type II readiness assessment is on the roadmap; we will publish the SOC 2 report once the audit completes.
ESIGN Act (US)
ESIGN Act compliant for US transactions. Signature workflows capture intent, consent to electronic records, signature-to-record association, and an audit trail per ESIGN requirements.
UETA (US states)
UETA compliant. Electronic signatures captured on Accordsign meet the four UETA criteria: intent to sign, consent to do business electronically, signature attribution, and record retention.
IT Act 2000 (India)
IT Act 2000 compliant for Indian transactions, including Section 3A for Aadhaar electronic signatures. Signed records are admissible as evidence under Bharatiya Sakshya Adhiniyam 2023 Section 63.
DPDP Act 2023 (India)
DPDP Act 2023 compliant. We process personal data only as required to deliver the service, retain it only as long as needed, and never sell or repurpose it.
HIPAA (US healthcare)
Designed for HIPAA frameworks. We can discuss BAA arrangements with enterprise customers handling protected health information — contact our team for specifics.

Privacy

What we collect, what we don't, and what we never will.

  • We collect only what is needed to deliver the service.

  • We do not sell customer data.

  • We do not use customer documents to train AI models.

  • We share customer data only with the service providers required to deliver the product (listed under Application Security above).

  • Customers may request access, correction, export, or deletion of their data at any time.

For the full breakdown, see our Privacy Policy. Customer-facing terms are in our Terms & Conditions.

Responsible disclosure

Found a security issue?

Email connect@accordsign.app with "Security:" in the subject line. We respond within one business day. Researchers acting in good faith won't face legal action — but please don't access data that isn't yours, and give us a reasonable disclosure window before publishing. We're a small team and we read every email that comes in.

What's next

Where we still have work to do.

We're transparent about what's done and what's coming. If a security feature you need isn't here yet, ask — we'll tell you honestly whether it's near-term, mid-term, or out of scope.

  • Formal SOC 2 Type II audit

    On the 12-month roadmap.

  • Independent annual penetration test

    Scheduled.

  • Public status page

    Planned at status.accordsign.app.

  • Public bug bounty programme

    Under consideration.

Get in touch

How to reach us.

Security, privacy & general
Vulnerability reports, DPDP questions, partnerships, anything else. Use "Security:" or "Privacy:" in the subject line to route faster.
connect@accordsign.app
Existing customer support
Account, billing, product help.
support@accordsign.app