Trust & Security

Security & trust at FastContracts

Legally admissible signatures, encrypted data at rest and in transit, row-level tenant isolation, and a tamper-evident audit trail on every contract.

eIDAS · ESIGN · UETA · SOC 2 Type II · GDPR · Tamper-evident audit trail

Data handling

How your contracts, signer data, and audit trails are stored and protected.

Encrypted at rest

Sensitive audit-trail fields (signature data, biometric samples, identity-document payloads, IP, user agent, geolocation) are encrypted with AES-256-GCM before being stored. Database-level encryption at rest is provided by Supabase on top of that.

Encrypted in transit

All traffic between your browser, our servers, and our database uses TLS 1.2 or higher. Signer links, webhook deliveries, and API calls are HTTPS-only.

Data residency

We route personal data to a region consistent with the signer's jurisdiction: US data to us-east-1, Canadian data to ca-central-1, and EU/EEA data to eu-west-1. Enterprise customers can request a specific primary region.

Tenant isolation

Every customer's data is isolated at the database level using Postgres Row-Level Security (RLS). Policies keyed on the authenticated user's ID enforce that you can only ever read or modify rows you own.

Tamper-evident

Audit trail

Every signature on FastContracts records a comprehensive, append-only audit record designed for courtroom and regulator review.

Intent to sign

A discrete intent confirmation is captured before any signature is applied, recording the signer's affirmative decision.

Consent record

ESIGN / UETA / eIDAS consent text shown to the signer, the exact version presented, and the signer's acceptance.

Attribution

Signer email, name, and (when configured) phone or ID-verification reference.

Device + network

IP address, user agent, and browser fingerprint at the moment of signing.

Location

Approximate geolocation derived from the signer's network, stored as a structured record (country, region, city).

Timestamp

UTC timestamp, stored in a timezone-aware database column.

Document hash

SHA-256 hash of the exact document presented to the signer, re-verifiable later to prove the document hasn't changed.

How the tamper-evidence works

Audit events are written to an append-only Postgres table protected by database triggers that reject any attempt to update or delete a row. Each event stores a SHA-256 hash of the document as it appeared to the signer. On download or export we re-hash the current document and compare it to the stored hash so any alteration after signing is immediately detectable.
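The two mechanisms described above under Tenant isolation and How the tamper-evidence works can both be expressed as Postgres DDL. The following is an added illustration written for this page, not FastContracts' own schema: the table and column names (contracts, audit_events, owner_id, document_hash), the use of Supabase's auth.uid() helper for the authenticated user's ID, the pgcrypto digest() function for SHA-256, and the placeholder contract ID are all assumptions.

```sql
-- Added illustration with assumed table names; not the FastContracts schema.
create extension if not exists pgcrypto;  -- provides digest() for SHA-256

-- Tenant isolation: every row carries its owner, and RLS keyed on the
-- authenticated user's ID (Supabase exposes it as auth.uid()) decides
-- which rows a user can read or modify.
create table contracts (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null,              -- assumed: ID of the owning user
  content     bytea not null,             -- the document as presented to the signer
  created_at  timestamptz not null default now()
);

alter table contracts enable row level security;
alter table contracts force row level security;  -- applies to the table owner too

create policy contracts_owner_select on contracts
  for select using (owner_id = auth.uid());
create policy contracts_owner_modify on contracts
  for all using (owner_id = auth.uid()) with check (owner_id = auth.uid());

-- Tamper-evident audit trail: an append-only table that stores the SHA-256
-- hash of the document exactly as it was at the moment of the event.
create table audit_events (
  id            bigint generated always as identity primary key,
  contract_id   uuid not null references contracts(id),
  event_type    text not null,            -- e.g. 'intent', 'consent', 'signature'
  document_hash bytea not null,           -- sha256(contracts.content) at event time
  recorded_at   timestamptz not null default now()
);

alter table audit_events enable row level security;
alter table audit_events force row level security;
create policy audit_read on audit_events
  for select using (exists (select 1 from contracts c
                            where c.id = audit_events.contract_id
                              and c.owner_id = auth.uid()));
create policy audit_append on audit_events
  for insert with check (exists (select 1 from contracts c
                                 where c.id = audit_events.contract_id
                                   and c.owner_id = auth.uid()));

-- Reject UPDATE and DELETE outright; RLS alone would still allow the owner
-- to change their own history, the trigger blocks everyone.
create or replace function reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_events is append-only: % is not permitted', tg_op;
end;
$$;

create trigger audit_events_no_update
  before update on audit_events
  for each row execute function reject_audit_mutation();
create trigger audit_events_no_delete
  before delete on audit_events
  for each row execute function reject_audit_mutation();
-- TRUNCATE bypasses row-level triggers, so refuse it at statement level too.
create trigger audit_events_no_truncate
  before truncate on audit_events
  for each statement execute function reject_audit_mutation();

-- Recording an event: hash the document as it is at that moment.
insert into audit_events (contract_id, event_type, document_hash)
select id, 'signature', digest(content, 'sha256')
from contracts
where id = '00000000-0000-0000-0000-000000000001';  -- placeholder contract id

-- Verification on download/export: re-hash the current document and compare
-- it with the hash stored at signing. A row where hash_matches is false means
-- the document changed after that event was recorded.
select a.id,
       a.event_type,
       a.recorded_at,
       a.document_hash = digest(c.content, 'sha256') as hash_matches
from audit_events a
join contracts c on c.id = a.contract_id
where a.contract_id = '00000000-0000-0000-0000-000000000001';
```

The triggers make ordinary application roles unable to rewrite history, but a role with ALTER or superuser rights can drop or disable them, so the application should connect with a role that owns neither the table nor the trigger definitions. The stored hash is what makes alteration detectable even if that line is crossed, which is why the export-time comparison matters independently of the triggers.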

Access control

Authentication, authorization, and session handling that meet enterprise procurement requirements.

Multi-factor authentication

TOTP-based MFA is available to every user account and is enforced for administrators. Authenticator-app enrollment is self-serve from account settings.

Role-based access inside the workspace

Users can be granted owner, signer, approver, or observer roles on a per-contract basis. Signing-link tokens are scoped to a single party and cannot be reused after completion or expiry.

Single Sign-On (SSO)

SAML/OIDC SSO is available on the Enterprise plan. Talk to sales for IdP configuration (Okta, Azure AD, Google Workspace).

Session handling

Sessions are managed via Supabase short-lived access tokens plus rotating refresh tokens. Sign-out invalidates the refresh token server-side.

Subprocessors

The third-party services we use to deliver FastContracts. This list was reviewed on April 17, 2026. For the canonical, always-current version, see our Data Processing Agreement.

Name | Purpose | Data categories | Location
Supabase | Managed Postgres database, authentication, real-time APIs | All customer and signer data | US, EU, or Canada (region per customer)
OVHcloud | Dedicated server hosting (application compute) | In-flight request data; no primary storage of customer data | Beauharnois, Quebec, Canada
Resend | Transactional email delivery (signing invites, notifications) | Recipient email address, message content | United States
Twilio | SMS one-time-code signer verification | Phone number, OTP code (short-lived) | United States
Sentry | Application error monitoring and CSP violation reporting | Error stack traces, limited request metadata (no contract content) | United States
AWS KMS (optional, for self-managed KMS deployments) | Managed key storage for encryption keys (when enabled) | Encryption keys only; no customer content | Per customer region

Vulnerability disclosure

Found a security issue? We want to hear about it before anyone else does.

What to include

  • A clear description of the issue and its potential impact
  • Steps to reproduce (proof-of-concept code is welcome)
  • Any affected URLs, accounts, or parameters
  • Your name or handle if you want public credit

Safe harbor

We will not pursue legal action against researchers who:

  • act in good faith;
  • give us a reasonable opportunity to remediate before public disclosure;
  • avoid privacy violations (do not access, modify, or destroy other users' data);
  • do not degrade service (no DoS, spam, or social engineering against our staff or customers); and
  • comply with all applicable laws.

We consider activities conducted consistent with this policy to be authorized conduct.

Bug bounty

We do not run a formal paid bug bounty program at this time. We do offer recognition in our security acknowledgments page for meaningful reports, and are evaluating a paid program for launch alongside SOC 2 Type II.

Compliance, certifications & attestations

What we have in place today and what's on the roadmap. We're deliberate about saying only what we can stand behind.

Available

ESIGN Act (United States)

E-signature ceremony produces consent, intent, attribution, and tamper-evident records sufficient for ESIGN Act admissibility.

Available

UETA (United States, state level)

Electronic-record and electronic-signature requirements captured per the Uniform Electronic Transactions Act.

Available

eIDAS (European Union)

Simple Electronic Signatures (SES) by default; Advanced (AES) and Qualified (QES) are available on eligible plans via integrated trust-service providers.

Available

GDPR + Data Processing Agreement

Standard DPA available to all customers. Includes EU Standard Contractual Clauses for cross-border transfers.

Available

CCPA / CPRA (California)

Consumer rights to know, to delete, and to opt out of sale are honored. A 'Do not sell or share my personal information' link is available in the site footer.

Roadmap

SOC 2 Type II

On our 2026 roadmap. We can provide a vendor security questionnaire (VSAQ) and a security summary on request today.

Ongoing security work

Penetration testing

We engage third-party penetration testers to assess the application and its signing ceremonies. A current executive summary is available to enterprise prospects under mutual NDA.

Dependency + CSP monitoring

Runtime errors and CSP violation reports are captured in Sentry. An enforcing Content Security Policy is being rolled out in phases after a Report-Only observation period.

For enterprise procurement reviews

Request our security questionnaire (VSAQ), SOC 2 status summary, or a tailored DPA. We respond within two business days.

This page describes our security and compliance posture at a point in time (reviewed April 17, 2026) and is not legal or security advice. Specific configurations, certifications, and sub-processor arrangements may vary by plan, region, and contractual terms. For the current, contractually binding statement of how your data is processed, see your order form and our Data Processing Agreement. FastContracts provides contract templates and tools, not legal advice — consult a licensed attorney for your specific situation.