Security
How we protect your data
Authentication, encryption, payment security, and full audit trails — layered defenses that keep your contracts and client data safe.
Authentication & access control
- Two-factor authentication (TOTP with backup codes)
- Layered rate limiting per account and per IP
- Progressive account lockout after repeated failed attempts
- Suspicious activity detection (credential stuffing, distributed attacks, bot patterns)
- IP blocklisting for malicious actors
- Passwords stored as one-way hashes, never in plaintext
- Role-based access control (7 distinct roles)
- Session management: JWT with 30-day expiration, secure cookies
Data encryption
- Encryption at rest: AES-256-GCM for sensitive financial data
- Bank account details encrypted (account numbers, routing numbers)
- Random IVs per encryption operation
- Authentication tags for integrity verification
- Encryption keys managed outside the codebase with strict access controls and separation from application data
Payment security
- Card data handled exclusively by Stripe (a PCI DSS Level 1 certified provider) — raw card data never touches our servers
- Stripe Connect for marketplace payments
- ACH encryption with NACHA compliance
- Plaid integration for secure bank verification
Network security
- HTTPS/TLS 1.3 enforcement
- Secure cookie configuration (__Secure- prefix, httpOnly, sameSite)
- CORS protection
- CSRF token validation
Audit & logging
- Comprehensive audit logs for all user actions
- Login attempt tracking (IP, user agent, timestamp)
- Contract signature tracking (IP, location, device info)
- Document interaction logging
- Security event logging (suspicious activities, lockouts, blocks)