Security Overview

The privacy and security of our customers’ data is our number one priority

Data Encryption In Transit and At Rest

All your documents at rest are encrypted using 256-bit Advanced Encryption Standard (AES). To protect data in transit between SIGN.PLUS apps (currently mobile or web) and our servers, SIGN.PLUS uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.

System Architecture

To increase stability, performance and security, our system architecture is based on an n-tier architecture with multiple layers of protection, including encryption, network configuration, and application-level controls distributed across a scalable, secure infrastructure.

Application Security Testing

Our security team performs automated and manual application security testing on a regular basis to identify and patch potential security vulnerabilities and bugs on our web and mobile applications.

Key Management

Our key management infrastructure, which is used for the encryption of documents at rest, is designed with operational, technical, and procedural security controls, with very limited direct access to keys.

Comprehensive Audit Logs

For every document that goes into the process of signing, there are real-time logs to keep track of any activity that has occurred with information such as name, IP address, email address, device, and much more.

PCI-DSS Compliance

Payment processing in our Web and Android applications relies on two services, both of which are PCI-DSS compliant: Stripe, which processes credit card payments, and PayPal, which processes PayPal payments.
Purchases within our iOS application are made available via Apple’s in-app purchase mechanism.
We do not store any credit card information, only anonymized tokens, as provided by these services.

WAF

Aside from complex network-level firewalls, we use enterprise-class web application firewalls (WAF) to protect our service from attacks such as SQL injection, cross-site scripting, and cross-site request forgery.

Hardware Level Security

All documents are stored in Swiss datacenters that operate from locations conforming to the most restrictive security standards (ISO 27001) and are part of the Cloud Security Alliance (CSA).

DDoS Protection

We make use of a CDN with network capacity 15x bigger than the largest DDoS attack ever recorded to protect our service from potential DDoS attacks.

Swiss Company (Incorporated in Switzerland)

All user data is stored in our Swiss datacenters and is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO), which offer some of the strongest privacy protection in the world for both individuals and corporations. As Alohi SA (SIGN.PLUS) is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.

Report a Security Vulnerability

Our number one priority is the privacy and security of our customers’ data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the security team is committed to working with the community to verify, reproduce and respond to legitimate reports. If you believe you’ve identified a potential security vulnerability, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.

Please email your report to [email protected]