Security Policy - BoldSign

Data security

BoldSign is hosted on the Google Cloud Platform and Microsoft Azure servers in the US East data center. We use double encryption to protect your data. The data in storage is encrypted twice: once at the service level and once at the infrastructure level with the AES-256 standard. This provides the highest level of assurance that your data is safe and secure.

Physical and environmental security

We do not have any in-house data centers and rely on Microsoft Azure and Google Cloud Platform to manage the physical and environmental security of our servers.

For more details, please refer to the Microsoft and Google data center security policies linked below:

Google Cloud Platform Data and Security
Microsoft Azure Data and Security

Software security

Our application runs on the latest stable version of the Microsoft .NET Framework. We reduce the attack surface by isolating our processes with containerized microservice architecture.

Our application is also automated with a real-time static analyzer tool that does extensive computation and ensures the security of our source code.

All our developers are trained to pay specific attention toward security. Our automated and manual code review processes constantly look for any code that could potentially violate security policies.

Payment security

We process all payments using Stripe, which has been certified as a PCI Level 1 Service Provider. BoldSign does not have access to customers’ credit card data at all.

For more details, read Security at Stripe.

Third-party due diligence

In addition to our regular security reviews, we partner with trusted third-party security companies to perform code reviews and various tests across our product ecosystem.

Attack prevention and mitigation

We use intelligent web application firewalls on our load balancers to protect against DDoS, XSS, and SQL injection attacks.

Penetration testing

BoldSign undergoes regular penetration testing by our in-house security experts and development team to ensure the highest levels of data security.

Monitoring and alerting

Our application and the underlying infrastructure components are actively monitored 24/7. Our engineers are immediately notified in case of an outage. You can view our historical product reliability details on the status page.

Legality and compliance

BoldSign’s eSignatures are legally compliant with U.S. (ESIGN) and international (eIDAS) eSignature laws. We have also ensured compliance with GDPR.

Backups

Our primary database uses a multinode fault-tolerant cluster approach. The database contains backups of every hour for the last 30 days. Other databases use point-in-time recovery (PITR) for any time in the last 30 days.

Data availability

Our distributed architecture enables us to continuously maintain the availability of our application, providing 99.9% durability over a year and enabling users to access their data at any time.

Key Application Security Features

Audit logs

Every document is accompanied by an audit log. All actions performed in the document will be logged with the user details along with IP address and time stamp.

Role-based access control

BoldSign allows you to assign granular access to entities with roles and custom permissions.

Single sign-on (SSO)

Authenticate with and access BoldSign services through an identity provider of your choice using single sign-on.

Data encryption

We use strong encryption standards to protect your data when it is in transit between our app and the server. Your documents are also stored and encrypted using AES 256-bit encryption.

Tamper proofing

The final signed document and audit trail are digitally signed with our AATL certificate to ensure that any further changes can be easily detected.

Long-term validation of signatures

LTV (long-term validation) provides information about the state of the certificate at the time of signing.

This verification certificate stays in the file itself so that it can still be verified later, even if it has expired, been revoked, or the issuing authority is no longer in operation.

Long-term validation of signatures is important to ensure compliance with standards like PAdES (PDF Advanced Electronic Signatures).

BoldSign Security Policy