OneSign


ZPresso LLC

Sharjah Media City (SHAMS) Free Zone, United Arab Emirates

Questions? legal@onesign.click


Security at OneSign

Last updated: April 17, 2026

OneSign handles documents that matter — contracts, consent forms, offer letters. This page summarises the technical and organisational measures we take to keep them safe. Security is an ongoing programme, and we publish material updates here as the product and infrastructure evolve.

Infrastructure

  • The application and its managed PostgreSQL database run on Railway, on hardened cloud infrastructure with network isolation, automatic patching, and 24/7 operational monitoring.
  • Domain and DNS are managed through Namecheap; DNSSEC and protective registrar settings are enabled.
  • All traffic to the Service is served over HTTPS with TLS 1.2 or higher; older protocols and cipher suites are disabled.

Encryption

  • In transit: TLS 1.2+ for all connections between clients, our edge, and our services.
  • At rest: AES-256 encryption at rest for databases, backups, and persistent storage.
  • Secrets: application secrets and credentials are stored in Railway’s encrypted environment configuration, not in source code.
  • Passwords: account passwords are hashed with a modern adaptive algorithm (bcrypt) with a unique per-user salt; plaintext passwords are never stored or logged.

Access control

  • Least-privilege access for employees and contractors; production access is granted only when required and revoked promptly.
  • Multi-factor authentication is required on administrative and operational accounts.
  • Application access is controlled by signed session cookies and role-based permissions; signing links use unguessable single-use tokens.

Audit trail and signing integrity

Every signing session is recorded with timestamps, signer IP address, browser user-agent, and signing-link token. The completed PDF includes an audit trail that is cryptographically consistent with the signed document so tampering can be detected.

Backups and business continuity

  • Encrypted database backups are taken automatically on a regular schedule; restore procedures are documented and tested.
  • Infrastructure is designed for rapid redeployment from source control.

Secure software development

  • Version control with code review before changes reach production.
  • Automated dependency scanning and prompt patching of known vulnerabilities.
  • Server-side input validation and authorisation checks on all write paths; parameterised database queries via Prisma ORM to prevent injection.
  • Security headers (HSTS, X-Content-Type-Options, Referrer-Policy, a Content-Security-Policy) applied by default.

Incident response

We maintain a documented incident-response plan covering identification, containment, eradication, recovery, and post-incident review. In the event of a personal-data breach affecting you, we will notify you without undue delay and in any event within 72 hours of becoming aware, as set out in our Data Processing Agreement.

Staff

  • Everyone with access to production data or systems is bound by confidentiality obligations.
  • Regular security and data-protection awareness training.
  • Access is reviewed on joiner/mover/leaver events and at least quarterly.

Reporting a vulnerability

We welcome coordinated disclosure. If you believe you have discovered a security issue, please email security@onesign.click with a clear description, steps to reproduce, and — if applicable — proof-of-concept code. Please do not exploit the issue against live user data. We will acknowledge your report within two business days and keep you informed as we work on a fix. We do not pursue legal action against researchers who act in good faith and follow this process.

Trust and compliance

OneSign is a growing product and we are building toward a formal external-audit programme. In the meantime, our Data Processing Agreement covers GDPR Article 28 obligations and our Privacy Policy explains our approach to data protection.

© 2026 ZPresso LLC. All rights reserved.
