Encryption is the first line of defense for sensitive documents. When you send a contract, NDA, or financial agreement for signature, the data passes through multiple systems — and at every step, it must be protected.
TLS 1.3 encryption protects all data in transit via Cloudflare edge network
SHA-256 cryptographic hashing ensures document integrity at every stage
ECDSA P-256 digital signatures provide mathematical non-repudiation
Bcrypt password hashing with adaptive cost factor resists brute-force attacks
32-byte crypto-random tokens — only SHA-256 hashes stored, never raw tokens
Infrastructure: ISO 27001:2022 certified data centers with biometric access control
SignForge implements encryption at every layer. TLS 1.3 encrypts all data in transit between the signer's browser and our servers. At rest, documents are stored on Hetzner infrastructure with physical security controls including biometric access and 24/7 surveillance. Document integrity is ensured through SHA-256 hashing — a cryptographic fingerprint that changes if even a single bit is modified. For an additional layer of verification, ECDSA P-256 digital signatures are applied to every verification record, providing mathematical proof of document authenticity. Passwords are hashed with bcrypt, and signing tokens use 32 bytes of cryptographic randomness with only the SHA-256 hash stored in the database.
TLS 1.3 on all connections — no unencrypted communication possible
SHA-256 document hash computed at upload and recomputed after every modification
ECDSA P-256 cryptographic signatures on all verification records
Bcrypt password hashing with adaptive cost — immune to rainbow table attacks
JWT access tokens with 30-minute expiry and refresh token rotation
Security headers enforced: CSP, HSTS (1 year), X-Frame-Options DENY, X-Content-Type-Options nosniff
SignForge uses TLS 1.3 for data in transit, SHA-256 for document integrity verification, ECDSA P-256 for cryptographic signing of verification records, and bcrypt for password storage. All communication between your browser and our servers is encrypted in transit.
Yes. SHA-256 and ECDSA P-256 are the same cryptographic algorithms used by banks, governments, and major technology companies. Our infrastructure provider (Hetzner) holds ISO 27001:2022 and BSI C5 Type 2 certifications — the highest European security standards.
Each signing link contains a 32-byte cryptographically random token (256 bits of entropy). Only the SHA-256 hash of the token is stored in the database — if the database were compromised, the raw tokens would be unrecoverable. Tokens expire after 30 days.
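The signing-token scheme described above, sketched as an added example (this is not SignForge's code). The class, field names and in-memory dict are assumptions standing in for the real database table; the 32-byte length and 30-day expiry come from the text.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_BYTES = 32                # 256 bits of entropy, as stated above
TOKEN_TTL = timedelta(days=30)  # expiry stated above


def _hash_token(raw: bytes) -> str:
    """Unsalted SHA-256 suffices here: the input is 256 random bits, not a password."""
    return hashlib.sha256(raw).hexdigest()


class SigningTokenStore:
    """Hypothetical in-memory stand-in for the token table."""

    def __init__(self):
        self.rows = {}  # token_hash -> {"document_id", "expires_at"}

    def issue(self, document_id: str, now: datetime) -> str:
        raw = secrets.token_bytes(TOKEN_BYTES)  # OS CSPRNG
        self.rows[_hash_token(raw)] = {
            "document_id": document_id,
            "expires_at": now + TOKEN_TTL,
        }
        # The raw token goes into the signing link only; it is never persisted.
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    def redeem(self, presented: str, now: datetime):
        """Return the document id for a valid, unexpired token, else None."""
        try:
            raw = base64.urlsafe_b64decode(presented + "=" * (-len(presented) % 4))
        except (ValueError, TypeError):
            return None  # malformed link
        if len(raw) != TOKEN_BYTES:
            return None
        row = self.rows.get(_hash_token(raw))  # lookup by hash, never by raw token
        if row is None or now >= row["expires_at"]:
            return None
        return row["document_id"]


if __name__ == "__main__":
    store = SigningTokenStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample date
    token = store.issue("doc-123", t0)              # constructed document id
    print(store.redeem(token, t0 + timedelta(days=29)))
    print(store.redeem(token, t0 + timedelta(days=31)))
```

A dump of `rows` yields only digests, and recovering a link from one means inverting SHA-256 over a 256-bit random input. That is why a fast hash is acceptable for tokens while passwords still need bcrypt.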