Every signature on SignForge is backed by 256-bit encryption, cryptographic verification, and an immutable audit trail — hosted on ISO 27001 certified EU infrastructure.
Six layers of security protect every document from upload to verification.
TLS 1.3 protects every connection. SHA-256 hashes verify document integrity at upload and after signing. No unencrypted data leaves your browser.
ECDSA P-256 digital signatures on every verification record. QR codes on signed documents link to a public verification page. Mathematical non-repudiation.
Append-only event log — no user or system process can modify or delete audit events. Every action recorded with IP, user-agent, and exact timestamp.
32-byte cryptographically random signing tokens. Only SHA-256 hashes stored in the database — raw tokens exist only in the signing URL sent to the signer.
JWT with 30-minute expiry and refresh token rotation. bcrypt password hashing. Cloudflare Turnstile CAPTCHA. NGINX + SlowAPI rate limiting.
Content Security Policy, HSTS (1 year), X-Frame-Options DENY, X-Content-Type-Options nosniff. File uploads validated with magic bytes, not just MIME types.
SignForge captures intent, consent, identity, and document integrity — the universal requirements for legally enforceable electronic signatures.
Hosted on Hetzner in Nuremberg, Germany. Enterprise-grade physical and logical security.
Valid through 2028
International standard for information security management. Covers risk assessment, access control, incident management, and continuous improvement.
German Federal Standard
Cloud Computing Compliance Criteria Catalogue from Germany's Federal Office for Information Security. Type 2 verifies operational effectiveness over time.
Nuremberg, Germany
All data stored in Hetzner's Nuremberg data center. No cross-border transfers. GDPR-friendly by default — your data never leaves the European Union.
Enterprise-grade facility
Biometric access control, 24/7 video surveillance, redundant power systems, and multi-layer perimeter security at the data center facility.
Our infrastructure provider, Hetzner Online GmbH, holds ISO 27001:2022 and BSI C5 Type 2 certifications. SignForge inherits these physical and operational security controls as a hosted customer.
We collect the minimum data necessary and give you full control over your information.
All data stored in Germany. No cross-border transfers.
Privacy-first self-hosted analytics. No third-party data sharing.
Only email, name, IP, and user-agent — nothing more.
Delete your account and documents at any time.
Four steps create an unbreakable chain of evidence — from upload to verification.
PDF uploaded. SHA-256 hash computed and stored as original fingerprint.
Signer fills fields. Signatures stamped. New SHA-256 hash computed for signed version.
ECDSA P-256 signature applied. QR code + verification JSON embedded in PDF.
Audit certificate generated with complete event history, both hashes, and verification code.
Verification records are permanent — they survive even if documents are deleted.
Try document verificationDeep-dive into specific laws, security features, and compliance standards.
256-bit encryption. Cryptographic verification. Immutable audit trail. ISO 27001 infrastructure. Free forever.
Get started freeNo credit card required.