Security
Every document session runs through encrypted channels, verified identities, and tamper-evident records. The controls your clients and compliance teams expect are on by default — no add-ons required.
Controls
Client interview answers are encrypted at rest using AES-256-GCM authenticated encryption on Pro, Developer, and Enterprise plans. Sensitive fields — SSNs, dates of birth, financial data — are never stored in plaintext.
Every session generates a complete audit record covering session creation, OTP verification, signature event, and submission, each with a precise timestamp, IP address, and device fingerprint. The record is stored independently of the PDF.
Every signed document receives a trusted timestamp from an independent Time Stamping Authority (TSA): cryptographic proof of exactly when it was signed that cannot be altered after the fact.
A SHA-256 hash of every completed PDF is recorded at generation time and stored in the audit trail. Any modification to the file after signing produces a hash mismatch — detectable on verification.
Restrict access to your Docuplete organisation to specific IP addresses or CIDR ranges. Enforce access from your office network or VPN — block all other traffic by default.
Automate user lifecycle management through your identity provider. Users are provisioned and deprovisioned automatically, with no manual seat management for enterprise teams.
Identity verification
Docuplete uses OTP verification to confirm the signer's identity via their email address before accepting a signature — producing a legally defensible audit trail on every submission.
Each document session has its own tokenised URL. The link is single-use — opening it on a different device does not start a separate session.
Before the client can sign, Docuplete sends a one-time code to their email address. They enter it to confirm they control the inbox.
The verified signature event — with timestamp, IP, device, and OTP confirmation — is written to the immutable audit trail and appended to the PDF as a signing certificate page.
In transit
All data between clients, Docuplete's servers, and your integrations is transmitted over TLS. Combined with AES-256-GCM at rest, client data is protected through its entire lifecycle.
Every query is scoped to your organisation. Data from other Docuplete customers is inaccessible by design — enforced at the database and API middleware level.
Docuplete's security architecture — encryption, audit trails, access controls, and tenant isolation — is built around SOC 2 Trust Services Criteria. SOC 2 Type II audit in progress.
We're happy to walk through Docuplete's controls with your security or compliance team.