The short version
- Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Every database table uses row-level security so each org sees only its own data.
- Stored credentials (e.g., shopVOX API tokens during migration) live in an encrypted vault, not in plain SQL columns.
- Card data is handled entirely by Stripe; we never see or store it.
- Public proof and estimate links use cryptographically random tokens, not predictable IDs.
- We support responsible disclosure: see Section 7.
1. Hosting and infrastructure
Customer data is stored with a third-party cloud infrastructure provider (database, file storage, authentication), hosted in US East, N. Virginia (AWS us-east-1). Web traffic is served via Vercel (web app + edge cache) with edge caching and built-in DDOS protection.
Both providers are SOC 2 Type II compliant and undergo regular third-party security audits. We benefit from their underlying physical security, network isolation, and infrastructure-level patching.
2. Encryption
In transit: All client-server communication uses TLS 1.2 or higher. HTTP requests are automatically upgraded to HTTPS by our CDN. Mobile app traffic uses certificate pinning for the data API.
At rest: Database storage is encrypted at the disk level (AES-256). Photo storage uses encrypted S3-compatible buckets behind signed URLs. Backups are encrypted with separate keys.
Sensitive credentials: Third-party tokens (e.g., the temporary shopVOX or QuickBooks credentials supplied during a migration or integration) are encrypted with a dedicated key before being stored, and access is logged in a separate audit table.
3. Access controls
Tenant isolation: Every database table that contains customer data has a row-level-security (RLS) policy that scopes access to your organization. Even if a query forgot to add an explicit org filter, the database refuses to return rows from another org. This is the same model that protects your data inside the application; there is no "internal admin" bypass for routine work.
Role-based permissions: Within your organization, the "crew," "admin," and "owner" roles map to distinct permission sets. You configure which roles can see which features in your settings.
Super-admin access: A small number of SignCore engineers have super-admin access for incident response. Every super-admin action is logged in an immutable audit table that you can request a copy of.
4. Public links and tokens
When you share a proof, estimate, or photo with one of your customers via a public link, the link contains a 256-bit cryptographically random token (not a predictable database ID). Tokens are scoped to a single resource and can be revoked at any time.
Public-facing endpoints have rate limiting (5 requests / 60 seconds per token by default) and idempotency-key support to prevent replay attacks.
5. Payment security
All card payments are processed by Stripe. We never see, transmit, or store full card numbers. Stripe handles them entirely on PCI-compliant infrastructure. We only receive a tokenized customer reference and last-four digits for reconciliation.
6. Operational security
Audit logging: Every business-data mutation (create, update, delete) writes to an immutable activity_log table. You can download your org's full audit trail from the dashboard at any time.
Soft-delete: Records you delete from the application are hidden but retained for 30 days. This protects against accidental deletion and gives a recovery window. After 30 days, a daily purge cron permanently removes the record.
Backups: Database point-in-time recovery (PITR) is enabled at the infrastructure level, with rolling 7-day windows. Photo storage is replicated across multiple availability zones.
Dependency hygiene: Application dependencies are scanned for known vulnerabilities; security patches are applied within 7 days of disclosure for high-severity issues, faster for critical ones.
7. Vulnerability disclosure
If you discover a security vulnerability, please report it to security@signcore.io(live when domain finalizes) rather than disclosing it publicly. We commit to:
- Acknowledge your report within 2 business days.
- Provide a status update within 7 business days.
- Credit you in our security disclosures (with your permission) once the issue is fixed.
- Not pursue legal action against good-faith security researchers.
We don't currently run a paid bug bounty program; we may add one as the customer base grows.
8. Incident response
In the event of a security incident affecting your data, we will notify the account owner within 72 hours of confirmed breach detection, with details on:
- What was accessed or affected.
- What we've done to contain it.
- What we recommend you do (e.g., rotate any shared credentials).
We will follow up with a post-incident report once the investigation completes.
9. Compliance posture
SignCore is a small but growing company. We are not yet SOC 2 audited; we plan to pursue Type II certification once we cross the customer-count threshold where it's commonly required (typically around 50+ shops). Our underlying infrastructure providers (Vercel (web app + edge cache), Stripe) are already SOC 2 Type II compliant.
For shops with specific compliance requirements (industry partners requiring vendor-risk reviews, etc.), we're happy to complete questionnaires. Email security@signcore.io(live when domain finalizes).
10. Contact
Security questions: security@signcore.io(live when domain finalizes)
Privacy / data requests: privacy@signcore.io(live when domain finalizes)