Security

Protecting your documents is our top priority. Here's how we keep your data safe.

Australian data sovereignty

All data — including uploaded documents, account information, and audit trails — is stored on Australian servers (Supabase Sydney region). Your documents never leave Australia.

Encryption

  • In transit: All connections use TLS 1.2 or higher.
  • At rest: Documents and sensitive data are encrypted using AES-256 on our storage layer.

Audit trails

Every signing event generates a tamper-evident audit trail that records:

  • Signatory name and email address
  • IP address and device information at time of signing
  • Timestamp of each action (viewed, signed, completed)
  • Document hash to detect any post-signing modification

Access control

Documents are only accessible to the sender and invited signatories via unique, expiring secure links. We use row-level security to ensure users can only access their own data.

Authentication

User accounts are protected by secure password hashing (bcrypt). We recommend enabling two-factor authentication — 2FA support is coming soon.

Responsible disclosure

If you discover a security vulnerability, please report it responsibly to security@legalsign.com.au. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly.

Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.