With Sign you can rest assured that we have you covered when it comes to secure management of your business systems. Especially with recent evolutions in security law around the world, it’s paramount that businesses ensure the security of their user and customer data through their own internal practices and those of their vendors. Here at Sign, we understand the trust you place in your business software platform to lead the charge when it comes to ensuring your data remains protected.
Sign is SSAE16 Certified, EU-U.S. Privacy Shield Compliant, and GDPR Compliant.
This means we take your security seriously, and have done the work to prove it.
For this document, we’ll dive into the details of each layer in our security and provide most details required by any business owner or IT manager to properly vet Sign has a software vendor. In general, when looking at security Sign breaks apart protections into two categories:
Internal Threats – Having data improperly accessed, exported, or deleted by a user of the system, such as a disgruntled employee deleting all of the business data. Our platform security features explain how your company can design a secure system and mitigate these risks.
External Threats – These are threats related to outside parties like hackers, who may attempt to compromise the system or business data. These threats are mitigated by strong IT policies and systems administration, which Sign takes care of for you. Below we’ll detail our certifications, network infrastructure, and basic IT security policies designed to protect your data.
1. Policies & Certifications
Sign has a robust system of security & privacy policies verified by both internal resources as well as third parties. These policies are reviewed and updated at least once a year, with the last review being in June 2018.
Sign follows the principles of EU Safe Harbor and other Privacy domains. We don’t collect any data from users for our use, except during the payment process which is pretty typical for all web-based services. All other information including a user’s location, email and phone number are needed only for those users to run their business on our platform. For example, if they need to print their address, email and phone number on their proposals or invoices. Sign never uses information provided by our users and hence does not mandate users to provide any of that information. All PII and sensitive information are completely optional.
1.2 GDPR Compliance
Sign is fully compliant with GDPR regulations to be used by companies in Europe (and worldwide) so they can provide that same commitment to their customer privacy. We have formed a team dedicated to managing all data privacy-related inquiries or issues and is also there to support you in your compliance requirements with the guidance you may need for your DPIAs (Data Protection Impact Assessment).
Click here to view our Data Protection Addendum (DPA).https://www.Sign.co/dpa/
1.3 EU-U.S. Privacy Shield Compliance
The EU-U.S. Privacy Shield Framework is designed as an additional set of commitments that Sign makes to ensure the privacy of your data is upheld. This goes above and beyond the required GDPR regulations and is something that Sign voluntarily participates in. You can view Sign’s Privacy Shield status here:
1.4 SSAE16 Certification
Sign utilizes a third party to audit our processes for SSAE16 compliance. The most recent audit was completed in February 2018 and the next review is February 2019. Sign’s most recent certification was for SSAE16 SOC2 compliance.
Third-Party Vulnerability & Penetration Testing
Sign utilizes Symantec and Qualys for malware and vulnerability scans. The malware scans are done on a daily basis and the Qualys scans are done on a weekly basis. We also do on-demand Qualys scans as needed.
1.5 Data Ownership & Deletion Policy
In short, all data is owned by the client and can be deleted on demand at any time. Sign supports a self-delete feature for each account. At this time all business data will be deleted and cleared from rolling backups shortly after. Otherwise, Sign retains basic contact & administrative data, but no client business data. In compliance of GDPR Sign supports the “right to be forgotten” by emailing privacy@Sign.co with a request to delete such sales data. A customer is responsible for managing & deleting their own business data if desired.
2. System & Network Infrastructure
Sign utilizes 3-tier architecture; web, application and data storage. The systems are secured behind a pair of the perimeter firewalls working in an active/standby mode. These firewalls also serve as IDS and IPS. The web tier is on a pair of load balancer appliance. The application and data storage is running on Linux servers. The communication between the layers and to-and-from the internet is encrypted with SSL.
The logical access for systems & database administrators is allowed only to the jump servers, which can be accessed via VPN from the internet. Servers can be accessed only by SSH with username, password and key file from the whitelisted IP’s.
There are no private connections established for any clients or the service providers. The connection to third-party service providers is established over the internet with SSL encryption.
2.1 Hosting Infrastructure
Sign’s production environment is hosted in Fremont, CA where it is collocated at a Hurricane Electric data center. Hurricane Electric operates the largest IPv4 and IPv6 transit networks globally, offering quick transmission of business data worldwide. All physical access is restricted by biometric security with 24×7 on-site monitoring & security. All business data are stored within this primary location, which is a tier 2/3 data center.
2.2 Disaster Recovery Capabilities
Sign systems operate with a continual rolling backup at a maximum interval of 1 hour for every business account. This data is encrypted and transmitted to our DR storage and application environments with hosted Amazon.
We use AWS East zone as our disaster recovery environment. All data is stored encrypted at rest within Amazon S3 buckets, and access is limited onto to our DR AWS account. We have a minimal set of infrastructure designed to mirror a segment of the production environment at Hurricane Electric. This includes required firewalls, load balancers, as well as application and database servers.
In the event of a disaster which makes the production environment, unaccessible Sign will initiate the process to bring the DR environment online with the latest data backups. Our most recent recovery process took about 8 hours to complete.
2.3 Data Encryption
All access to data is provided only through our web, mobile, or API applications. Every connection to the Sign service must be secured by a 256-bit SSL encryption. All data is encrypted in transit, then decrypted to be stored at rest. User passwords used to authenticate with Sign will be salted and hashed and stored in their encrypted form at rest.
2.4 Data Segmentation Between Clients
All data is carefully segmented between each client. Sign operates multiple multi-tenant platforms within our infrastructure. Standard customers are allocated into a series of sharded databases designed to hold a specified amount of business data. Every record of business data is assigned a unique identifier and tagged to the specific organization it belongs to. For enterprise clients, Sign is able to deploy completely segmented databases which can house one or many tenants from a single client.
3. Platform Security Features
3.1 User Authentication & SSO
The standard Sign authentication requires an email address and password for each user. A user can request a password reset on their own, or an administrator can send a password reset request directly to them. Additionally, an administrator has control to disable the user’s ability to reset their own password and enforce the usage of SSO.
3.2 Standard SSO Integrations
Sign has multiple out-of-the-box SSO capabilities. We currently integrate with Office 365, G Suite, and PayPal. The Microsoft and Google services will function with both the consumer and business class products to provide authentication. This includes the ability to log in from the Sign mobile and web apps, and we also have an installable app for G Suite/Office 365 which places an SSO link within their Google/Microsoft web interface.
- The data collected from Office 365 will not be shared with third-party applications.
- The data in transit between Sign and Office 365 are secure and transferred only after appropriate user authentication.
- We do not give governments “backdoor” access to your data.
- The data from Google are not shared with third-party applications and data are shared between Sign and Google only after appropriate user authentication.
- We do not give governments “backdoor” access to your data.
3.3 Custom SAML Authentication
For enterprise clients, Sign has the ability to integrate with any SAML authentication system, such as Microsoft ADFS which can be integrated using SAML 2.0. This custom authentication system is not available in typical Sign deployments and must be requested and implemented individually by the client.
3.4 Session Management Controls
Our application has a configured session length for each company. The default session timeout is set to 11 days, and then firm administrators can change this from their business settings. For companies using SSO, it’s recommended to sync the Sign timeout with your SSO service.
4. Role Based Access Control
A security role is a “profile” that contains a list of specific actions, or privileges that a user can perform. These roles can then be assigned to employees, allowing admins to set up the same level of access for similar employees. One employee can have one or many roles.
A privilege is a single specific action that can be performed and is specific to one app. For example, one basic privilege is “View Contacts”. This privilege allows a user to search & view the details of any contact, but not create, update, or perform any other action. There are a basic set of privileges in each app: Access (Add from App Store), View (read-only), Manage (create/update). Additionally, you can create custom privileges in each app, which come into effect when limiting access to features, fields, and special actions. We’ll cover these in detail below.
System administrators will perform all of the configurations of your roles & privileges in the Employees App settings area, then assign these roles directly to employees in the same app. There are a series of default security roles & privileges available in each app when you sign up, but you can disable/customize these at any time in the settings area.
4.1 Data-Level Access
Data level access is an additional layer of security over access roles. Enabling this setting will restrict access to the individual object, based on whether all users are assigned to that object, or whether they manage a particular person assigned to that object. For example, an organization might have a sales organization with 2 teams of 5 people, each managed by a sales manager, and all lead by a sales director.
This feature enables the sales director to view all records, each sales manager could view their own and their team’s records, and each sales rep could view only their own records. This feature can be turned on or off within each app that supports it individually.
4.2 Collaboration Security
While data level access, controls access to specific records in each of the apps (leads, contacts, cases, etc), collaboration security is the similar concept but applied to the common apps. Collaboration security determines how emails, calendar events, and tasks are shared among employees.
This allows you to keep these objects private to the user and administrators or can be turned into “collaboration mode” which will share these records between users.
4.3 Report & Action-Level Security
Nearly every button, link, report, or action within the system can be restricted to a set of individuals. This is controlled using the same security privileges identified above, but allows businesses to create their own custom privileges, then restrict actions to those users who have such privileges.
Here are some of the most common action-level security restrictions a business might use:
- Restrict export capabilities
- Restrict permanent deletion of data
- Restrict access to reports
- Restrict creation of records in certain apps
- Restrict the ability to perform bulk data changes
4.4 Field-Level Security
While data-level access controls which record a user might be able to view/edit, they still might not have complete access to every field on that record. Sign allows administrators to restrict every field individually using security privileges. An administrator can choose which privilege is required to view a field, edit a field, or submit a value for a field during creation only.
4.5 Search Security
Action-level security can completely remove the ability for a user to run a search, but some companies might have specific limitations required to control the risk of their data being harvested by a malicious employee. Each field can individually be controlled, and an administrator will choose which types of users are allowed to run a search using that field.
5. Complete Audit History
Sign stores two types of audit logs: System Logs, and News Feed. The system logs are internal logs for details such as when/where an account logged in, and what actions they performed. These logs are only accessible to specially credentialed Sign system administration staff for monitoring and investigation of issues. These system logs are maintained for 30 days before deletion.
The news feed feature is the complete audit history available to clients. Every change to the data within the system is automatically captured within the news feed. This will capture the user who performed the action, the time, and the old/new values if something was changed. All field changes, the creation of records, updates to records, deletion of records, or any other activity is captured and visible to Sign administrators. This audit history can be filtered down to a specific rep or record within the platform on demand.