The boring, important details.

Legal compliance.

• ESIGN Act (United States, 2000). Electronic signatures executed through CyberSygn have the same legal weight as ink signatures. We collect intent, attribution, and a tamper-evident record.
• UETA (United States). Applicable in 49 states. We provide the consumer-disclosure language required by §103.
• eIDAS (European Union). CyberSygn signatures qualify as Simple Electronic Signatures (SES) under eIDAS. Qualified Electronic Signatures (QES) require dedicated certificate authorities and are on our 2026 roadmap.

Audit certificate.

Every signed document we produce ships with a one-page audit certificate listing:

• SHA-256 fingerprint of the original PDF bytes
• Every signer's name, email, IP address, and timestamp
• Every signing event (invite, view, sign, decline, complete) with timestamps
• The document's CyberSygn ID, sender, and creation timestamp

Keep the audit certificate with the signed PDF. It is the contemporaneous record of who signed what and when.

SOC 2.

SOC 2 Type 1 — in progress. We are working through Vanta's controls framework. Target completion: Q3 2026. Type 2 follows 6 months after Type 1.

Until then, we publish our security controls explicitly so customers can evaluate them directly.

Data flow.

• Detection runs in your browser. The first pass of field detection executes entirely in JavaScript on the visitor's device. The PDF does not leave the page until the sender clicks Send.
• Storage is Cloudflare KV + R2. Your documents are stored only on Cloudflare, our sole infrastructure provider, encrypted at rest. No additional third party holds your document. KV encrypts at rest. R2 encrypts at rest.
• Transit is TLS 1.3. Every connection from browser to worker is encrypted in transit. We enforce HSTS.
• Email delivery is Resend. Magic links to signers travel through Resend's infrastructure. DKIM + SPF + DMARC fully configured on cybersygn.io.

Encryption.

• At rest: AES-256 (Cloudflare KV native).
• In transit: TLS 1.3 only.
• Signing tokens: 32 bytes of CSPRNG output, constant-time comparison on validation, 30-day TTL.
• Owner password: SHA-256 with 32-byte random salt.

Access control.

• Worker secrets (Stripe key, Anthropic key, etc.) are stored in Cloudflare's encrypted-at-rest secret store. They are never printed in logs.
• Owner backdoor uses a 64-char SHA-256 hash of a passphrase. Not the passphrase itself.
• Magic-link tokens are unique per signer per document. Forwarding the link means the recipient can sign as you; we surface this warning in every invite email.

Data retention.

• Active documents remain accessible for 30 days after creation. After that, magic links 404 unless the sender extends.
• Audit certificates are immutable once generated. We do not modify them in-place.
• Free tier drip records retain email + name for 5 years for transactional drip. Deletable on request (see GDPR below).
• Owner-only datasets: we retain a labeled-PDF training corpus from free-tier consent, used for improving detection. No document content; positions and types only.

GDPR + data subject rights.

Right to access, right to deletion, right to portability — all supported. Email privacy@cybersygn.io from the address on file and we respond within 30 days. Programmatic export endpoint shipping in slice 100; until then we handle requests manually.

Incident response.

If we discover a security incident affecting your documents, we notify affected senders within 72 hours by the email on file. Our incident log is published at /status/.

Subprocessors.

Contact.

Security disclosures: security@cybersygn.io (PGP key on request).

Privacy + GDPR: privacy@cybersygn.io.

Compliance questionnaires: hello@cybersygn.io. Reply within 1 business day.