Built on Security. Backed by Trust.

Our products, infrastructure, processes, and AI are designed with security and privacy at the core, so your teams are always protected.
Explore our Trust Center for updates on security, privacy, and compliance.
Last Updated: Oct 17, 2025

Certified for Security and Compliance Excellence

We conduct recurring audits of key IT controls to ensure ongoing trust and compliance, and we follow a predefined security incident response process that is refined through regular exercises and follow-ups.

Data Security

  • FIPS 140-validated cryptographic modules encrypt customer data.
  • PCI DSS-aligned encryption secures sensitive contract details (e.g., key terms within contracts).
  • HashiCorp Vault protects each contract with its own unique encryption key, with the key hierarchy rooted in Google Cloud KMS.
  • Primary and backup servers are hosted in the EU (Netherlands) on Google Cloud Platform.
  • GDPR compliant, with tools that help customers meet their own GDPR obligations.
  • Recurring audits of key IT controls reinforce trust and compliance.

Data handling practices:

  • Segmentation & Isolation: Customer data is logically separated within a secure multi-tenant infrastructure to maintain data integrity and prevent unauthorized access.
  • Data Classification & Retention: All data is categorized by sensitivity—public, company confidential, customer confidential, and personal—and protected accordingly.
  • Encryption & Access Control: Data at rest is encrypted using AES-256. Access is governed by least-privilege principles, unique user IDs, and strong password policies.
  • Privacy Agreements: We enforce strict confidentiality, audit, and incident response protocols with all third-party vendors handling Scoped Data.
  • Regional Data Storage: Personal data is stored within the selected region (US, EU, India, or Middle East) and is not transmitted outside it.
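The per-contract key scheme described above (a unique key for every contract, with the key that wraps it held in a KMS) is envelope encryption. The Go program below is an added example written for this page, not SpotDraft's code: the in-process `KMS` type stands in for Google Cloud KMS or Vault (an assumption; no real service is called) and the contract bodies are constructed samples. It gives each contract its own AES-256 data-encryption key (DEK), wraps that DEK under a key-encryption key (KEK) that never leaves the KMS stand-in, and binds the contract ID into both layers so a wrapped key or ciphertext lifted from another record is rejected instead of decrypting the wrong contract.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS is an in-process stand-in for a key-management service such as the
// Google Cloud KMS the page names (assumption: no real KMS is called here).
// It never releases the KEK; callers only get per-contract DEKs wrapped/unwrapped.
type KMS struct{ kek []byte }

func NewKMS() *KMS { return &KMS{kek: randBytes(32)} } // AES-256 KEK

// Disable models disabling the KEK in the KMS: with no key, every later wrap or
// unwrap fails, so all contracts become unreadable without touching stored ciphertext.
func (k *KMS) Disable() { k.kek = nil }

func (k *KMS) WrapDEK(contractID string, dek []byte) ([]byte, error) {
	return sealGCM(k.kek, dek, []byte(contractID))
}

func (k *KMS) UnwrapDEK(contractID string, wrapped []byte) ([]byte, error) {
	return openGCM(k.kek, wrapped, []byte(contractID))
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing crypto/rand is not recoverable
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects nil/short keys, incl. a disabled KEK
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// EncryptedContract is the stored record; the plaintext DEK is never persisted.
type EncryptedContract struct {
	ID         string
	WrappedDEK []byte
	Body       []byte
}

// EncryptContract gives the contract a fresh AES-256 DEK, encrypts the body under
// it and stores the DEK wrapped by the KMS. The contract ID is bound as AAD at
// both layers, so a wrapped DEK or body copied from another record will not open.
func EncryptContract(k *KMS, id string, body []byte) (*EncryptedContract, error) {
	dek := randBytes(32)
	wrapped, err := k.WrapDEK(id, dek)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, body, []byte(id))
	if err != nil {
		return nil, err
	}
	return &EncryptedContract{ID: id, WrappedDEK: wrapped, Body: ct}, nil
}

func DecryptContract(k *KMS, c *EncryptedContract) ([]byte, error) {
	dek, err := k.UnwrapDEK(c.ID, c.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, c.Body, []byte(c.ID))
}

func main() {
	k := NewKMS()
	c, _ := EncryptContract(k, "contract-1", []byte("NDA with Acme (constructed sample)"))
	pt, err := DecryptContract(k, c)
	fmt.Printf("%q err=%v\n", pt, err)
}
```

Two failure modes are worth exercising against this: stitch contract-2's wrapped DEK onto contract-1's record (or relabel a record with another ID) and DecryptContract returns an authentication error rather than another contract's text; call Disable and every DecryptContract fails, which is the property a KMS-rooted hierarchy buys you, since revoking one key makes every contract unreadable without rewriting stored data. Nonces here are random, so rotate a DEK well before it approaches 2^32 encryptions.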

Hardware and Infrastructure Security

SpotDraft uses Google Cloud Platform (GCP) to host and manage its production servers and databases. GCP runs a robust security program with multiple certifications, including SOC 2 Type II and ISO 27001.
Its data centers are equipped with comprehensive, state-of-the-art security measures, including:
  • 24/7 dedicated security staff, video surveillance, and strictly managed physical access.
  • Automated encryption
  • Secure Internet communication
  • Secure service deployment
  • Secure data disposal

Product Security

  • SSO: SpotDraft lets account administrators manage access centrally through authentication and single sign-on (SSO) options. The platform can be configured to use Office 365 or Google Workspace login via OAuth. SpotDraft also supports SAML for integration with Okta, Active Directory, or custom authentication solutions, and lets administrators enable zero-touch provisioning.
  • Audit Logs and Version History: The platform has extensive audit logging, allowing user actions to be traced at the contract level. Audit logs capture not only signing and creation events but also the trail of changes made by both the creator and the counterparty. Every version of a contract created by a user is retained, giving a clear history of each document.
  • Extensible Roles and Permissions: Access to contracts has to follow each customer's organizational structure and work across entities in multiple countries. Fully customizable roles and permissions let customers limit access by Contract Type, Organizational Entity, and Department. Together with contract-level permissions, these controls ensure that documents are visible only to authorized personnel without sharing each document manually.
  • Business Continuity and Disaster Recovery: SpotDraft maintains a Business Continuity and Disaster Recovery program so that services remain uninterrupted, or can be recovered quickly, in the event of a disaster.
  • Advanced Platform & Network Security: SpotDraft ensures robust protection through automated patch management, server-level monitoring, and continuous CVE tracking for third-party packages. We conduct regular threat modeling, engage independent penetration testers, and run routine static analysis and vulnerability scans, with a dedicated team resolving findings promptly.
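The roles-and-permissions item above describes access scoped by contract type, organizational entity and department, combined with contract-level permissions. As an added example (not SpotDraft's code; the data model is a hypothetical one built for illustration, and the users and contracts are constructed samples), the Go program below shows how such a check is evaluated deny-by-default: a role scope must match the contract on all three axes at once, a direct share grants exactly one contract, and anything else is refused.

```go
package main

import "fmt"

// Hypothetical access model for this example (not SpotDraft's data model):
// a role carries one or more scopes, each listing the contract types,
// organizational entities and departments it covers. "*" means any value
// on that axis; an empty list covers nothing.
type Scope struct {
	ContractTypes []string
	Entities      []string
	Departments   []string
}

type Role struct {
	Name   string
	Scopes []Scope
}

type User struct {
	ID    string
	Roles []Role
}

type Contract struct {
	ID, Type, Entity, Department string
	SharedWith                   map[string]bool // contract-level grants, keyed by user ID
}

// covers reports whether the axis value is listed or the axis is wildcarded.
func covers(allowed []string, value string) bool {
	for _, a := range allowed {
		if a == "*" || a == value {
			return true
		}
	}
	return false
}

// CanView is deny-by-default: access needs either an explicit contract-level
// grant or a single role scope that matches on all three axes at once. Matching
// on one axis only (a Legal scope for a different entity, say) is not enough.
func CanView(u User, c Contract) (bool, string) {
	if c.SharedWith[u.ID] {
		return true, "contract-level share"
	}
	for _, r := range u.Roles {
		for _, s := range r.Scopes {
			if covers(s.ContractTypes, c.Type) && covers(s.Entities, c.Entity) && covers(s.Departments, c.Department) {
				return true, "role " + r.Name
			}
		}
	}
	return false, "no matching scope or share"
}

func main() {
	// Constructed sample data: one UK legal role and four contracts.
	legalUK := Role{Name: "Legal (UK)", Scopes: []Scope{{
		ContractTypes: []string{"NDA", "MSA"},
		Entities:      []string{"acme-uk"},
		Departments:   []string{"*"},
	}}}
	alice := User{ID: "alice", Roles: []Role{legalUK}}
	contracts := []Contract{
		{ID: "c1", Type: "NDA", Entity: "acme-uk", Department: "sales"},
		{ID: "c2", Type: "NDA", Entity: "acme-us", Department: "sales"},
		{ID: "c3", Type: "SOW", Entity: "acme-uk", Department: "legal"},
		{ID: "c4", Type: "SOW", Entity: "acme-us", Department: "finance", SharedWith: map[string]bool{"alice": true}},
	}
	for _, c := range contracts {
		ok, why := CanView(alice, c)
		fmt.Printf("%s: allowed=%t (%s)\n", c.ID, ok, why)
	}
}
```

With this data alice sees c1 through her role, is refused c2 (wrong entity) and c3 (SOW is not in her scope), and sees c4 only because it was shared with her directly; a user with no roles and no shares sees nothing. Keeping the three-axis match conjunctive is the detail that matters: an "any axis" match would let a scope for one entity leak contracts of every other entity that happens to share a contract type.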

Do you have more questions about our security practices?

We’re here to help with any questions you have.

  • Are any entities involved in the delivery of scoped services licensed or regulated by the New York Department of Financial Services (NYDFS)?
  • Are end-user devices (desktops, laptops, tablets, smartphones) used for transmitting, processing, or storing Scoped data?
  • Does the organization maintain policies and procedures for access to and usage of collaborative computing devices or applications (e.g., networked whiteboards, cameras, and microphones)?
  • Is there an established Network Security Program policy that defines enterprise network security requirements, is approved by management, is communicated to constituents, and has an owner to maintain and review it?
  • Is every connection to an external network (e.g., the Internet, partner networks) terminated at a firewall?
  • Are all network devices patched, with all available high-risk security patches applied and verified?
  • Is there a policy defining the requirements for remote access from external networks to networks containing Scoped systems and data, approved by management and communicated to constituents?
  • Are Network Intrusion Detection / Prevention Systems (NIDS/NIPS) used to detect and/or prevent intrusions into the network?
  • Is there a DMZ environment within the network that transmits, processes, or stores Scoped systems and data (e.g., web servers, DNS, directory services, remote access)?
  • Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review it?