Built on Security. Backed by Trust.

Our products, infrastructure, processes, and AI are designed with security and privacy at the core, so your teams are always protected.
Explore our Trust Center for updates on security, privacy, and compliance.
Last Updated: Oct 17, 2025

Certified for Security and Compliance Excellence

We conduct recurring audits of key IT controls to ensure ongoing trust and compliance and follow a predefined security incident response process, refined through regular exercises and follow-ups.
Contents
Data SecurityHardware and Infrastructure Security Product Security

Data Security

  • FIPS-140-certified encryption safeguards customer data.
  • PCI-compatible encryption secures sensitive contract details (e.g., key points in contracts).
  • HashiCorp Vault protects each contract with a unique encryption key, backed by Google Cloud KMS.
  • Primary and backup servers hosted in the EU (Netherlands) on Google Cloud Platform.
  • GDPR compliant, with easy-to-use tools to help customers meet their own GDPR obligations.
  • Recurring audits of key IT controls reinforce trust and compliance.

Data handling practices:

  • Segmentation & Isolation: Customer data is logically separated within a secure multi-tenant infrastructure to maintain data integrity and prevent unauthorized access.
  • Data Classification & Retention: All data is categorized by sensitivity—public, company confidential, customer confidential, and personal—and protected accordingly.
  • Encryption & Access Control: Data at rest is encrypted using AES-256. Access is tightly governed by least privilege principles, unique IDs, and strong password policies.
  • Privacy Agreements: We enforce strict confidentiality, audit, and incident response protocols with all third-party vendors handling Scoped Data.
  • Regional Data Storage: Personal data is stored within selected regions (US, EU, India, Middle East) and not transmitted outside those locations.
Read More +

Hardware and Infrastructure Security 

SpotDraft uses Google Cloud Platform (GCP) to provide management and hosting of production servers and databases. Google Cloud Platform uses a robust security program with multiple certifications, such as 
SOC 2 Type II and ISO 27001 certifications.
These data centers are equipped with comprehensive and state-of-the-art safety measures, including:
  • 24/7 dedicated security staff, video surveillance, and strictly managed physical access.
  • Automated encryption
  • Secure Internet communication
  • Secure service deployment
  • Secure Data Disposal
Read More +

Product Security

  • SSO: SpotDraft allows account administrators to seamlessly manage access and share policies with authentication and single-sign-on (SSO) options. The platform can be configured to use Office 365 or Google Workspace Login via OAuth. SpotDraft also supports SAML to link with your Okta, Active Directory, or custom authentication solutions and allows administrators to enable zero-touch provisioning.
  • Audit Logs and Version History: The platform has extensive audit logging, allowing user actions to be traced on a contract level. Audit logs capture not only signing and creation events but also the trail of changes made by both the creator and the counterparty. We keep track of every version of the contract created by the user to allow a clear history of each document.
  • Extensible Roles and Permissions: We understand that access to contracts has to follow our customer's organization structures and also needs to work across entities in multiple countries. Our fully customizable roles & permissions allow customers to limit access based on Contract Types, Organizational Entities, and Departments. These controls, along with contract-level permissions, ensure that documents are only visible to authorized personnel without sharing each document manually.
  • Business Continuity and Disaster Recovery: SpotDraft maintains a Business Continuity and Disaster Recovery program to ensure services remain uninterrupted or are easily recoverable in the case of a disaster.
  • Advanced Platform & Network Security: SpotDraft ensures robust protection through automated patch management, server-level monitoring, and continuous CVE tracking for third-party packages. We conduct regular threat modeling, engage independent penetration testers, and run routine static analysis and vulnerability scans—with a dedicated team resolving issues immediately.
Read More +

Do you have more questions about our security practices?

Request a demo

We’re here to help with any questions you have.

No results found.
Is the Cloud Service Provider responsible for deploying patches to the live guest Operating Systems?
How does the system control access and permissions for different user roles and document types?
Does your solution offer audit trails and logging for contract modifications?
How is contract data stored, encrypted, and backed up?
In which country or countries will operations to deliver this service be taking place? Please specify if outside the UK or EEA
Do you use any third-party processors or sub-processors to process data on your behalf? If so, please provide their company name and location.
Are information security requirements addressed in your organisation's own contracts with those of its suppliers involved in delivering services to client, including with respect to the IT supply chain?
Do you have a Personal Data Protection Policy (or equivalent) to safeguard client personal information in accordance with the terms of any local/national data protection legislation (e.g. the Data Protection Act in the UK)?
Do you hold any formal certifications to any other national/internationally-recognised information security/audit standards (e.g. ISO 27001, ISO 22301, SOC2, CyberEssentials)? If YES, please provide summary information of these.
If you are providing a portal/system, does it support SSO?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.