Built on Security. Backed by Trust.

Our products, infrastructure, processes, and AI are designed with security and privacy at the core, so your teams are always protected.
Explore our Trust Center for updates on security, privacy, and compliance.
Last Updated: Oct 17, 2025

Certified for Security and Compliance Excellence

We conduct recurring audits of key IT controls to ensure ongoing trust and compliance and follow a predefined security incident response process, refined through regular exercises and follow-ups.
Contents
Data SecurityHardware and Infrastructure Security Product Security

Data Security

  • FIPS-140-certified encryption safeguards customer data.
  • PCI-compatible encryption secures sensitive contract details (e.g., key points in contracts).
  • HashiCorp Vault protects each contract with a unique encryption key, backed by Google Cloud KMS.
  • Primary and backup servers hosted in the EU (Netherlands) on Google Cloud Platform.
  • GDPR compliant, with easy-to-use tools to help customers meet their own GDPR obligations.
  • Recurring audits of key IT controls reinforce trust and compliance.

Data handling practices:

  • Segmentation & Isolation: Customer data is logically separated within a secure multi-tenant infrastructure to maintain data integrity and prevent unauthorized access.
  • Data Classification & Retention: All data is categorized by sensitivity—public, company confidential, customer confidential, and personal—and protected accordingly.
  • Encryption & Access Control: Data at rest is encrypted using AES-256. Access is tightly governed by least privilege principles, unique IDs, and strong password policies.
  • Privacy Agreements: We enforce strict confidentiality, audit, and incident response protocols with all third-party vendors handling Scoped Data.
  • Regional Data Storage: Personal data is stored within selected regions (US, EU, India, Middle East) and not transmitted outside those locations.
Read More +

Hardware and Infrastructure Security 

SpotDraft uses Google Cloud Platform (GCP) to provide management and hosting of production servers and databases. Google Cloud Platform uses a robust security program with multiple certifications, such as 
SOC 2 Type II and ISO 27001 certifications.
These data centers are equipped with comprehensive and state-of-the-art safety measures, including:
  • 24/7 dedicated security staff, video surveillance, and strictly managed physical access.
  • Automated encryption
  • Secure Internet communication
  • Secure service deployment
  • Secure Data Disposal
Read More +

Product Security

  • SSO: SpotDraft allows account administrators to seamlessly manage access and share policies with authentication and single-sign-on (SSO) options. The platform can be configured to use Office 365 or Google Workspace Login via OAuth. SpotDraft also supports SAML to link with your Okta, Active Directory, or custom authentication solutions and allows administrators to enable zero-touch provisioning.
  • Audit Logs and Version History: The platform has extensive audit logging, allowing user actions to be traced on a contract level. Audit logs capture not only signing and creation events but also the trail of changes made by both the creator and the counterparty. We keep track of every version of the contract created by the user to allow a clear history of each document.
  • Extensible Roles and Permissions: We understand that access to contracts has to follow our customer's organization structures and also needs to work across entities in multiple countries. Our fully customizable roles & permissions allow customers to limit access based on Contract Types, Organizational Entities, and Departments. These controls, along with contract-level permissions, ensure that documents are only visible to authorized personnel without sharing each document manually.
  • Business Continuity and Disaster Recovery: SpotDraft maintains a Business Continuity and Disaster Recovery program to ensure services remain uninterrupted or are easily recoverable in the case of a disaster.
  • Advanced Platform & Network Security: SpotDraft ensures robust protection through automated patch management, server-level monitoring, and continuous CVE tracking for third-party packages. We conduct regular threat modeling, engage independent penetration testers, and run routine static analysis and vulnerability scans—with a dedicated team resolving issues immediately.
Read More +

Do you have more questions about our security practices?

Request a demo

We’re here to help with any questions you have.

No results found.
Does the organization's executive leadership ensure information security policy is established and aligned with organizational strategy, and communicated to the entire organization?
Has a qualified individual responsible been designated as the owner (e.g., Chief Information Security Officer (CISO), Security Officer, etc.) to oversee and implement the organization's information security program and enforce its information security policy?
Is there an asset management program approved by management, communicated to constituents and an owner to maintain, review, and manage asset controls?
Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review the policy?
Is there a policy or procedure for information handling consistent with its classification that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review e.g., authorized parties, encryption, public cloud storage, removable media, classification labeling, etc.?
Is there a records retention policy and retention schedule covering paper and electronic records, including email in support of applicable regulations, standards, and contractual requirements?
Is scoped data sent or received electronically?
Is regulated or confidential scoped data stored electronically with data protection safeguards e.g., full-disk encryption, databases, files, encryption keys, etc.?
Is Information classified according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification?
Does the organization assign asset ownership to a department, team or individual?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.