Built on Security. Backed by Trust.

Our products, infrastructure, processes, and AI are designed with security and privacy at the core, so your teams are always protected.
Explore our Trust Center for updates on security, privacy, and compliance.
Last Updated: Oct 17, 2025

Certified for Security and Compliance Excellence

We conduct recurring audits of key IT controls to ensure ongoing trust and compliance and follow a predefined security incident response process, refined through regular exercises and follow-ups.
Contents
Data SecurityHardware and Infrastructure Security Product Security

Data Security

  • FIPS-140-certified encryption safeguards customer data.
  • PCI-compatible encryption secures sensitive contract details (e.g., key points in contracts).
  • HashiCorp Vault protects each contract with a unique encryption key, backed by Google Cloud KMS.
  • Primary and backup servers hosted in the EU (Netherlands) on Google Cloud Platform.
  • GDPR compliant, with easy-to-use tools to help customers meet their own GDPR obligations.
  • Recurring audits of key IT controls reinforce trust and compliance.

Data handling practices:

  • Segmentation & Isolation: Customer data is logically separated within a secure multi-tenant infrastructure to maintain data integrity and prevent unauthorized access.
  • Data Classification & Retention: All data is categorized by sensitivity—public, company confidential, customer confidential, and personal—and protected accordingly.
  • Encryption & Access Control: Data at rest is encrypted using AES-256. Access is tightly governed by least privilege principles, unique IDs, and strong password policies.
  • Privacy Agreements: We enforce strict confidentiality, audit, and incident response protocols with all third-party vendors handling Scoped Data.
  • Regional Data Storage: Personal data is stored within selected regions (US, EU, India, Middle East) and not transmitted outside those locations.
Read More +

Hardware and Infrastructure Security 

SpotDraft uses Google Cloud Platform (GCP) to provide management and hosting of production servers and databases. Google Cloud Platform uses a robust security program with multiple certifications, such as 
SOC 2 Type II and ISO 27001 certifications.
These data centers are equipped with comprehensive and state-of-the-art safety measures, including:
  • 24/7 dedicated security staff, video surveillance, and strictly managed physical access.
  • Automated encryption
  • Secure Internet communication
  • Secure service deployment
  • Secure Data Disposal
Read More +

Product Security

  • SSO: SpotDraft allows account administrators to seamlessly manage access and share policies with authentication and single-sign-on (SSO) options. The platform can be configured to use Office 365 or Google Workspace Login via OAuth. SpotDraft also supports SAML to link with your Okta, Active Directory, or custom authentication solutions and allows administrators to enable zero-touch provisioning.
  • Audit Logs and Version History: The platform has extensive audit logging, allowing user actions to be traced on a contract level. Audit logs capture not only signing and creation events but also the trail of changes made by both the creator and the counterparty. We keep track of every version of the contract created by the user to allow a clear history of each document.
  • Extensible Roles and Permissions: We understand that access to contracts has to follow our customer's organization structures and also needs to work across entities in multiple countries. Our fully customizable roles & permissions allow customers to limit access based on Contract Types, Organizational Entities, and Departments. These controls, along with contract-level permissions, ensure that documents are only visible to authorized personnel without sharing each document manually.
  • Business Continuity and Disaster Recovery: SpotDraft maintains a Business Continuity and Disaster Recovery program to ensure services remain uninterrupted or are easily recoverable in the case of a disaster.
  • Advanced Platform & Network Security: SpotDraft ensures robust protection through automated patch management, server-level monitoring, and continuous CVE tracking for third-party packages. We conduct regular threat modeling, engage independent penetration testers, and run routine static analysis and vulnerability scans—with a dedicated team resolving issues immediately.
Read More +

Do you have more questions about our security practices?

Request a demo

We’re here to help with any questions you have.

No results found.
Is scoped data sent or received via physical media?
Has your company implemented a data loss prevention (DLP) security solution and program?
Do scans performed on incoming and outgoing email include phishing prevention?
Are scoped systems or data stored or transferred in cloud-based public file sharing solutions? If yes, please explain in the Additional Information field.
Are encryption keys managed and maintained for scoped data?
Is maintenance and repair of organizational assets performed and logged, with tools that have been inspected, approved, and controlled?
Can Clients specify where their data is stored (logically and physically)?
Is data segmentation and separation capability between clients provided?
In the event of a subpoena or forensics incident, is specific data able to be put on Litigation Hold without impacting other clients' data?
Are Human Resource policies and/or procedures approved by management, communicated to constituents and an owner to maintain, and review?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.