Security at Dash Sign
Private document storage, audit-ready signing records, and Canadian-hosted primary data storage. Your documents are protected through encryption, access controls, and traceable signing events.
Last updated: March 30, 2026
Private Document Storage
Dash Sign stores original PDFs, signed PDFs, signature data, and verification files in private storage so invited signers can review and complete documents securely. Access is time-limited where possible, protected by encryption, and paired with an immutable audit trail that records each signing event.
Security Features
Protection at every layer
AES-256 Encryption at Rest
All documents, signatures, and identity files are encrypted with AES-256 — the same standard used by banks and government agencies. Data is unreadable without the encryption keys.
TLS 1.3 in Transit
Every connection between your browser and our servers is secured with TLS 1.3, the latest transport security protocol. No data is ever transmitted in plaintext.
Private Document Storage
Dash Sign stores original PDFs, signed PDFs, and identity uploads in private storage buckets. Access is controlled through app permissions and expiring signed URLs.
SMS OTP Verification
Signers can be required to verify their identity with an SMS one-time passcode, delivered by Twilio, before accessing a document. This adds a strong layer of identity assurance.
Photo ID Verification
For high-value documents, signers can upload a government-issued photo ID. The image is stored in encrypted private storage and tied to the signing audit record.
Immutable Audit Trail
Every action — view, sign, complete — is logged with timestamp, IP address, device info, and signer identity. Audit trails are immutable and retained for 6 years per FSRA requirements.
SHA-256 Checksums
A SHA-256 hash is computed for every document at upload and again after signing. Any later modification changes the hash, so tampering is detectable by comparing the document against its recorded checksum.
Canadian-Hosted Primary Storage
Our primary Supabase database and document storage are configured in the `ca-central-1` region. Some supporting providers may process limited account, messaging, or analytics data outside Canada.
Row-Level Security
Database-level isolation ensures users can only access their own application data. Document files are separately protected in private storage buckets.
Access Control
Token-based authentication, encrypted session management, and strict permission boundaries help limit access to documents, templates, and organization settings.
Rate Limiting & Abuse Prevention
Automated rate limiting protects against brute-force attacks, API abuse, and spam. Suspicious activity triggers automatic lockouts and alerts.
6-Year Data Retention
Audit trails are retained for a minimum of 6 years to meet FSRA regulatory requirements. Immutable records provide long-term legal defensibility for every signed document.
Compliance
Built for Canadian regulatory requirements
PIPEDA
Personal Information Protection and Electronic Documents Act
Privacy controls, audit trails, and data-handling choices built for Canadian private-sector workflows.
FSRA
Financial Services Regulatory Authority of Ontario
6-year retention defaults help teams that need longer-lived document and audit records.
UECA
Uniform Electronic Commerce Act
Electronic signing records include timestamps, signer identity details, and completion certificates to support enforceable workflows.
Vulnerability Reporting
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly so we can address it promptly. Do not publicly disclose the vulnerability until we have had an opportunity to investigate and resolve it.
Report vulnerabilities to support@dashsign.ca with "Security Vulnerability" in the subject line. We aim to acknowledge all reports within 24 hours.