External Audit and Certifications
At SpotDraft, the security of customer data is our utmost priority, with a “Security first” culture maintained throughout the software development and management process. SpotDraft incorporates components such as FIPS 140-certified encryption solutions to protect customer data. We are GDPR compliant and have gone a step further by developing easy-to-use tools that allow our customers to meet their own obligations under GDPR. SpotDraft can also be configured on demand to meet PCI and eIDAS Attestation standards.
As a responsible steward of your data, we audit SpotDraft’s key IT controls on a recurring basis.
Hardware and Infrastructure Security
SpotDraft uses Google Cloud Platform (GCP) to host and manage its production servers and databases. Google Cloud Platform maintains a robust security program with multiple certifications, such as SOC 2 Type II and ISO 27001. Its data centers are equipped with comprehensive, state-of-the-art safety measures, including:
24/7 dedicated security staff, video surveillance, and strictly managed physical access
Automated encryption
Secure internet communication
Secure service deployment
Secure data disposal
Data Security
Customer data is stored with encryption at rest, and the encryption keys are rotated periodically in line with industry best practices.
SpotDraft uses a PCI-compatible encryption scheme for especially sensitive data, such as key points in contracts. SpotDraft also uses HashiCorp Vault: each contract has its own unique encryption key, generated and backed by Google Cloud KMS. This data is encrypted at rest and in transit before being stored in the database.
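The per-contract key design described above is envelope encryption: a data key per contract, stored only in wrapped form under a KMS-held master key, with rotation re-wrapping the data key instead of re-encrypting the contract. The following is an added example written for this page; it is not SpotDraft's code and does not call the Vault or Cloud KMS APIs. An in-memory master key stands in for the KMS-backed key (an assumption so the example runs stand-alone), and the key IDs, contract ID and contract text are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey stands in for the key-encryption key a KMS would hold (Google Cloud KMS behind
// Vault, per the page). Holding it in memory is an assumption; a real KMS never releases it.
type MasterKey struct {
	ID  string
	key []byte // 32 bytes, AES-256
}

// ContractRecord is what the database stores: ciphertext plus the wrapped DEK, never the plaintext DEK.
type ContractRecord struct {
	ContractID  string
	MasterKeyID string // which master key wrapped the DEK (changes on rotation)
	WrappedDEK  []byte // data encryption key sealed under the master key, nonce prefixed
	Ciphertext  []byte // contract body sealed under the DEK, nonce prefixed
}

// mustRandom draws n bytes from the OS CSPRNG; a failing CSPRNG is not recoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewMasterKey(id string) *MasterKey { return &MasterKey{ID: id, key: mustRandom(32)} }

// gcmFor builds an AES-GCM AEAD; its only failures are programming errors (bad key length), hence the panic.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM, prefixes a fresh nonce, and binds the output to aad (the
// contract ID) so a sealed blob cannot be re-attached to a different contract.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// EncryptContract: fresh DEK per contract, body sealed under the DEK, DEK sealed under the master key.
func EncryptContract(mk *MasterKey, contractID string, body []byte) *ContractRecord {
	dek, aad := mustRandom(32), []byte(contractID)
	return &ContractRecord{ContractID: contractID, MasterKeyID: mk.ID,
		WrappedDEK: seal(mk.key, dek, aad), Ciphertext: seal(dek, body, aad)}
}

// DecryptContract unwraps the DEK, then opens the body. Tampering, the wrong master key,
// or a record moved under another contract ID all fail closed with an error.
func DecryptContract(mk *MasterKey, rec *ContractRecord) ([]byte, error) {
	aad := []byte(rec.ContractID)
	dek, err := open(mk.key, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (wrapped under %s): %w", rec.MasterKeyID, err)
	}
	return open(dek, rec.Ciphertext, aad)
}

// RotateMasterKey re-wraps the DEK under a new master key without touching the contract body,
// which is what makes periodic master-key rotation cheap.
func RotateMasterKey(oldMK, newMK *MasterKey, rec *ContractRecord) error {
	aad := []byte(rec.ContractID)
	dek, err := open(oldMK.key, rec.WrappedDEK, aad)
	if err != nil {
		return err
	}
	rec.WrappedDEK, rec.MasterKeyID = seal(newMK.key, dek, aad), newMK.ID
	return nil
}

func main() {
	mk := NewMasterKey("kms-key-v1") // constructed key ID, not a real KMS resource name
	rec := EncryptContract(mk, "contract-42", []byte("Payment due within 30 days"))
	body, err := DecryptContract(mk, rec)
	fmt.Printf("%s (err=%v)\n", body, err)
}
```

Using the contract ID as GCM additional authenticated data is what makes a stored blob useless if it is copied onto another contract's row, and the rotation path shows why per-contract data keys keep master-key rotation to a small re-wrap rather than a bulk re-encryption of every contract.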
List of Data Sub-Processors
Product Security Features
Single Sign On
SpotDraft allows account administrators to manage access and sharing policies seamlessly through its authentication and single sign-on (SSO) options. The platform can be configured to use Office 365 or Google Workspace login via OAuth. SpotDraft also supports SAML to integrate with Okta, Active Directory, or custom authentication solutions, and allows administrators to enable zero-touch provisioning.
Audit Logs and Version History
The platform has extensive audit logging, allowing user actions to be traced on a contract level. Audit logs capture not only signing and creation events but also the trail of changes made by both the creator and the counterparty. We keep track of every version of the contract created by the user to allow a clear history of each document.
Extensible Roles & Permissions
We understand that access to contracts has to follow our customers' organizational structures and must also work across entities in multiple countries. Our fully customizable roles and permissions let customers limit access by Contract Type, Organizational Entity, and Department. These controls, together with contract-level permissions, ensure that documents are visible only to authorized personnel, without having to share each document manually.
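As an added example (not SpotDraft's implementation; the struct layout, role names, entity names and contracts are constructed for illustration), here is a deny-by-default authorization check over the three dimensions named above plus contract-level grants, together with the filter a listing endpoint would apply so that contracts a user may not see are never enumerated.

```go
package main

import "fmt"

// Scope is one permission rule on the three dimensions the page names. "*" on a
// dimension matches any value. The struct shape is an assumption of this example.
type Scope struct {
	ContractTypes map[string]bool
	Entities      map[string]bool
	Departments   map[string]bool
}

type Role struct {
	Name   string
	Scopes []Scope
}

type User struct {
	ID    string
	Roles []Role
}

type Contract struct {
	ID, Type, Entity, Department string
	Grants                       map[string]bool // contract-level: user IDs explicitly given access
}

func set(vals ...string) map[string]bool {
	m := make(map[string]bool, len(vals))
	for _, v := range vals {
		m[v] = true
	}
	return m
}

func matches(allowed map[string]bool, value string) bool { return allowed["*"] || allowed[value] }

// CanView is deny-by-default: access comes only from an explicit contract-level grant
// or from a role scope that matches on all three dimensions at once.
func CanView(u User, c Contract) bool {
	if c.Grants[u.ID] {
		return true
	}
	for _, r := range u.Roles {
		for _, s := range r.Scopes {
			if matches(s.ContractTypes, c.Type) && matches(s.Entities, c.Entity) && matches(s.Departments, c.Department) {
				return true
			}
		}
	}
	return false
}

// VisibleContracts is the filter a listing endpoint applies before returning results,
// so unauthorized documents are excluded server-side rather than merely hidden in the UI.
func VisibleContracts(u User, repo []Contract) []string {
	var ids []string
	for _, c := range repo {
		if CanView(u, c) {
			ids = append(ids, c.ID)
		}
	}
	return ids
}

// Sample returns constructed users and contracts for the demonstration; none of the
// names refer to real customers, entities, or documents.
func Sample() ([]User, []Contract) {
	ukLegal := Role{Name: "UK Legal", Scopes: []Scope{{set("*"), set("UK Ltd"), set("Legal")}}}
	ndaReviewer := Role{Name: "Sales NDA reviewer", Scopes: []Scope{{set("NDA"), set("*"), set("Sales")}}}
	users := []User{{ID: "alice", Roles: []Role{ukLegal}}, {ID: "bob", Roles: []Role{ndaReviewer}}}
	repo := []Contract{
		{ID: "c1", Type: "NDA", Entity: "UK Ltd", Department: "Sales"},
		{ID: "c2", Type: "MSA", Entity: "UK Ltd", Department: "Legal"},
		{ID: "c3", Type: "MSA", Entity: "US Inc", Department: "Legal", Grants: set("alice")},
	}
	return users, repo
}

func main() {
	users, repo := Sample()
	for _, u := range users {
		fmt.Printf("%s can view %v\n", u.ID, VisibleContracts(u, repo))
	}
}
```

With the constructed data, alice's "UK Legal" role reaches c2 but not c1 (wrong department) or c3 (wrong entity); she sees c3 only through the explicit contract-level grant, and bob's NDA-only scope yields c1 alone. A user with no roles and no grants sees nothing, which is the property to test for whenever a new dimension is added to the model.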
Backups and Business Continuity
SpotDraft maintains a Business Continuity and Disaster Recovery program to ensure services remain uninterrupted or are easily recoverable in the case of a disaster.
Advanced Platform and Network Security
The platform’s patch management process identifies and addresses missing patches within the product infrastructure. Server-level instrumentation ensures tracked software packages use the appropriate versions. We also continuously monitor third-party packages for CVEs and strive to deploy fixes as soon as they are made available.
We regularly perform threat modeling and engage independent third-party penetration testing firms to test our product's infrastructure. A dedicated internal team also runs routine static analysis and infrastructure vulnerability scans so that any security issue is detected and resolved immediately when it arises.
Security Incident Response
SpotDraft's security incident process flows and investigation data sources are pre-defined during recurring preparation activities and exercises, and are refined through investigation follow-ups. We use standard incident response process structures to ensure that the right steps are taken at the right time.