Built on Security. Backed by Trust.

Our products, infrastructure, processes, and AI are designed with security and privacy at the core, so your teams are always protected.
Explore our Trust Center for updates on security, privacy, and compliance.
Last Updated: Oct 17, 2025

Certified for Security and Compliance Excellence

We conduct recurring audits of key IT controls to ensure ongoing trust and compliance and follow a predefined security incident response process, refined through regular exercises and follow-ups.
Contents
Data SecurityHardware and Infrastructure Security Product Security

Data Security

  • FIPS-140-certified encryption safeguards customer data.
  • PCI-compatible encryption secures sensitive contract details (e.g., key points in contracts).
  • HashiCorp Vault protects each contract with a unique encryption key, backed by Google Cloud KMS.
  • Primary and backup servers hosted in the EU (Netherlands) on Google Cloud Platform.
  • GDPR compliant, with easy-to-use tools to help customers meet their own GDPR obligations.
  • Recurring audits of key IT controls reinforce trust and compliance.

Data handling practices:

  • Segmentation & Isolation: Customer data is logically separated within a secure multi-tenant infrastructure to maintain data integrity and prevent unauthorized access.
  • Data Classification & Retention: All data is categorized by sensitivity—public, company confidential, customer confidential, and personal—and protected accordingly.
  • Encryption & Access Control: Data at rest is encrypted using AES-256. Access is tightly governed by least privilege principles, unique IDs, and strong password policies.
  • Privacy Agreements: We enforce strict confidentiality, audit, and incident response protocols with all third-party vendors handling Scoped Data.
  • Regional Data Storage: Personal data is stored within selected regions (US, EU, India, Middle East) and not transmitted outside those locations.
Read More +

Hardware and Infrastructure Security 

SpotDraft uses Google Cloud Platform (GCP) to provide management and hosting of production servers and databases. Google Cloud Platform uses a robust security program with multiple certifications, such as 
SOC 2 Type II and ISO 27001 certifications.
These data centers are equipped with comprehensive and state-of-the-art safety measures, including:
  • 24/7 dedicated security staff, video surveillance, and strictly managed physical access.
  • Automated encryption
  • Secure Internet communication
  • Secure service deployment
  • Secure Data Disposal
Read More +

Product Security

  • SSO: SpotDraft allows account administrators to seamlessly manage access and share policies with authentication and single-sign-on (SSO) options. The platform can be configured to use Office 365 or Google Workspace Login via OAuth. SpotDraft also supports SAML to link with your Okta, Active Directory, or custom authentication solutions and allows administrators to enable zero-touch provisioning.
  • Audit Logs and Version History: The platform has extensive audit logging, allowing user actions to be traced on a contract level. Audit logs capture not only signing and creation events but also the trail of changes made by both the creator and the counterparty. We keep track of every version of the contract created by the user to allow a clear history of each document.
  • Extensible Roles and Permissions: We understand that access to contracts has to follow our customer's organization structures and also needs to work across entities in multiple countries. Our fully customizable roles & permissions allow customers to limit access based on Contract Types, Organizational Entities, and Departments. These controls, along with contract-level permissions, ensure that documents are only visible to authorized personnel without sharing each document manually.
  • Business Continuity and Disaster Recovery: SpotDraft maintains a Business Continuity and Disaster Recovery program to ensure services remain uninterrupted or are easily recoverable in the case of a disaster.
  • Advanced Platform & Network Security: SpotDraft ensures robust protection through automated patch management, server-level monitoring, and continuous CVE tracking for third-party packages. We conduct regular threat modeling, engage independent penetration testers, and run routine static analysis and vulnerability scans—with a dedicated team resolving issues immediately.
Read More +

Do you have more questions about our security practices?

Request a demo

We’re here to help with any questions you have.

No results found.
Is there a formalized risk governance policy approved by management that defines the Enterprise Risk Management program requirements?
Are there Subject Matter Experts and/or groups assigned to assess risk for distinct categories e.g., operational, reputational, regulatory, technology, privacy, financial, etc.?
Is there a formalized Risk Assessment process that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization?
Does the Enterprise Risk Management program include measures for defining, monitoring, and reporting risk metrics to the appropriate stakeholders e.g., KRIs, KPIs, SLAs, Performance benchmarks, maturity levels, etc.?
Do fourth parties (e.g., backup, subcontractors, equipment support/maintenance, software support/maintenance, data recovery, hosting providers, etc.) have access to scoped systems and data or processing facilities?
Is there an information security program that has been documented, approved by management, published, and communicated to constituents?
Have any of the Information Security and IT processes been outsourced?
Do the information security policies and procedures include requirements for third party risk management?
Are responsibilities for information security processes clearly identified and communicated to the relevant parties?
Do all projects involving systems, applications, and platforms go through an information security assessment?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.