Security
People trust these tools with contracts, finances, and data rooms. We can't out-promise the big vendors — so we out-honest them. Here is exactly what we do and don't do.
These tools are built fast by a small team and are improving every week. We take real care with your data — but we are not yet audited the way big vendors are. Don't upload things you couldn't afford to lose or leak: government IDs, medical records, credentials. Keep your own copies of signed documents.
What we actually do
- Google sign-in only. We never store a password of yours.
- Encrypted in transit and at rest.Documents you upload or import are encrypted (AES-256-GCM) before they're stored, with per-document keys wrapped by a master key. Never a public, world-readable URL.
- Accounts are isolated. Every row is tied to your account and every request is re-checked on the server against your identity — not just at the edge. We test cross-account isolation before shipping a tool that stores your data.
- We only touch files you pick. Google Drive access is limited to the specific files you choose to open with a tool — nothing else. Your tokens are encrypted at rest and you can disconnect anytime.
- Share links are hashed and expiring. Links to signable or shared documents carry a random token (we store only its hash) and can have an expiry, a password, a view limit, and revocation.
- If something goes wrong,we'll tell affected users within 72 hours, plainly. Security work is ongoing.
What you should do
- Keep your own copies of anything important, including signed documents.
- Don't upload government IDs, medical records, or credentials.
What we won't claim
We won't call this "bank-level" or "100% secure," and we won't claim compliance certifications we don't hold. When we've earned a stronger claim, we'll say so — with proof.
Found a problem?
Please report security issues through the site before disclosing them publicly. We'll fix what we reasonably can.