parcosts.
Sign in

Security

People trust these tools with contracts, finances, and data rooms. We can't out-promise the big vendors — so we out-honest them. Here is exactly what we do and don't do.

The standard disclosure

These tools are built fast by a small team and are improving every week. We take real care with your data — but we are not yet audited the way big vendors are. Don't upload things you couldn't afford to lose or leak: government IDs, medical records, credentials. Keep your own copies of signed documents.

What we actually do

  • Google sign-in only. We never store a password of yours.
  • Encrypted in transit and at rest.Documents you upload or import are encrypted (AES-256-GCM) before they're stored, with per-document keys wrapped by a master key. Never a public, world-readable URL.
  • Accounts are isolated. Every row is tied to your account and every request is re-checked on the server against your identity — not just at the edge. We test cross-account isolation before shipping a tool that stores your data.
  • We only touch files you pick. Google Drive access is limited to the specific files you choose to open with a tool — nothing else. Your tokens are encrypted at rest and you can disconnect anytime.
  • Share links are hashed and expiring. Links to signable or shared documents carry a random token (we store only its hash) and can have an expiry, a password, a view limit, and revocation.
  • If something goes wrong,we'll tell affected users within 72 hours, plainly. Security work is ongoing.

What you should do

  • Keep your own copies of anything important, including signed documents.
  • Don't upload government IDs, medical records, or credentials.

What we won't claim

We won't call this "bank-level" or "100% secure," and we won't claim compliance certifications we don't hold. When we've earned a stronger claim, we'll say so — with proof.

Found a problem?

Please report security issues through the site before disclosing them publicly. We'll fix what we reasonably can.