Enterprise-Grade Security Without Enterprise Complexity

Firma.dev protects your documents with bank-level encryption, strict access controls, and compliance-ready infrastructure. Built for teams that need security without the procurement headache.

Infrastructure

Firma.dev runs on AWS infrastructure in the European Union

AWS maintains SOC 2 Type II and ISO 27001 attestations and offers HIPAA-eligible services. These cover the underlying infrastructure, not Firma.dev's own controls; Firma.dev's SOC 2 and ISO 27001 certifications are on the roadmap (see Security standards below). All customer data is stored in EU data centers.

Backups run every 60 seconds with point-in-time recovery. All backups are encrypted and stored in the EU. Full version history is available for every document.

System status is public at status.firma.dev. We do not offer formal SLAs at this time.

All customer data is stored exclusively in the European Union. Data never leaves EU data centers. This includes documents, metadata, audit logs, and backups. EU-only residency is the default for all accounts and cannot be changed.

Encryption

All documents and metadata are encrypted at rest using AES-256

Data in transit is secured with TLS 1.2 or higher. Row-level security and strict access policies ensure data isolation at the database level.

Authentication & Access Control

API authentication

All API requests require key-based authentication. Rate limits protect against abuse. View rate limit details.

Dashboard login

Google and GitHub SSO are supported. Role-based access control lets account owners define what team members can see and do.

IP allowlisting

Available on request. Contact support to configure.

Customer Workspaces

Each of your customers gets a private, partitioned workspace

Templates, signers, and envelopes are fully isolated. No cross-customer data exposure. Learn more about Customer Workspaces.

Signer Security

Firma.dev protects signers throughout the signing process

Unique signing links

Every signer receives a unique URL bound to their own signing request. A link is tied to one signer and one request: it cannot be used to sign as another signer, and it cannot be reused once that request is completed or cancelled.

Link expiration

Signing links expire after 7 days by default. You can configure custom expiration windows (in hours) when creating templates.

Signing consent

Signer consent is captured and recorded before any signature is applied.

Revocation

You can cancel signing requests at any point before completion. Signers receive cancellation notifications automatically.

For implementation details, see the signing request documentation.

Webhook Security

All webhook requests are signed using HMAC SHA-256

Every request includes:

  • X-Firma-Signature: the HMAC SHA-256 of the payload computed with your current signing secret

  • X-Firma-Signature-Old: the HMAC computed with your previous secret, sent only during the 7-day rotation grace period so receivers that have not yet switched to the new secret keep validating

You can retrieve your signing secret from the dashboard and rotate it via the API. Always verify the signature over the raw request body, using a constant-time comparison, before acting on a webhook, and reject any request whose signature does not match; unverified webhooks can be spoofed by anyone who knows your endpoint URL. During a rotation, a receiver that still holds the previous secret can accept a delivery if X-Firma-Signature-Old matches, and should be updated to the new secret before the grace period ends. View the Webhooks guide.
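The following is an added example, not code from Firma.dev or its Webhooks guide, showing both halves of the scheme described above: a sender that signs with the current secret and, during the grace period, also with the previous one, and a receiver that checks X-Firma-Signature first and falls back to X-Firma-Signature-Old. The header names come from this page; the wire encoding (lowercase hex of HMAC-SHA-256 over the raw body) and the sample payload are assumptions made for the example, so confirm the exact format against the Webhooks guide before deploying.

```python
import hmac
import hashlib
from typing import Mapping, Optional

# Header names are from the Firma.dev page. The encoding (lowercase hex HMAC-SHA-256
# over the raw request body) is an ASSUMPTION for this example; check the Webhooks guide.
SIG_HEADER = "X-Firma-Signature"
OLD_SIG_HEADER = "X-Firma-Signature-Old"


def hmac_sha256_hex(secret: str, body: bytes) -> str:
    """HMAC-SHA-256 over the raw body, hex encoded (assumed wire format)."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def sign_webhook(body: bytes, current_secret: str,
                 previous_secret: Optional[str] = None) -> dict:
    """Sender side, modelled on the page's description: always sign with the current
    secret; during the rotation grace period also attach a MAC under the previous one."""
    headers = {SIG_HEADER: hmac_sha256_hex(current_secret, body)}
    if previous_secret is not None:
        headers[OLD_SIG_HEADER] = hmac_sha256_hex(previous_secret, body)
    return headers


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive and frameworks expose them differently."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _matches(expected_hex: str, presented: Optional[str]) -> bool:
    """Constant-time comparison; compare bytes so non-ASCII input cannot raise."""
    if presented is None:
        return False
    return hmac.compare_digest(expected_hex.encode("utf-8"), presented.encode("utf-8"))


def verify_webhook(body: bytes, headers: Mapping[str, str], my_secret: str) -> Optional[str]:
    """Receiver side. Returns:
      "current" - X-Firma-Signature matches the secret we hold (normal case)
      "old"     - only X-Firma-Signature-Old matches: Firma has rotated and we still
                  hold the previous secret; accept, but update the stored secret
      None      - neither matches: reject the request (spoofed, tampered, or the
                  grace period has ended and our secret is stale)

    Verify over the raw bytes exactly as received, before JSON parsing: re-serialising
    the payload can change whitespace or key order and break the MAC.
    """
    expected = hmac_sha256_hex(my_secret, body)
    if _matches(expected, _get_header(headers, SIG_HEADER)):
        return "current"
    if _matches(expected, _get_header(headers, OLD_SIG_HEADER)):
        return "old"
    return None


if __name__ == "__main__":
    # Constructed sample payload; not a real Firma.dev event.
    body = b'{"event":"example","id":"constructed-1"}'
    print(verify_webhook(body, sign_webhook(body, "secret-A"), "secret-A"))            # current
    print(verify_webhook(body, sign_webhook(body, "secret-B", "secret-A"), "secret-A"))  # old
    print(verify_webhook(body, sign_webhook(body, "secret-B"), "secret-A"))            # None
```

In a real handler, treat an "old" result as a signal to pull the new secret from the dashboard or API: once the 7-day grace period ends the X-Firma-Signature-Old header disappears and a receiver still holding the previous secret will start rejecting every delivery.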

Audit Trails

Every signature event generates an immutable audit record. Audit logs capture:

  • Signer identity and email address

  • Timestamp of each action (viewed, signed, completed)

  • IP address of the signer

  • Document hash for tamper detection

  • Consent record confirming signer agreement

  • Completion status and certificate generation

Audit logs cannot be modified or deleted. You can retrieve them via the API for compliance reviews, legal disputes, or internal audits.

Compliance

Firma.dev is designed to support major e-signature and data protection frameworks

E-signature validity

Firma.dev produces legally binding electronic signatures under:

ESIGN Act and UETA (United States)

Electronic signatures are legally equivalent to handwritten signatures for most transactions.

eIDAS SES and AdES (European Union)

Firma.dev supports Simple Electronic Signatures and Advanced Electronic Signatures with tamper-evident audit trails and signer identification.

UK eIDAS (United Kingdom)

Electronic signatures remain valid under retained EU law.

Data protection

GDPR (European Union)

All data is stored in the EU. Firma.dev acts as a data processor on your behalf. A Data Processing Agreement is available for all customers. We assist with Data Subject requests as required.

HIPAA (United States)

Firma.dev runs on HIPAA-eligible AWS infrastructure and can be used for healthcare-related documents. Infrastructure eligibility alone does not make a service HIPAA compliant: if you intend to process protected health information (PHI), a Business Associate Agreement with Firma.dev is required. Contact support to request one.

Security standards

Firma.dev is designed with SOC 2 principles in mind. SOC 2 Type II and ISO 27001 certifications are on our roadmap.

Data Processing & Retention

Data Processing Agreement

A Data Processing Agreement is available for all customers here. Countersigned copies are available on request. Contact support.

Data Retention and Deletion

Documents are retained indefinitely unless you request deletion. Customers can request full account and data deletion at any time.

Data Subject Requests

For Data Subject requests under GDPR, Firma.dev will notify you promptly and provide reasonable assistance. We do not respond directly to Data Subject requests unless you authorize us or the law requires it. Full details are in the DPA.

Subprocessors

A list of subprocessors is included in the DPA.

Personnel Access Control

Access to customer data is limited to specific Firma.dev personnel. Viewing document content requires explicit account-level permission.

Security Testing and Incident Response

We employ full-time penetration testers and code reviewers to identify vulnerabilities before they reach production. Internal incident response policies are in place and tested regularly.

Responsible Disclosure

We welcome vulnerability reports from security researchers. If you discover a potential security issue, please contact us at security@firma.dev. We review all reports and respond promptly.

FAQ

Frequently asked questions

For security or compliance questions, reach out to security@firma.dev or contact support for DPA and allowlisting requests.

Is Firma.dev SOC 2 certified?

Not yet. Firma.dev is built on SOC 2-certified AWS infrastructure and designed with SOC 2 principles in mind. SOC 2 Type II certification is on our roadmap.

Where is my data stored?

All data is stored in the European Union. Data never leaves EU data centers. This includes documents, metadata, audit logs, and backups.

Can I get a copy of your DPA?

Yes. The DPA is available at firma.dev/legal/data-processing-agreement. If you need a countersigned copy, contact support.

Do you support HIPAA?

Firma.dev runs on HIPAA-eligible AWS infrastructure and can support healthcare-related use cases. Processing protected health information requires a Business Associate Agreement; contact support to request one.

How long are signing links valid?

Signing links expire after 7 days by default. You can configure custom expiration windows when creating templates.

Can I delete my data?

Yes. Customers can request full account and data deletion at any time. Contact support to initiate deletion.

Do you offer an SLA?

We do not offer formal SLAs at this time. System uptime is monitored publicly at status.firma.dev.

How do I report a security vulnerability?

Email security@firma.dev. We review all reports and respond promptly.

Ready to add secure e-signatures to your app?

Get your API key for free. No credit card required.
