Every signed document ships with a defensible audit trail. ESIGN Act and UETA compliant. SHA-256 tamper detection. Encryption in transit and at rest. This page is what we actually do, not what we wish we did.
All connections to docrunner.io and app.docrunner.io use TLS 1.2 or higher (TLS 1.3 preferred). HSTS enforced. Modern cipher suites only. Insecure protocols disabled at the load balancer.
Document files stored on AWS S3 with server-side AES-256 encryption. Application database (PostgreSQL on Render) uses encrypted volumes. Daily encrypted backups.
Every completed signing packet generates an auto-attached Certificate of Signature. Captured on every signer event:
The Certificate of Signature PDF and the underlying audit trail JSON are both archived alongside the signed packet on the monday.com board row.
U.S. federal law that gives electronic signatures the same legal weight as ink. Signer consent disclosure is shown and captured before signing begins. DocRunner is compliant by default.
State-level e-signature law adopted by 49 of the 50 U.S. states. DocRunner captures the consent-to-transact-electronically record required for UETA.
Every executed PDF is hashed with SHA-256 at the moment of completion. The hash is recorded in the Certificate of Signature. Any byte-level change to the signed PDF afterwards produces a different hash, allowing tamper detection.
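The check described above, as an added example (not DocRunner's code): it recomputes the SHA-256 of an executed PDF and compares it with the value recorded at completion. The `sha256` field name in the audit-trail JSON and the sample bytes are assumptions constructed for illustration; the page does not document the real schema.

```python
import hashlib
import hmac
import io
import json

CHUNK = 64 * 1024  # hash in chunks so large PDFs are not loaded into memory at once


def sha256_stream(stream):
    """Return the hex SHA-256 of a binary stream, read in fixed-size chunks."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def recorded_hash(audit_json):
    """Extract and normalise the recorded hash from audit-trail JSON.

    The "sha256" key is a hypothetical field name (assumption, see lead-in).
    """
    value = json.loads(audit_json)["sha256"].strip().lower()
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("recorded value is not a SHA-256 hex digest")
    return value


def verify_pdf(stream, audit_json):
    """True only if the PDF bytes still match the hash recorded at completion."""
    expected = recorded_hash(audit_json)
    actual = sha256_stream(stream)
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a stand-in for an executed PDF and its audit record.
SIGNED = b"%PDF-1.7\n% constructed sample of an executed packet\n%%EOF\n"
AUDIT = json.dumps({"sha256": hashlib.sha256(SIGNED).hexdigest().upper()})
TAMPERED = SIGNED.replace(b"executed", b"Executed")  # one byte changed

if __name__ == "__main__":
    print("original:", verify_pdf(io.BytesIO(SIGNED), AUDIT))
    print("tampered:", verify_pdf(io.BytesIO(TAMPERED), AUDIT))
```

The result is only as reliable as the stored copy of the recorded hash, so compare against the Certificate of Signature archived with the packet rather than a value supplied together with the file being checked.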
SOC 2 Type II, HIPAA, and eIDAS Advanced/Qualified e-signature certifications are on the roadmap but not in place yet. If your procurement requires one of these, talk to us about timeline.
All customer data is stored in the United States. We use the following subprocessors to operate the service:
Document file storage. AES-256 server-side encryption.
Application hosting + PostgreSQL database. US region.
Transactional email delivery for signing invitations and reminders.
Subscription billing. We do not store payment card numbers.
Cookieless website analytics. No personal data collected.
Aggregate marketing-site usage. Sets _ga cookies.
See the Privacy Policy for the full data flow.
Found a vulnerability? Email security@docrunner.io with reproduction steps. We'll acknowledge within 1 business day and work with you on coordinated disclosure. We do not run a paid bounty program yet, but we recognize responsible disclosure publicly when the reporter wants the credit.
We're an early-stage product. We don't yet have SOC 2 Type II, HIPAA BAA, or eIDAS qualified-signature certification. We do have the foundational controls (encryption, audit trails, compliance disclosures) and we're building toward the certifications. If your procurement requires a specific certification today, ask us about the timeline before you start a trial.