Security Policy

We are committed to provide the highest level of security. This is one of our top priorities.
Our general approach is that we always combine the industry standard security solutions with custom implementations. Studies have proven that none of the existing software solutions are 100% bullet proof from security prospective. The standard ones are the strongest and well tested, but they are also well known and constantly targeted by various attacks. This is why we took a different approach by developing a totally new a customized algorithm that is wholly secure. Custom approaches are less common, which gives the application a chance to survive in case there is a newly discovered security flaw in standard software.

Online security

Implementing HTTPS protocol and SSL encryption with SHA-256 algorithm will keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. Upon login, your connection with SkySignature is secure and highly encrypted. In addition to encryption, a proper SSL certificate installation and cyphers configuration is also very important. Currently there are many vulnerabilities related to SSL technology and it is critical to properly mitigate them.
To check the SSL safety visit the following URLS:
And for full SSL Report

Also utilizing the latest best advanced user authentication and authorization algorithm makes sure the highest level of security and privacy. If the user forgot to log out on any computer it is enough to login on another computer to invalidate all the previous sessions.

Document Storage and Encryption

Transport Encryption: uses 256 bit SSL encryption technology to secure all data in your session and to keep your personal information safe. This is the strongest type of encryption available for the web.

Firewalls:We protect all our servers with a firewalls to ensure only authorized traffic is permitted.
Backups: All data stored on our database which includes all the uploaded documents are regularly backed up to avoid potential data loss.

Data Retention: We stored store all your documents until you explicitly remove and delete it. After you finished signing process and no longer need the document to keep online you can delete it from your "Document List" and it will be physically removed from the server. The only document digest (hash) will remain for future authenticity verification.

Document storage: We chose the Amazon S3 as an industry trusted document storage and we believe this is a top quality secure documents vault. All the documents are stored in encrypted format and even our developers do not have the access to them. The documents are encrypted using a very long key and we believe it is virtually unbreakable.

Personal Information

Passwords: The passwords are not stored. We implement the best practices in the industry and store only password's hash for authentication purpose only. This hash is specifically developed for passwords and is currently the best choice for one way encryption.

Personal Data: Being PCI compliant, we do not collect or store any sensitive user's data like phone numbers, addresses, credit cards etc…

Payment: We only allow payment processing through Pay-Pal a trusted third party so we never have to store or access your sensitive credit card or billing on file.

General approach

Your contacts: The application does not have contact's search functionality. We believe that all your contacts have to come from real life and not as a result simple name search. Being an online service, there is no way we can identify the real person behind the email address. That is why the trust between you and your contacts (co-signors) has to come from outside of the application. You as a user have to know the email of the real person who you send invitation to. But that concept in no different from sending the document via fax.

Software: Our platform of choice is Linux this enterprise grade security, locked down ports and additional firewall on every server.

Document authenticity and signature verification: There are two major way to verify the authenticity of the document and the signature on it. The first one implements on x.509 certificate based PKI and the verification happens on the client - user's desktop. There are number of issues, which stopped us from relying on this technology:
- This technology does not guarantee the integrity of the whole document file just because the document's hash has to be embedded into the file, which creates a well known "Chicken and Egg" problem. - There is no common document's format, designed specifically for legal purposes. All common formats, including PDF are dynamic ones, meaning they can create the false impression of being verified.
- The certificate of the root CA has to be in the white list of the software, used to read and verify document. The current market is competitive and there is no guarantee that they have the same CA's white lists or they will not change it in the future. The situation may be similar to the Internet Browser's incompatibility problem.
- The current market certificate prices are prohibitively expensive for the general public. That means we cannot expect most of the users will have their own certificates and all the documents will be signed with the same certificate, which defeats the main idea of it.

We took the different and a very straight forward approach - to do the verification process on our servers. This will require the document to be uploaded for verification but we believe it is worth the effort just because it will guarantee the authenticity of the whole document's file and validity of the signatures. This also eliminates any current and future incompatibility in software vendors.





Title of the Message