Security Overview
A plain-English summary of Filosign's current security model, what the service can see, and what remains your responsibility. This is not a certification or audit report.
Last updated: June 19, 2026
Client-side encryption
Documents are encrypted in the browser before upload, including drafts. We store encrypted ciphertext, encrypted key material, and workflow metadata. We do not hold document decryption keys and do not need plaintext document contents for normal operation.
Key handling and access
Signing and document access rely on user authentication and wallet authorization. You are responsible for securing wallets, login methods, recovery materials, and invite or share links.
Proof records
Completed workflows can produce audit records and proof exports describing participants, timestamps, workflow status, and supporting application or on-chain references where applicable.
What Filosign processes
We process account data, workflow metadata, recipient emails, wallet addresses, transaction hashes, billing identifiers, support messages, operational logs, consent-gated analytics events, and encrypted files. See our Privacy Policy and Subprocessors list.
Administrative access
Production administrative access is limited to personnel who need it to operate, secure, and support the Service. We log sensitive administrative actions that affect accounts, entitlements, payout attachment access, or customer data where our tooling supports it.
Backups and availability
We rely on standard provider hosting infrastructure features, but we do not guarantee backups, recovery, or database replication. Senders and signers are solely responsible for maintaining local copies of all documents and proof packets.
Smart contract risk
Optional payout attachment uses public smart contracts on supported networks. Contracts are not represented as formally audited unless we publish an audit. Use payout attachment only for amounts and counterparties you understand and accept.
Incident response
If we confirm a security incident that affects personal data or account security in a manner that triggers a legal notification obligation, we investigate, take containment steps, and notify affected users or regulators as required by applicable law. We do not promise advance notice beyond what the law requires.
Report a vulnerability
Report security issues to security@filosign.xyz. Include reproduction steps. Do not access, modify, or disclose other users' data.
Product guides
Plain-language help for privacy, signing records, and proof exports: Document privacy, Verification records, and Proof packets.