Customer Security Brief

A short, plain-English answer to "how safe is my data?". No jargon — just where SignSheet sits compared to other services you already trust with your information.

The bottom line

The security ladder

A simple way to compare. Where common services land:

• 10
  Canadian Banks

  RBC, TD, Scotiabank — federally regulated, hardware tokens, real-time fraud detection.
• 9
  Insurance Giants

  Manulife, Sun Life — federally regulated, encrypted at every layer.
• 8
  SignSheet · Payment SystemsThat's us

  Stripe, Square — and SignSheet. Independently audited, regular outside testing, full encryption.
  You are here
• 7
  Big Cloud Tools

  Salesforce, HubSpot, Mailchimp — solid baseline, occasional outside audits.
• 6
  Average SaaS

  Most everyday business tools. Reasonable defaults, no formal audits.
• ≤5
  Hobby & Side-Project Apps

  Avoid for real business data.

What's protecting your data right now

1 · Your company is sealed off

Each company in SignSheet lives in its own room. Even if our app makes a mistake, the database itself refuses to hand over another company's data. Three independent locks, all checked automatically.

2 · Email links instead of passwords

You don't memorise a password. We email you a one-time link that expires in 10 minutes and works once. Open it from any device — phone, laptop, work computer.

3 · Your files are locked

Every file you upload (logos, scanned timesheets) lives in a private vault. Outsiders get a "not found" error if they try. Your team gets short-lived access keys, fresh on each download.

4 · No runaway costs

We cap how fast anyone can use the system — including legitimate users. A buggy script can't drive your bill up or block other users from working.

5 · Encryption everywhere

The connection between your browser and SignSheet is encrypted. Browsers will refuse to connect unencrypted for the next two years. Six layers of browser-level protections on every page.

6 · Tamper-proof history

Sign-ins, exports, settings changes, member edits — all logged. The history can't be edited or deleted, even by us. If something is ever disputed, the record is the source of truth.

What we're adding next

• Week 1: 24/7 automatic problem detection — an alert pings us in minutes if anything breaks.
• Month 1: Last few service tables move to the same bank-level isolation as the rest.
• Month 2: Independent security firm acts like attackers and stress-tests the app. We fix what they find and share the report.
• Month 3+: Formal compliance certificate (the same one Stripe and Salesforce hold) — ready when your contracts require it.

Security isn't a checkbox we tick once. It's quarterly reviews, independent testing, and regression checks on every change.

What you should do

• Don't share your secure link. The email link is yours alone — works one time, then dies.
• Remove people who leave in Settings → Members. Their next sign-in won't work.
• Tell us if anything looks off — we trace it back to source via the audit log.

Watch out for

We never ask for a password (there isn't one). We never email you to "verify your account" with a link to a different website. If an email isn't from noreply@signsheet.app — it isn't us. When in doubt, forward to support@signsheet.app.

Refresh cadence

We'll refresh this page every quarter, and after anything material happens. If something here is unclear, write to support@signsheet.app — we'd rather over-explain than have you wonder.