Security
How Atlas protects your contracts and signing data. Forward this page to your legal or security team.
Encryption
At rest: AES-256 encryption on all stored documents and signing data.
In transit: TLS 1.2+ enforced on all connections. TLS 1.3 preferred.
Document storage: PDFs stored in private cloud storage buckets. Download URLs are signed and time-limited. No public bucket access.
Legal compliance
ESIGN Act: Atlas signatures meet the requirements of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.).
UETA: Compliant with the Uniform Electronic Transactions Act, adopted in all 50 U.S. states.
eIDAS (SES): Default EU workflows use Simple Electronic Signatures under eIDAS Regulation (EU) 910/2014. Cross-border recognition of SES depends on your jurisdiction and document type.
Qualified signatures (QES): Available only through an accredited QTSP partner integration, opt-in per envelope. Atlas facilitates the ceremony; the trust service provider issues the qualified certificate. Contact us if your matter requires QES.
Legal review: The Atlas signing process has been reviewed by legal counsel for compliance with U.S. electronic signature law. Contact us if you need a letter for your records.
Audit trail and tamper evidence
Every signing event is recorded and cryptographically tied to the document. When an envelope completes, Atlas stores two PDFs: the executed document and a separate Atlas Signing Record. The signing record contains:
Signer identity: Email address and full name as entered.
IP address: The signer's IP address at the moment of signature.
Timestamp: UTC timestamp of each signing event, precise to the millisecond.
SHA-256 document hash: A cryptographic fingerprint of the signed PDF. If the document is altered after signing, the hash will not match.
HMAC-attested agent identity: When a signing request comes from an AI agent or API integration, the agent's identity is HMAC-signed and recorded in the audit trail.
Tamper-evident event chain: Signer events are chained with HMAC-SHA256. Each event's hash includes the previous event's hash, so any insertion, deletion, or modification of events breaks the chain and is immediately detectable.
Envelope ID on signatures: A short envelope ID is printed with each signature on the executed document, linking the contract to the signing record file.
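How an HMAC-SHA256 event chain of the kind described above exposes tampering, as an added example that is not Atlas's own code. The event fields, the JSON canonicalization, the all-zero genesis value and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32         # assumed "previous hash" for the first event
KEY = b"constructed-demo-key"  # constructed; a real chain key stays server-side

# Constructed sample events (field names are assumptions, not Atlas's schema).
EVENTS = [
    {"signer": "alice@example.com", "action": "viewed", "ip": "203.0.113.10", "ts": "2024-01-01T10:00:00.000Z"},
    {"signer": "alice@example.com", "action": "signed", "ip": "203.0.113.11", "ts": "2024-01-01T10:02:13.512Z"},
    {"signer": "bob@example.com", "action": "signed", "ip": "203.0.113.12", "ts": "2024-01-01T11:40:02.007Z"},
]


def event_mac(key: bytes, prev_mac: bytes, event: dict) -> bytes:
    """HMAC-SHA256 over the previous MAC (fixed 32 bytes) plus the canonical event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + body, hashlib.sha256).digest()


def build_chain(key: bytes, events: list) -> list:
    """Return a list of links, each carrying a copy of its event and its hex MAC."""
    chain, prev = [], GENESIS
    for ev in events:
        prev = event_mac(key, prev, ev)
        chain.append({"event": dict(ev), "mac": prev.hex()})
    return chain


def verify_chain(key: bytes, chain: list, expected_head: str = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad link.

    expected_head is the final MAC stored outside the chain; without it,
    dropping events from the end of the chain goes unnoticed.
    """
    prev = GENESIS
    for i, link in enumerate(chain):
        mac = event_mac(key, prev, link["event"])
        if not hmac.compare_digest(mac, bytes.fromhex(link["mac"])):
            return i
        prev = mac
    if expected_head is not None and not hmac.compare_digest(prev, bytes.fromhex(expected_head)):
        return len(chain)  # every link is valid, but the chain ends early
    return -1
```

Because HMAC is keyed, only a holder of the key can run this check. Truncation at the tail is caught only when the final MAC is pinned somewhere outside the chain.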
Download artifacts
The executed document is at GET /api/envelope/{id}/pdf. Its SHA-256 hash is stored on the envelope row.
The Atlas Signing Record is at GET /api/envelope/{id}/audit-cert. It bundles document hashes, signer events, IPs, timestamps, and the certificate hash into one legal artifact.
Infrastructure
Hosting: Application and data hosted on enterprise cloud infrastructure. US-based data residency.
Access control: Row-level security enforced on all database tables. API keys are hashed before storage.
Webhook signatures: All outbound webhooks are signed with HMAC-SHA256 using your API key. Verify with the X-Atlas-Signature header.