Security
How Atlas protects your contracts and signing data. Forward this page to your legal or security team.
Encryption
At rest: AES-256 encryption on all stored documents and signing data.
In transit: TLS 1.2+ enforced on all connections. TLS 1.3 preferred.
Document storage: PDFs stored in private cloud storage buckets. Download URLs are signed and time-limited. No public bucket access.
Legal compliance
ESIGN Act: Atlas signatures meet the requirements of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.).
UETA: Compliant with the Uniform Electronic Transactions Act, adopted in all 50 U.S. states.
eIDAS: Meets the EU Regulation on electronic identification and trust services for cross-border recognition.
Legal review: The Atlas signing process has been reviewed by legal counsel for compliance with U.S. electronic signature law. Contact us if you need a letter for your records.
Audit trail and tamper evidence
Every signing event is recorded and cryptographically tied to the document. The Certificate of Completion is appended to every signed PDF and contains:
Signer identity: Email address and full name as entered.
IP address: The signer's IP address at the moment of signature.
Timestamp: UTC timestamp of each signing event, precise to the millisecond.
SHA-256 document hash: A cryptographic fingerprint of the signed PDF. If the document is altered after signing, the hash will not match.
HMAC-attested agent identity: When a signing request comes from an AI agent or API integration, the agent's identity is HMAC-signed and recorded in the audit trail.
Tamper-evident event chain: Signer events are chained with HMAC-SHA256. Each event's hash includes the previous event's hash, so any insertion, deletion, or modification of events breaks the chain and is immediately detectable.
Envelope ID stamped on every page: The Atlas Envelope ID is printed on every page of the signed document, linking the PDF to its audit record even if the certificate page is separated.
Public verification
Every signed envelope has a public verification URL: atlaswork.ai/verify/{envelope_id}. No login required. Anyone with the URL can confirm the document hash, signing timestamp, and signer identity.
The full cryptographic audit trail is available via API: GET /api/envelope/{id}/audit.
The HMAC event chain can be independently verified: GET /api/envelope/{id}/audit/verify. Returns pass/fail with the exact event where tampering was detected, if any.
Infrastructure
Hosting: Application and data hosted on enterprise cloud infrastructure. US-based data residency.
Access control: Row-level security enforced on all database tables. API keys are hashed before storage.
Webhook signatures: All outbound webhooks are signed with HMAC-SHA256 using your API key. Verify with the X-Atlas-Signature header.