Trust Center

Security, privacy, compliance, and data handling documentation for Abundera Sign. We believe transparency builds trust.

🔒 Security Overview

How we protect your documents and data at every layer.

  • Cloudflare Pages + Workers (edge-deployed, no origin server)
  • All data encrypted in transit (TLS 1.3) and at rest
  • 256-bit CSPRNG-generated tokens, stored only as SHA-256 hashes (never raw)
  • Hash-chained audit trail — tamper detection is automatic
  • AWS KMS (FIPS 140-2 Level 3) for document signing keys
  • JWT + JWKS authentication with product-scoped API keys
  • Rate limiting (IP + user), CORS, body size limits
  • 9 independent verification anchors per envelope

🕵 Privacy & Data Handling

What we collect, why, and how we handle it.

  • Signer email, name, IP address, and user agent recorded for evidence
  • Optional features (photo, GPS, audio, video) are opt-in and consent-gated
  • Evidence data stored in sealed WORM buckets — not modifiable after sealing
  • No third-party analytics or tracking on signing pages
  • AI summaries processed via Cloudflare Workers AI (no external LLM calls)
  • Signing pages do not set cookies or use fingerprinting
  • Privacy policy: abundera.ai/privacy

📅 Retention & Deletion

How long we keep documents and how deletion works.

  • Starter: 3-year WORM retention
  • Professional: 7-year WORM retention
  • Business: Configurable up to 99 years
  • WORM (Write Once Read Many) storage — evidence packages immutable after sealing
  • Automated retention cron purges expired packages
  • Archived envelopes excluded by default, recoverable before purge
  • Demo envelopes: 90-day retention in separate WORM bucket

🌐 Subprocessors

Third-party services that process data on our behalf.

  • Cloudflare — hosting, CDN, D1 database, KV storage, R2 object storage, Workers AI
  • ZeptoMail (Zoho) — transactional email delivery (primary)
  • Resend — transactional email delivery (fallback)
  • Twilio — SMS OTP delivery
  • SSL.com + DigiCert — RFC 3161 timestamp authorities
  • Veriff — government ID verification (optional)
  • AWS KMS — hardware security module for signing keys
  • GitHub — evidence anchoring (public commit)

Availability & Incident Response

How we keep the service running and handle incidents.

  • Deployed on Cloudflare's global edge network (300+ cities)
  • Business plan: 99.9% SLA
  • Health endpoint: /api/v1/health (checks D1, KV, R2)
  • Dual email provider failover (ZeptoMail → Resend)
  • Email retry queue with automatic re-delivery (up to 3 attempts)
  • Dual RFC 3161 TSA redundancy (SSL.com + DigiCert)
  • Graceful degradation — optional anchors fail independently

Legal & Compliance

Regulatory framework and legal standards we support.

  • ESIGN Act (15 U.S.C. § 7001) compliant
  • UETA (Uniform Electronic Transactions Act) compliant
  • PAdES-LTA digital signatures (ETSI EN 319 142)
  • RFC 3161 trusted timestamps (IETF standard)
  • Court-ready Declaration of Custodian of Records (FRE 803(6), 901(b)(9), 902(11), 902(14))
  • WORM storage for evidence immutability
  • Terms of service: abundera.ai/terms

📨 Contact Security / Report Vulnerability

Found a security issue? We take responsible disclosure seriously.

Security contact: security@abundera.ai

General support: support@abundera.ai

Abundera Sign provides technical and evidentiary records. Admissibility, sufficiency, and litigation strategy depend on jurisdiction, facts, and counsel.