Security you can trust. Records you can prove.
DocOtto takes data security seriously, with enterprise-grade encryption and legally defensible e-signature workflows.
Security and data protection are our highest priority, and our site is SOC 2 Type II aligned: we maintain documented controls and operating practices across all five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). While we have not yet completed an official SOC 2 Type II audit, our internal compliance program tracks the required controls with continuous remediation.
Access Controls
Row-Level Security in our database, cross-platform rate limiting with lockout, Cloudflare Turnstile CAPTCHA, and quarterly access reviews.
Encryption
TLS 1.2+ everywhere. AES-256-GCM field-level encryption for sensitive PII. Versioning on every uploaded document.
Incident Response
Sentry monitoring with PII scrubbing. Documented response, escalation, and rollback procedures.
Vendor Policies
Documented vendor management policy. SOC 2-attested vendors only, with reports on file.
Data Retention & Privacy
Documented retention policies by data type. DSAR self-service endpoint. GDPR and CCPA-aligned privacy notices.
Change Management
GitHub Actions CI gates every merge with lint, type check, and build. CODEOWNERS enforces review.
Risk Assessment
Maintained risk register with documented risks and mitigations. Quarterly risk review cadence. Threat model for high-value assets.
Vulnerability Management
Continuous security scanning via our managed scanner. Documented vulnerability management policy.
Governance
Information Security Policy, Code of Conduct, and a Security Awareness Training program.
Audit-Ready Signing Trail
Every signature captures consent, intent, timestamp, and IP. Each completed document ships with an ESIGN verification certificate including a tamper-evident hash and geolocation context.
Secure Payments
Payments processed securely via Stripe. We never store credit card numbers on our servers.
Reliable Infrastructure
Hosted on enterprise-grade cloud infrastructure with 99.9% uptime SLA and automatic backups.
Privacy First
We never sell your data. GDPR and CCPA compliant. Your data belongs to you.

Legally Binding E-Signatures
DocOtto captures consent to do business electronically, signature intent, timestamps, and document integrity logs, so records are easy to retrieve and easier to defend.
Designed to support ESIGN Act and UETA electronic signature workflows.
Compliance & Certifications
Security FAQ
Where is my data stored?
Your data is stored in SOC 2-compliant AWS data centers in the United States. Database services are hosted on AWS infrastructure with automatic backups and encryption.
Are e-signatures legally binding?
Yes. DocOtto e-signatures comply with the ESIGN Act and UETA requirements, making them legally equivalent to handwritten signatures. Each signature includes a comprehensive audit trail with timestamp, IP address, and consent record.
Can I export my data?
Yes. You can download completed documents at any time. For full data exports including templates and submission data, contact our support team.
What happens to my data if I cancel?
Upon account cancellation, you have 30 days to export your data. After that period, your data is permanently deleted from our systems and backups within 90 days.
Do you share data with third parties?
We never sell your data. We only share data with service providers essential to operating DocOtto (e.g., email delivery, payment processing), and these providers are contractually bound to protect your data.
Responsible Disclosure
Found a security vulnerability? We appreciate your help in keeping DocOtto secure. Report it responsibly and we'll work with you to address it.
Questions about security?
Schedule a demo and we'll walk you through our security features.