Trust & security
How SteadSign protects documents — stated plainly, verifiable where possible.
Tamper-evident by design
Every completed document is fingerprinted with SHA-256 — one for the original and one for the signed file. The fingerprints, signer identities, timestamps, and IP addresses are sealed into a keyed (HMAC) verification record the moment signing completes.
Change a single byte of a signed PDF and its fingerprint no longer matches the record. That is what "tamper-evident" means here — not a promise, a property you can test yourself on the Verify page.
Verification is permanent — files are your choice
The verification record (certificate, audit trail, fingerprints) is kept permanently and is independent of the signed file itself.
The sender chooses per document whether SteadSign deletes the signed file right after signing, keeps it for 7 days, or stores it in the Vault. Even after a file is deleted, anyone holding a copy can verify it by re-uploading it — the fingerprint check runs in the browser and the copy is never stored.
Where your data lives
Documents are stored in encrypted object storage and metadata in our database, hosted on Cloudflare infrastructure with our primary region in Asia-Pacific (Singapore). Data is encrypted in transit (TLS) and at rest.
Signature images, originals, signed files, and certificates are stored per company and are never shared across tenants.
Access control
Each signer receives a unique, single-recipient signing link that expires. Resending an invite invalidates the previous link. Voiding a document kills every live link instantly.
Sender accounts are protected by hashed passwords today, with passkeys (Face ID / Touch ID) next on our security roadmap — device-bound sign-in with nothing to phish.
Legal standing in Singapore
SteadSign produces electronic signatures with the consent, identity association, and record integrity that the Singapore Electronic Transactions Act contemplates for electronic signatures. Signers explicitly agree to sign electronically before adopting a signature.
Whether a specific document type may be signed electronically remains your responsibility — some instruments (like wills) have special rules. This page is information, not legal advice.
Email safety
Signing emails carry a plain warning that the link is unique to the recipient, plus our full legal identity and links to our Terms and Privacy Policy — so recipients can tell a genuine SteadSign email from a phishing attempt.
If you receive a SteadSign email you did not expect, do not forward it; contact the sender directly.
Honesty about certifications
SteadSign is a young product. We do not yet hold third-party certifications such as ISO 27001 or SOC 2, and we will not claim badges we have not earned. What we publish here is how the system actually works — and you can verify the core claims cryptographically, which no badge does.
Test it, don't take our word
Take any SteadSign-signed document and check it against the register.
Verify a documentSecurity question or something to report? Email contact@steadgroup.com.sg.
SteadSign is a product of Stead Group Pte. Ltd. · Terms · Privacy