SteadSignVerify a document

Trust & security

How SteadSign protects documents — stated plainly, verifiable where possible.

Tamper-evident by design

Every completed document is fingerprinted with SHA-256 — one for the original and one for the signed file. The fingerprints, signer identities, timestamps, and IP addresses are sealed into a keyed (HMAC) verification record the moment signing completes.

Change a single byte of a signed PDF and its fingerprint no longer matches the record. That is what "tamper-evident" means here — not a promise, a property you can test yourself on the Verify page.

Verification is permanent — files are your choice

The verification record (certificate, audit trail, fingerprints) is kept permanently and is independent of the signed file itself.

The sender chooses per document whether SteadSign deletes the signed file right after signing, keeps it for 7 days, or stores it in the Vault. Even after a file is deleted, anyone holding a copy can verify it by re-uploading it — the fingerprint check runs in the browser and the copy is never stored.

Where your data lives

Documents are stored in encrypted object storage and metadata in our database, hosted on Cloudflare infrastructure with our primary region in Asia-Pacific (Singapore). Data is encrypted in transit (TLS) and at rest.

Signature images, originals, signed files, and certificates are stored per company and are never shared across tenants.

Access control

Each signer receives a unique, single-recipient signing link that expires. Resending an invite invalidates the previous link. Voiding a document kills every live link instantly.

Sender accounts are protected by hashed passwords today, with passkeys (Face ID / Touch ID) next on our security roadmap — device-bound sign-in with nothing to phish.

Legal standing in Singapore

SteadSign produces electronic signatures with the consent, identity association, and record integrity that the Singapore Electronic Transactions Act contemplates for electronic signatures. Signers explicitly agree to sign electronically before adopting a signature.

Whether a specific document type may be signed electronically remains your responsibility — some instruments (like wills) have special rules. This page is information, not legal advice.

Email safety

Signing emails carry a plain warning that the link is unique to the recipient, plus our full legal identity and links to our Terms and Privacy Policy — so recipients can tell a genuine SteadSign email from a phishing attempt.

If you receive a SteadSign email you did not expect, do not forward it; contact the sender directly.

Honesty about certifications

SteadSign is a young product. We do not yet hold third-party certifications such as ISO 27001 or SOC 2, and we will not claim badges we have not earned. What we publish here is how the system actually works — and you can verify the core claims cryptographically, which no badge does.

Test it, don't take our word

Take any SteadSign-signed document and check it against the register.

Verify a document

Security question or something to report? Email contact@steadgroup.com.sg.
SteadSign is a product of Stead Group Pte. Ltd. · Terms · Privacy