In 2025, the average cost of a data breach in Australia reached $4.26 million. For businesses handling contracts, agreements, and legal documents, a security incident does not just cost money -- it destroys trust and can create legal liability.
Ironically, electronic signatures are often more secure than traditional paper processes. A paper document can be photocopied, forged, or lost. An electronically signed document has encryption, an audit trail, and tamper evidence that paper simply cannot match.
But not all eSignature platforms are equal. The security of your documents depends on the practices of the platform you choose. Here is what to look for.
Every byte of data is encrypted. TLS 1.3 protects data moving between your browser and our servers. AES-256 encrypts data stored on our infrastructure. Even our internal team cannot read your documents.
Strong authentication prevents unauthorised access. SignAndGo supports email/password, Google OAuth, and Microsoft OAuth. Two-factor authentication adds a second layer of verification.
Every action on every document is recorded with timestamps, IP addresses, user agent strings, and geolocation. This creates a tamper-evident chain of evidence that exceeds the reliability of wet signatures.
Beyond encryption and authentication, SignAndGo applies multiple layers of application security to prevent exploitation, injection attacks, and data leakage.
All data is stored in Sydney, Australia (Google Cloud australia-southeast1). This is not a promise -- it is an infrastructure constraint. Our services are pinned to the Sydney region.
Users only see documents they are authorised to access. Business accounts have role-based access control. API keys use scoped permissions (read, write, sign, admin).
Before trusting a platform with your sensitive documents, ask these questions.
Where is my data stored? Can you guarantee it stays in my jurisdiction?
What encryption is used in transit and at rest?
Do you support two-factor authentication?
What information does the audit trail capture?
How do you protect against server-side request forgery (SSRF)?
What happens to my data if I cancel my subscription?
Do you have a vulnerability disclosure or bug bounty program?
How are API keys scoped and managed?
What certifications or compliance frameworks do you follow?
How quickly can you respond to a security incident?
The Australian Privacy Principles (APPs) under the Privacy Act 1988 regulate how personal information is handled. Data residency in Australia simplifies compliance with APP 8 (cross-border disclosure) and APP 11 (security of personal information).
This Act and its state equivalents give electronic signatures legal validity. The security of your signing process strengthens the evidentiary weight of your signed documents.
Financial services (APRA), healthcare, government, and legal sectors have additional data handling requirements. Australian data residency and strong audit trails help meet these sector-specific obligations.
The Notifiable Data Breaches (NDB) scheme requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of eligible data breaches. Strong encryption and access controls reduce both the likelihood and impact of breaches.
A secure platform is only part of the equation. Here is what you should do on your end to maximise document security.
Protect your account with 2FA. Even if your password is compromised, 2FA prevents unauthorised access.
Use a password manager and generate unique passwords for every service. Never reuse passwords across platforms.
For business accounts, review who has access and remove users who no longer need it. Apply the principle of least privilege.
Scope API keys to the minimum permissions needed. Rotate keys regularly and never commit them to version control.
Use the correct email addresses for signers. For high-value documents, consider requiring additional identity verification.
SignAndGo uses TLS 1.3 encryption for all data in transit and AES-256 encryption for data at rest. Signed documents are sealed with a digital certificate that makes any post-signing tampering detectable. This exceeds the encryption standards used by most traditional document handling processes.
An audit trail is a detailed record of every action taken on a document — who opened it, when they signed, their IP address, device information, and geolocation. This creates an evidence chain that is admissible in Australian courts and far more reliable than the evidence available for traditional wet signatures.
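The page does not say how the audit trail is made tamper-evident; a hash chain is one common construction, shown here as an added example that is not SignAndGo's code. The entry fields mirror the ones listed above; the chaining design, class and function names, and the sample events are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash carried by the first entry


def entry_digest(prev_hash: str, fields: dict) -> str:
    # Canonical JSON so key order and whitespace cannot change the digest.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


class AuditTrail:
    """Append-only log for one document; every entry commits to its predecessor,
    so editing, reordering or deleting an earlier entry breaks all later links."""

    def __init__(self, document_id: str) -> None:
        self.document_id = document_id
        self.entries: list[dict] = []

    def record(self, actor, action, ip, user_agent, geo, ts=None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        fields = {"document_id": self.document_id, "actor": actor,
                  "action": action, "ip": ip, "user_agent": user_agent,
                  "geo": geo, "ts": ts or datetime.now(timezone.utc).isoformat(),
                  "prev_hash": prev}
        fields["hash"] = entry_digest(prev, fields)  # digest taken before "hash" is added
        self.entries.append(fields)
        return fields["hash"]

    def verify(self) -> tuple[bool, int]:
        """Return (True, entry count) or (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if e.get("prev_hash") != prev or entry_digest(prev, fields) != e.get("hash"):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def sample_trail() -> AuditTrail:
    """Constructed sample events (not real data) for a single document."""
    t = AuditTrail("doc-42")
    t.record("alice@example.com", "viewed", "203.0.113.10", "Mozilla/5.0", "Sydney, AU", "2025-06-01T00:00:00+00:00")
    t.record("alice@example.com", "signed", "203.0.113.10", "Mozilla/5.0", "Sydney, AU", "2025-06-01T00:05:00+00:00")
    t.record("bob@example.com", "signed", "198.51.100.7", "Mozilla/5.0", "Melbourne, AU", "2025-06-01T01:00:00+00:00")
    return t
```

Verification walks the chain from the genesis value, so a changed IP address, a swapped action, or a deleted entry is reported at the first index where the links no longer agree.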
SignAndGo stores all data in Google Cloud's Sydney (australia-southeast1) region. Documents, signatures, audit trails, and user data never leave Australia. This meets Australian Privacy Principles and data sovereignty requirements for government, healthcare, legal, and financial services.
SignAndGo implements SSRF protection on all outbound server requests (such as webhook delivery), blocking requests to private IP ranges, localhost, and internal network addresses. All user inputs that could influence server-side requests are validated and sanitised.
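One way to implement the outbound destination check described above, as an added example that is not SignAndGo's code: the validator rejects non-HTTPS schemes, embedded credentials and localhost, resolves the hostname and requires every answer (not only the first) to be a public address, and returns the vetted IP so the sender can pin it rather than resolve a second time. The HTTPS-only rule, the function names and the injectable resolver are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: webhooks are delivered over TLS only


def is_blocked_address(ip) -> bool:
    """True for loopback, RFC 1918, ULA, link-local (which covers the
    169.254.169.254 cloud metadata address), multicast and reserved ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return (not ip.is_global) or ip.is_multicast


def default_resolve(host: str) -> list[str]:
    """Live DNS lookup; the validator takes an injected resolver for offline tests."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def validate_webhook_url(url: str, resolve=default_resolve) -> tuple[bool, str]:
    """Return (ok, detail). On success detail is the first vetted IP; connect to
    that IP (sending the hostname in the Host header and SNI) rather than resolving
    again, so the answer cannot change between check and connection (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            return False, "localhost not allowed"
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for a in addrs:  # every answer must be public, not just the first
        if is_blocked_address(ipaddress.ip_address(a)):
            return False, f"{host} resolves to non-public address {a}"
    return True, addrs[0]
```

Checking all resolved addresses matters because a hostname can legitimately return several records, and a single private one among them is enough to reach an internal service.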