Security

Verifiable instead of certified.

Most vendors hand you a badge and ask for trust. We hand you a public verifier and a public JWKS — verify the signature yourself, no account required.

Four principles, no marketing copy.

  • Tamper-evident audit chain

    Every view, OTP attempt, field fill, and signature is hashed and chained. Modify any event and the chain stops verifying. Append-only by design.

  • Cryptographic receipts

    On completion, the head hash is signed with EdDSA. The receipt is a standard JWS, verifiable against our public JWKS by any jose-compatible library. When you verify it, pin the expected algorithm (EdDSA) and select the key by its kid rather than trusting whatever the header claims.

  • OTP-gated signing

    Every recipient authenticates via email OTP before the signing session opens. Rate-limited, attempt-tracked, and locked on abuse — every attempt is an audit event.

  • Soft-delete with audit trail

    Erasure is recorded as an audit event, not a quiet UPDATE. A stronger guarantee — per-recipient cryptographic erasure — is designed and on the roadmap. We tell you what's shipped and what isn't.

What we don't claim

The honest list of things we're not yet.

We'd rather under-promise here than ship a security page padded with framework names. Today, DocuCRM is not SOC 2 certified, not eIDAS QES, and not running per-recipient cryptographic erasure. Each of those is on a roadmap and we'll update this page the day it ships — not the day we start the project.

What we do ship is the verifier above. Drop any signed PDF and its receipt into it and judge the proof yourself.

Responsible disclosure

Found something? We'll work with you in good faith.

Email security@docucrm.com with a clear reproduction. We aim to reply within one working day. We will not pursue legal action against researchers acting in good faith.

Free for everyone

Send your first signed contract in ten minutes.

No credit card. No trial timer. No seat counter. Open the app, sign your first document, and we'll get out of your way.

Open the app

Built and hosted at app.docucrm.com.