Security at SignoffRoom
Many SignoffRoom customers publish copy where a leak before the embargo is a regulated event. We treat security accordingly. Below is a plain summary; for the formal language see our Privacy Policy and Terms of Service.
Application
- Passwords are stored as a modern salted hash (we never see plaintext).
- Sessions are signed, HTTP-only, secure cookies with a configurable inactivity timeout.
- Role-based access control within an organization (Admin, Owner, Editor, Reviewer, Approver, External Reviewer, Viewer).
- External reviewer links are unguessable, scoped to a single release, and optionally time-limited.
- Single sign-on via SAML 2.0 (Enterprise). SCIM provisioning on the roadmap.
Infrastructure
- TLS 1.2+ in transit; AES-256 at rest for primary data stores.
- Hosted on SOC 2 Type II-attested cloud infrastructure.
- Production databases isolated by network segmentation.
- Daily encrypted backups with a 30-day retention window. Point-in-time restore available on Enterprise.
Operations
- Annual penetration test by an independent third party.
- Least-privilege access for the team. All production access is logged.
- Background checks on every team member with production access.
- Mandatory security training for new hires.
Audit trail
Every edit, approval, lock, unlock, export, and external-link event is recorded against the release with actor, timestamp, and (for edits) diff. On the Pro plan and above, audit logs are exportable.
Disclosure
We operate a coordinated disclosure program. Send security reports to security@signoffroom.com. We respond within one business day and credit researchers (with permission) on this page.
Subprocessors
SignoffRoom uses a short list of subprocessors for hosting, database, and transactional email. A current list is available on request from security@signoffroom.com.
Compliance
We support GDPR data subject requests at privacy@signoffroom.com. A Data Processing Addendum is available on Enterprise plans. SOC 2 Type II report is available under NDA.