A
Agreement
  • Features
  • How it Works
  • Pricing
  • Enterprise
  • Developers
Sign In Start Free Trial

Security

Last updated: May 20, 2026  ยท  Beezifi Inc.

Security is foundational to Agreement. Legal documents and signatures are sensitive, and we take every measure to protect the confidentiality, integrity, and availability of your data. This page describes the technical and organizational controls we have in place.

๐Ÿ”’
Encryption in Transit
All data between your browser and our servers is encrypted using TLS 1.2 or higher with HSTS enforcement.
๐Ÿ—„๏ธ
Data Isolation
Every organization operates in a fully isolated database. Your data is never co-mingled with another organization's data.
๐Ÿ”‘
Password Security
Passwords are hashed with bcrypt (cost factor 12) and never stored or logged in plaintext.
๐Ÿ“ฑ
Two-Factor Auth
TOTP-based two-factor authentication is available for all users and required for administrator accounts.
๐Ÿ“‹
Full Audit Trail
Every signature event โ€” IP address, timestamp, device fingerprint โ€” is logged and included in tamper-evident completion certificates.
๐Ÿ›ก๏ธ
Application Hardening
HTTP security headers (CSP, X-Frame-Options, HSTS), parameterized queries preventing SQL injection, and rate limiting on all endpoints.

Infrastructure Security

Data Isolation Architecture

Agreement uses a per-organization database model. Every workspace has its own isolated database with validated tenant identifiers checked on every request. There is no shared schema โ€” an error in one tenant context cannot expose another tenant's data.

Encryption

All connections use TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced, preventing downgrade attacks. Sensitive fields receive application-layer encryption before being written to the database. Backup snapshots are encrypted at rest.

Infrastructure Segmentation

Application servers and database servers operate on separate network segments. Database servers are not directly internet-accessible. The application process runs under a least-privilege account with no write access outside its designated directories.

Application Security

Authentication

  • Passwords hashed with bcrypt (cost factor 12)
  • Short-lived signed JWTs for session management, rotated on every request cycle
  • TOTP two-factor authentication compatible with Google Authenticator, Authy, 1Password, and any TOTP-compliant app
  • Rate limiting on login and registration endpoints to prevent brute-force attacks
  • Account lockout after repeated failed authentication attempts

Role-Based Access Control

Agreement enforces role-based permissions at every API endpoint. Users can only access documents and actions permitted by their assigned role within their organization. Cross-organization access is architecturally prevented.

Input Validation and Injection Prevention

All database queries use parameterized statements โ€” SQL injection is not possible. All HTML output is escaped to prevent XSS. File uploads are validated for type and scanned before storage. API inputs are validated against strict schemas with request body size limits.

Security Headers

Every HTTP response from Agreement includes:

  • Content-Security-Policy โ€” restricts script and resource origins
  • X-Frame-Options: DENY โ€” prevents clickjacking
  • X-Content-Type-Options: nosniff โ€” prevents MIME sniffing
  • Strict-Transport-Security โ€” enforces HTTPS for all connections
  • Referrer-Policy: no-referrer โ€” limits referrer leakage

E-Signature Integrity

Signed agreements are sealed with a tamper-evident audit trail. Each completion certificate includes the full chronological event log (views, signing actions, IP addresses, timestamps) and is cryptographically linked to the document content. Any post-signing modification to the document is detectable.

Agreement complies with the U.S. ESIGN Act and UETA, and produces basic electronic signatures under the EU eIDAS Regulation.

Audit Logging

We maintain comprehensive, append-only audit logs for all user actions, administrative changes, and authentication events. Logs include timestamps, actor identity, IP address, and affected resources. These logs are retained for a minimum of 12 months and are accessible to organization administrators within the platform.

Incident Response

In the event of a confirmed security breach affecting your data, we commit to:

  • Notifying affected organizations within 72 hours of breach confirmation, consistent with GDPR Article 33 requirements
  • Providing a clear description of the nature of the breach, data categories affected, and our response actions
  • Cooperating with affected customers and relevant authorities throughout the investigation

Shared Responsibility

Security is a shared responsibility. We ask that you:

  • Use a strong, unique password for your Agreement account
  • Enable two-factor authentication, especially for administrator accounts
  • Review and manage team member access regularly
  • Log out of shared devices after use
  • Report any suspicious activity to security@beezifi.com immediately

Vulnerability Disclosure

If you discover a security vulnerability in Agreement, please report it responsibly to security@beezifi.com. We acknowledge all reports within 2 business days and aim to resolve critical issues within 7 days. We do not pursue legal action against good-faith security researchers.

Contact Security Team

Beezifi Inc. Security Team
Email: security@beezifi.com
Privacy: privacy@beezifi.com

A
Agreement

Enterprise e-signature and document workflow platform by Beezifi Inc. ESIGN Act and UETA compliant.

Product

Features Pricing How it Works Templates

Legal

Privacy Policy Terms of Service GDPR Security

Developers

API Reference JavaScript SDK OpenAPI Spec Webhooks
ยฉ 2026 Beezifi Inc. All rights reserved. ESIGN Act ยท UETA ยท GDPR Ready ยท SOC 2 Type II