Compliance

DocuTrust is designed to meet the requirements of major electronic signature, healthcare, and data protection regulations. This page summarizes the standards we comply with and the specific measures implemented for each.

Compliance Matrix

Standard | Status | Coverage
ESIGN Act | Compliant | Electronic signatures legally binding in the United States
eIDAS | Compliant | Advanced electronic signatures for the European Union
UETA | Compliant | Uniform Electronic Transactions Act for US state-level compliance
HIPAA | Controls implemented | PHI encryption, BAA, audit trails, breach detection, access controls
SOC 2 Type II | Controls implemented | Security, availability, and confidentiality trust service criteria; formal audit not yet completed
GDPR | Compliant | Data encryption, consent management, and right to erasure

ESIGN Act

The Electronic Signatures in Global and National Commerce Act (ESIGN Act) is a US federal law that grants electronic signatures the same legal standing as handwritten signatures. DocuTrust satisfies ESIGN Act requirements through:
  • Intent to sign: Signers must take an affirmative action to place their signature (click, draw, or type). No signatures are applied automatically without explicit consent.
  • Consent to do business electronically: Signers are presented with a consent disclosure before beginning the signing process. Consent can be withdrawn.
  • Association of signature with record: Each signature is cryptographically bound to the specific document version, signer identity, timestamp, and IP address.
  • Record retention: Signed documents and their complete audit trails are retained and accessible for the legally required period.

eIDAS

The Electronic Identification, Authentication and Trust Services (eIDAS) regulation governs electronic signatures across European Union member states. DocuTrust implements Advanced Electronic Signatures (AdES) as defined by eIDAS Article 26:
  • Uniquely linked to the signatory: Each signature is associated with a specific submitter identified by email, name, and unique signing URL.
  • Capable of identifying the signatory: Signer identity is established by delivery of the signing link to the signer's email address, and can optionally be strengthened through additional identity verification steps.
  • Created using signature creation data under the sole control of the signatory: Only the intended recipient can access their unique signing URL (/s/SUBMITTER_SLUG). This control is only as strong as the signer's mailbox, so for documents where the AES level will be relied upon, enable the additional identity verification step.
  • Linked to the signed data such that any change is detectable: Documents are hashed at the time of signing, and any subsequent modification is detectable via the audit trail chain hash.

UETA

The Uniform Electronic Transactions Act (UETA) is a state-level law adopted by 49 US states (and the District of Columbia) that provides a legal framework for electronic transactions. DocuTrust’s UETA compliance mirrors its ESIGN Act compliance:
  • Electronic records and signatures are not denied legal effect solely because they are electronic.
  • Both parties consent to conduct the transaction electronically.
  • The electronic record is retainable and accurately reproducible.
  • Attribution of the electronic signature to the signer is established through the audit trail.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting sensitive patient health information (PHI). DocuTrust implements the following HIPAA safeguards:

Technical Safeguards

Requirement | Implementation
Encryption at rest | AES-256-GCM for all documents; Active Record Encryption for PII fields in the database.
Encryption in transit | TLS 1.2+ for all connections.
Access controls | Role-based access, unique user accounts, automatic session timeout (30 minutes).
Authentication | bcrypt password hashing, TOTP MFA with account-level enforcement, account lockout after 5 failed attempts.
Audit controls | Immutable audit entries with chain hashing, 7-year retention, 30+ event types covering all PHI access.
Integrity controls | SHA-256 chain hashing detects tampering. Document hashes are recorded at signing time.
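The chain hash that the eIDAS section relies on (documents hashed at signing, later modification detectable through the audit trail chain) and that the Integrity controls row above names is easier to reason about with a concrete implementation. The following is an added Ruby example, not DocuTrust's own code: entries are linked by SHA-256 over a canonical serialization of (sequence number, event, data, previous digest), the signing event stores the SHA-256 of the exact document bytes, and the verifier reports which entries no longer agree with their predecessor. The GENESIS anchor, the event names, the entry fields and the sample scenario are assumptions chosen for illustration.

```ruby
# Added example, not DocuTrust's code: an append-only audit trail linked by
# SHA-256 chain hashes, with the document hash recorded at signing time.
require 'digest'
require 'json'

class AuditTrail
  Entry = Struct.new(:seq, :event, :data, :prev_digest, :digest)

  GENESIS = '0' * 64 # assumed anchor used as prev_digest of the first entry

  attr_reader :entries

  def initialize
    @entries = []
  end

  # Canonical serialization: sorted keys, so the same entry always hashes
  # identically regardless of the order the data hash was built in.
  def self.digest_for(seq, event, data, prev_digest)
    canonical = JSON.generate('seq' => seq, 'event' => event,
                              'data' => data.sort.to_h, 'prev' => prev_digest)
    Digest::SHA256.hexdigest(canonical)
  end

  def append(event, data)
    prev = @entries.empty? ? GENESIS : @entries.last.digest
    seq = @entries.size
    entry = Entry.new(seq, event, data, prev, self.class.digest_for(seq, event, data, prev))
    @entries << entry
    entry
  end

  # The signing event binds signer, time and IP to the hash of the exact
  # bytes that were signed (the event name is an assumption).
  def record_signature(document_bytes, signer, ip, signed_at)
    append('submission.signed',
           'document_sha256' => Digest::SHA256.hexdigest(document_bytes),
           'signer' => signer, 'ip' => ip, 'timestamp' => signed_at)
  end

  # Walks the chain from the start. Returns [] when intact, otherwise the
  # sequence numbers of entries whose digest or prev link no longer matches.
  def verify
    @entries.each_with_index.filter_map do |e, i|
      expected_prev = i.zero? ? GENESIS : @entries[i - 1].digest
      recomputed = self.class.digest_for(e.seq, e.event, e.data, e.prev_digest)
      i if e.prev_digest != expected_prev || e.digest != recomputed
    end
  end

  # Compares the bytes on disk today with the hash captured when signed.
  def document_matches?(seq, document_bytes)
    @entries[seq].data['document_sha256'] == Digest::SHA256.hexdigest(document_bytes)
  end
end

# Constructed scenario: view, sign, then tamper with history in two ways.
def chain_hash_demo
  pdf = "%PDF-1.7 constructed sample document\n"
  trail = AuditTrail.new
  trail.append('submission.viewed', 'signer' => 'alice@example.com', 'ip' => '203.0.113.5')
  trail.record_signature(pdf, 'alice@example.com', '203.0.113.5', '2026-04-01T12:00:00Z')
  intact = trail.verify                                          # => []
  doc_ok = trail.document_matches?(1, pdf)                       # => true
  doc_altered = trail.document_matches?(1, pdf + "extra clause\n") # => false

  # 1. Edit a historical entry in place: its own digest no longer matches.
  first = trail.entries[0]
  first.data['signer'] = 'mallory@example.com'
  edited = trail.verify                                          # => [0]

  # 2. Re-stamp the edited entry's digest: the next entry's prev link breaks.
  first.digest = AuditTrail.digest_for(first.seq, first.event, first.data, first.prev_digest)
  restamped = trail.verify                                       # => [1]

  { intact: intact, doc_ok: doc_ok, doc_altered: doc_altered, edited: edited, restamped: restamped }
end
```

Editing an entry in place breaks its own digest; re-stamping that digest to hide the edit breaks the link from the following entry, so the verifier always reports the first entry that disagrees with its predecessor. A chain only protects against an attacker who cannot rewrite the whole table, so the latest digest is normally also anchored somewhere the database writer cannot reach, such as a write-once store or a timestamping service.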

Administrative Safeguards

Requirement | Implementation
Business Associate Agreement | BAA acceptance and tracking via API and admin UI.
Breach notification | Automated breach detection service with 24-hour notification commitment.
Workforce training | Account administrators can enforce MFA and password policies for all users. Training the workforce itself remains the customer's responsibility; DocuTrust supplies the technical enforcement.
Contingency planning | Encrypted backups, key rotation procedures, session invalidation during incidents.

Physical Safeguards

Requirement | Implementation
Facility access | Production infrastructure hosted on Railway with managed physical security.
Workstation security | Enforced via the customer's own IT policies; DocuTrust provides session timeout and MFA.
Device controls | API token scopes and IP allowlisting restrict which devices and networks can access the system.

SOC 2 Alignment

SOC 2 Type II is an auditing standard that evaluates a service organization's controls over the security, availability, and confidentiality of customer data, as operated over a period of time. DocuTrust has not completed a SOC 2 Type II audit; the controls below are aligned with the three applicable Trust Service Criteria and are maintained in preparation for a future audit. Until that audit is complete, customers who require an attested report should treat these items as self-reported rather than independently verified.

Security

  • Multi-factor authentication with account-level enforcement
  • Password complexity requirements (12+ characters, mixed case, numbers, special characters)
  • Account lockout after 5 failed login attempts
  • API token scoping and rate limiting (120 requests/minute)
  • IP allowlisting with CIDR support
  • Automated breach detection (privilege escalation, off-hours access, unusual login patterns)
  • Server-side session management with 30-minute timeout
  • SSRF protection on webhook delivery
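The breach-detection bullet above names three rule families (privilege escalation, off-hours access, unusual login patterns) without showing what a rule for each looks like. The following is an added Ruby example and is not DocuTrust's detection service: it implements one simple rule per family over a constructed batch of audit events. The event type names, the field layout, the business-hours window and the distinct-IP threshold are assumptions chosen for illustration; the failed-login threshold reuses the lockout count of 5 stated on this page.

```ruby
# Added example, not DocuTrust's detection service: one rule per family the
# page lists, run over a constructed batch of audit events.
require 'time'

module BreachDetector
  BUSINESS_HOURS = (8...18)  # assumption: 08:00-17:59 UTC counts as on-hours
  MAX_FAILED_LOGINS = 5      # same threshold as the account lockout on the page
  MAX_DISTINCT_IPS = 3       # assumption: more than 3 source IPs per user is unusual

  # Constructed events; the :type names and field layout are assumptions.
  SAMPLE_EVENTS = [
    { user: 'alice@example.com', type: 'login.succeeded', at: '2026-04-01T09:05:00Z', ip: '203.0.113.10', details: {} },
    { user: 'alice@example.com', type: 'document.viewed', at: '2026-04-01T09:06:00Z', ip: '203.0.113.10', details: { submission_id: 42 } },
    { user: 'bob@example.com',   type: 'document.viewed', at: '2026-04-01T23:40:00Z', ip: '198.51.100.7',  details: { submission_id: 42 } },
    { user: 'bob@example.com',   type: 'role.changed',    at: '2026-04-01T23:41:00Z', ip: '198.51.100.7',
      details: { target: 'bob@example.com', from: 'editor', to: 'admin' } },
    *Array.new(5) { |i| { user: 'carol@example.com', type: 'login.failed', at: "2026-04-01T10:0#{i}:00Z", ip: '192.0.2.44', details: {} } },
    *%w[203.0.113.1 198.51.100.2 192.0.2.3 203.0.113.4].each_with_index.map { |ip, i|
      { user: 'dave@example.com', type: 'login.succeeded', at: "2026-04-01T11:#{10 + i}:00Z", ip: ip, details: {} }
    }
  ].freeze

  def self.run(events)
    privilege_escalation(events) + off_hours_access(events) + unusual_logins(events)
  end

  # A user raising their own role to admin is always worth an alert.
  def self.privilege_escalation(events)
    events.select { |e| e[:type] == 'role.changed' && e[:details][:to] == 'admin' && e[:details][:target] == e[:user] }
          .map { |e| { rule: 'privilege_escalation', user: e[:user], at: e[:at] } }
  end

  # Document (PHI) access outside the business-hours window.
  def self.off_hours_access(events)
    events.select { |e| e[:type] == 'document.viewed' && !BUSINESS_HOURS.cover?(Time.iso8601(e[:at]).utc.hour) }
          .map { |e| { rule: 'off_hours_access', user: e[:user], at: e[:at] } }
  end

  # Per user: a burst of failed logins, or successful logins from many networks.
  def self.unusual_logins(events)
    events.group_by { |e| e[:user] }.flat_map do |user, evs|
      alerts = []
      failed = evs.count { |e| e[:type] == 'login.failed' }
      alerts << { rule: 'brute_force', user: user, count: failed } if failed >= MAX_FAILED_LOGINS
      ips = evs.select { |e| e[:type] == 'login.succeeded' }.map { |e| e[:ip] }.uniq
      alerts << { rule: 'many_source_ips', user: user, ips: ips } if ips.size > MAX_DISTINCT_IPS
      alerts
    end
  end
end
```

The self-escalation rule is deterministic and can page someone directly. The off-hours and many-IP rules are heuristics that will also fire on travel or shift work, so in practice they are baselined per account (what is normal for that user) rather than judged against one global window.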

Availability

  • Production deployment on Railway with managed infrastructure
  • Health monitoring and automated alerting
  • Graceful degradation when optional services (Redis, Sidekiq) are unavailable
  • Rate limiting protects against abuse and ensures fair resource allocation

Confidentiality

  • AES-256-GCM document encryption at rest
  • Active Record Encryption for all PII fields
  • TLS 1.2+ for all data in transit
  • Unique encryption keys for documents, database fields, and configuration
  • Key rotation support with zero downtime
  • Secure temporary file handling during document processing
  • 7-year audit trail retention with immutable storage

GDPR

The General Data Protection Regulation (GDPR) is the EU’s data protection framework governing the processing of personal data. DocuTrust supports GDPR compliance through:

Data Protection

GDPR Principle | Implementation
Lawfulness and consent | Signers provide explicit consent before signing. Consent records are stored in the audit trail.
Data minimization | Only data necessary for the signing process is collected. Templates define exactly which fields are required.
Storage limitation | Submissions can be configured with expiration dates. Expired submissions are flagged and can be purged.
Integrity and confidentiality | AES-256-GCM encryption at rest, TLS 1.2+ in transit, Active Record Encryption for PII.

Data Subject Rights

Right | How DocuTrust Supports It
Right to access | Submitters can access their signed documents via their signing URL. Administrators can export all data for a submitter.
Right to rectification | Submissions can be voided and re-sent with corrected information before completion.
Right to erasure | Account administrators can delete submissions, submitters, and associated documents. Audit entries are retained per legal obligation.
Right to data portability | Documents are available in standard PDF format. Submission data can be exported as JSON via the API.
Right to object | Submitters can decline to sign, which records the objection in the audit trail.

Data Processing Agreement

For EU customers who require a Data Processing Agreement (DPA) in addition to or in place of the BAA, contact DocuTrust support to request the current DPA version.

Electronic Signature Levels (QES / AES / SES)

DocuTrust supports three levels of electronic signatures as defined by the eIDAS regulation, allowing you to choose the appropriate level of assurance for each use case.

Signature Levels

Level | Name | Legal Standing | Identity Verification | Use Cases
SES | Simple Electronic Signature | Legally valid under ESIGN/UETA; lowest eIDAS tier | Email delivery to unique signing URL | Internal documents, low-risk agreements, acknowledgments
AES | Advanced Electronic Signature | Meets eIDAS Article 26 requirements | Email + additional identity verification (SMS OTP, KBA) | Commercial contracts, employment agreements, financial documents
QES | Qualified Electronic Signature | Equivalent to a handwritten signature under eIDAS Article 25(2) | Identity verified by a Qualified Trust Service Provider (QTSP) via video identification or eID | Regulated industries, cross-border EU transactions, government filings, notarized documents

eIDAS Compliance

  • SES: Admissible as evidence in court but does not carry a presumption of validity. The burden of proof rests on the party relying on the signature.
  • AES: Satisfies all four requirements of eIDAS Article 26 (uniquely linked to signatory, capable of identifying signatory, under sole control, linked to data). Provides stronger evidentiary weight than SES.
  • QES: Created by a qualified electronic signature creation device (QSCD) and based on a qualified certificate. Under eIDAS Article 25(2), a QES has the equivalent legal effect of a handwritten signature and is recognized across all EU member states.

Configuration

Configure the default signature level for your account via the API.

Get Current Signature Level

curl -X GET "https://spitshake.io/api/settings/signature_level" \
  -H "X-Auth-Token: YOUR_API_TOKEN"

Response:

{
  "signature_level": "ses",
  "available_levels": ["ses", "aes", "qes"],
  "aes_identity_methods": ["sms_otp", "kba"],
  "qes_provider": "qualified_trust_service",
  "qes_verification_methods": ["video_identification", "eid"],
  "account_id": 1,
  "updated_at": "2026-04-01T12:00:00.000Z"
}

Update Signature Level

curl -X PUT "https://spitshake.io/api/settings/signature_level" \
  -H "X-Auth-Token: YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "signature_level": "aes"
  }'

Response:

{
  "signature_level": "aes",
  "available_levels": ["ses", "aes", "qes"],
  "aes_identity_methods": ["sms_otp", "kba"],
  "qes_provider": "qualified_trust_service",
  "qes_verification_methods": ["video_identification", "eid"],
  "account_id": 1,
  "updated_at": "2026-04-09T10:30:00.000Z"
}

Pricing

Level | Cost per Signature | Includes
SES (Simple) | Free | Email-based signing, audit trail, document hashing
AES (Advanced) | $0.20 | SES features + SMS OTP or KBA identity verification
QES (Qualified) | $2.00 | AES features + QTSP video identification or eID verification, qualified certificate issuance

AES and QES costs are billed per individual signature, not per submission. A submission with 3 signers using AES would cost $0.60 total. SES signatures are always free regardless of volume.