EU General Data Protection Regulation (2016/679)
Data Protection by Design and Default (Art. 25) — privacy is built into every feature from the start.
Right to Erasure (Art. 17) — users can permanently delete their account and all associated data with one click.
Right to Data Portability (Art. 20) — full JSON export of all your data available in Settings.
Data Processing Agreement (Art. 28) — standard DPA available on our DPA page.
Consent Management — cookie consent banner with explicit opt-in, no tracking cookies used.
Data Minimization — we only collect what's necessary to deliver the service.
Breach Notification (Art. 33/34) — committed to notifying affected users within 72 hours.
EU Electronic Identification and Trust Services Regulation (910/2014)
Simple Electronic Signatures (SES) — legally valid for commercial transactions across the EU under Art. 25.1.
Signer Identity Verification — email verification with 6-digit code before signing.
Document Integrity — SHA-256 hash of document content, stored with the signature to prove the document was not altered.
Complete Audit Trail — every event (created, viewed, consent given, signed) is logged with timestamp, IP address, and user agent.
Consent Text — exact consent text shown and agreed to by the signer is permanently recorded.
Certificate of Completion — downloadable PDF with full legal certificate, hash verification, and audit trail.
Note: Proposly provides Simple Electronic Signatures (SES), not Advanced (AES) or Qualified Electronic Signatures (QES). SES are legally valid and admissible as evidence for the majority of commercial, B2B, and freelance contracts under EU law.
Industry-standard encryption for data in transit and at rest
TLS 1.2+ enforced on all connections — all data transmitted between your browser and our servers is encrypted.
HSTS (HTTP Strict Transport Security) — browsers are instructed to only connect via HTTPS, with preload directive.
AES-256 encryption at rest — all data stored in Supabase PostgreSQL is encrypted using AES-256.
Row Level Security (RLS) — database-level access control ensures users can only access their own data.
Defense-in-depth security measures aligned with ISO 27001 technical controls
Content Security Policy (CSP) — strict CSP headers prevent XSS attacks and unauthorized script execution.
X-Frame-Options: DENY — prevents clickjacking by blocking iframe embedding.
X-Content-Type-Options: nosniff — prevents MIME type sniffing attacks.
Referrer-Policy: strict-origin-when-cross-origin — controls information shared in HTTP referrer headers.
Permissions-Policy — camera, microphone, and geolocation are disabled by default.
Rate Limiting — in-memory rate limiting on all API endpoints to prevent brute force attacks.
Input Validation — all user inputs are validated and sanitized before processing.
All infrastructure providers are SOC 2 Type II certified
Vercel (Hosting) — SOC 2 Type II certified, automatic DDoS protection, edge network.
Supabase (Database) — SOC 2 Type II certified, hosted on AWS with AES-256 encryption.
Resend (Email) — SOC 2 Type II certified email delivery service.
No data stored locally — all data is securely stored in cloud infrastructure with automated backups.
While our technical controls align with ISO 27001 Annex A requirements, formal ISO 27001 and ISO 9001 certification requires organizational processes and external auditors. These certifications are on our roadmap as we scale.
If you discover a security vulnerability or have compliance questions, contact us at hello@proposly.tech. We aim to respond within 24 hours.