1. Regulatory Framework
Sign Zone operates under and complies with the following Indian regulatory frameworks:
- Information Technology Act, 2000 — provides legal recognition for electronic signatures and records
- Digital Personal Data Protection Act, 2023 — governs the processing of personal data
- Consumer Protection Act, 2019 — consumer rights and dispute resolution
- Indian Contract Act, 1872 — validity of contracts
- Indian Evidence Act, 1872 (as amended) — admissibility of electronic records in court
- Central Goods & Services Tax Act, 2017 — tax invoicing for our paid services
2. IT Act 2000 — Section 3A Compliance
Section 3A of the IT Act, 2000 (as amended by the IT Amendment Act, 2008) gives electronic signatures the same legal validity as handwritten signatures. For a signature to be valid under Section 3A, it must:
| Requirement | How Sign Zone Meets It |
|---|---|
| Be uniquely linked to the signatory | Each signer receives a unique tokenised email link. OTP verification ties the action to the signer’s verified email. |
| Be capable of identifying the signatory | The audit trail records signer name, email, IP address, user agent, and timestamp for every signature event. |
| Be created in a manner under the signatory’s control | Signers must actively choose a signing method (OTP, draw, upload) and explicitly confirm. No automated signing. |
| Be linked to the signed data so any subsequent change is detectable | SHA-256 cryptographic hash of the document is generated at the moment of signing. Any subsequent modification breaks the hash, making tampering detectable. |
3. DPDP Act 2023 Compliance
The Digital Personal Data Protection Act, 2023 is India’s primary data protection law. Sign Zone is built to meet its requirements as a Data Fiduciary:
3.1 Lawful Processing
We process personal data only for specific, lawful purposes — primarily on the legal basis of consent and contract.
3.2 Notice & Transparency
Our Privacy Policy provides clear, accessible information about data we collect, how we use it, and your rights.
3.3 Data Principal Rights
You can exercise the following rights by emailing info@kredo.in:
- Access your personal data
- Correct inaccurate or incomplete data
- Erase your data (subject to legal retention)
- Export your data in a structured format (right to portability)
- Withdraw consent
- Nominate another individual to act on your behalf
- File a grievance with our Grievance Officer
3.4 Breach Notification
In the event of a personal data breach, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware, as required.
4. Security Architecture
4.1 Encryption in Transit
All communication between users and Sign Zone uses HTTPS (TLS), enforced site-wide. TLS certificates are issued by recognised certificate authorities.
4.2 Storage & Hosting Security
Documents and database records are stored on managed hosting infrastructure with server-level access controls. Our hosting provider operates infrastructure that is physically secured in a commercial data centre in the Mumbai region of India. Backups are encrypted in transit.
4.3 Password Storage
User passwords are stored as one-way cryptographic hashes (PHP’s password_hash() with default algorithm, currently bcrypt). We never see or store plaintext passwords.
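The following is an added example, not Sign Zone's own code, showing the storage scheme 4.3 describes: PHP's password_hash() with PASSWORD_DEFAULT (bcrypt at present), verification with password_verify(), and the transparent upgrade of older records via password_needs_rehash(). The cost factor of 12 and the sample passwords are assumptions for the demonstration, not values stated on this page.

```php
<?php
declare(strict_types=1);
// Added example (not Sign Zone's code): one-way password storage with PHP's
// password_hash()/password_verify(). BCRYPT_COST = 12 is an assumed tuning value.

const BCRYPT_COST = 12;

function hashForStorage(string $plaintext): string
{
    // bcrypt draws its own random salt and embeds algorithm, cost and salt in the
    // returned string, so only that string needs to be stored.
    // Caveat: bcrypt uses only the first 72 bytes of the input.
    return password_hash($plaintext, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
}

function verifyLogin(string $plaintext, string $storedHash): bool
{
    // password_verify() parses the stored string and compares in constant time.
    return password_verify($plaintext, $storedHash);
}

function upgradedHashIfStale(string $plaintext, string $storedHash): ?string
{
    // Call only after a successful verifyLogin(): if the record was made with an
    // older algorithm or a lower cost, return a fresh hash to write back; else null.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        return hashForStorage($plaintext);
    }
    return null;
}

// Constructed demo values.
$stored = hashForStorage('correct horse battery staple');
var_dump(str_starts_with($stored, '$2y$'));                   // bcrypt identifier prefix
var_dump(verifyLogin('correct horse battery staple', $stored));
var_dump(verifyLogin('wrong password', $stored));

// A legacy record created at a lower cost is upgraded on the next successful login.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
if (verifyLogin('correct horse battery staple', $legacy)) {
    $fresh = upgradedHashIfStale('correct horse battery staple', $legacy);
    var_dump($fresh !== null);
}
```

Because the algorithm and cost travel inside the stored string, raising the cost later (or moving to a different PASSWORD_* algorithm) requires no migration: existing records keep verifying, and each is rewritten the next time its owner logs in.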
4.4 SHA-256 Document Integrity
Every signed document has a SHA-256 cryptographic hash generated at the moment of completion. This hash is included in the audit trail certificate appended to the final PDF, stored in our database, and used to detect any post-signing tampering.
4.5 Network & Application Security
- Parameterised database queries to prevent SQL injection
- Output escaping to prevent XSS
- CSRF protection on state-changing operations
- Rate limiting on authentication endpoints
- Strong session management with timeout on inactivity
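The following is an added example, not Sign Zone's own code, illustrating the controls listed in 4.5 together with the random session tokens and inactivity timeout from 6.2: a parameterised query through PDO, HTML output escaping, and CSRF-token generation and validation. The in-memory SQLite database, table layout, 30-minute idle limit and sample inputs are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example (not Sign Zone's code). SQLite in memory stands in for the real
// database; the documents table and its rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_email TEXT, title TEXT)');
$pdo->exec("INSERT INTO documents (owner_email, title)
            VALUES ('alice@example.com', 'NDA'), ('bob@example.com', 'Lease')");

// --- Parameterised query: the value is bound, never spliced into the SQL text ---
function documentsForOwner(PDO $pdo, string $ownerEmail): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM documents WHERE owner_email = :owner');
    $stmt->execute([':owner' => $ownerEmail]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Quote characters in the input are treated as data, so this matches no row.
echo count(documentsForOwner($pdo, "x' OR '1'='1")), " rows for hostile input\n";
echo count(documentsForOwner($pdo, 'alice@example.com')), " rows for alice\n";

// --- Output escaping: encode on the way out, in the context where it is rendered ---
function escapeForHtml(string $value): string
{
    // ENT_QUOTES covers both quote styles so the result is safe inside attributes too.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$signerName = '<b>Bob</b> "Signer" <script>alert(1)</script>'; // constructed untrusted input
echo '<p>Signer: ' . escapeForHtml($signerName) . "</p>\n";

// --- Random tokens: same CSPRNG source for session ids and CSRF tokens ---
function newToken(): string
{
    // 256 bits from random_bytes(), hex-encoded for transport.
    return bin2hex(random_bytes(32));
}

function csrfTokenValid(array $session, array $post): bool
{
    // Fail closed on a missing or non-string token; hash_equals() is constant-time.
    if (!isset($session['csrf_token'], $post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

function sessionExpired(int $lastActivity, int $now, int $idleLimitSeconds = 1800): bool
{
    // Inactivity timeout; 1800 s is an assumed value.
    return ($now - $lastActivity) > $idleLimitSeconds;
}

$session  = ['id' => newToken(), 'csrf_token' => newToken()]; // normally $_SESSION
$goodPost = ['csrf_token' => $session['csrf_token']];
$badPost  = ['csrf_token' => newToken()];                     // token from another session
var_dump(csrfTokenValid($session, $goodPost));
var_dump(csrfTokenValid($session, $badPost));
var_dump(sessionExpired(time() - 3600, time()));
```

The CSRF check belongs on every state-changing request (send, sign, reject, cancel), not on reads, and the comparison uses hash_equals() rather than `==` so that timing does not leak how many leading bytes matched.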
5. Audit Trail Standards
Sign Zone maintains a tamper-evident audit trail for every document. The audit certificate auto-appended to each signed PDF includes:
- Document identifier and SHA-256 hash
- Initiator information: name, email, IP, timestamp
- Each signer: name, email, IP address, user agent, signing method, viewed timestamp, signed timestamp
- Every action: viewed, signed, rejected, downloaded, cancelled
- OTP verification log (where OTP method was used)
- Final document state and integrity hash
This audit trail is designed to meet the evidentiary requirements of Section 65B of the Indian Evidence Act, 1872.
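The following is an added example, not Sign Zone's own code, covering the SHA-256 integrity requirement from the Section 2 table and 4.4 together with the audit-record fields listed in Section 5: the hash is computed over the final document bytes, stored alongside an audit record, and later recomputed to detect modification. Function names, field names, the document identifier and all sample events are constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example (not Sign Zone's code): SHA-256 document fingerprint plus an audit
// record carrying the fields Section 5 lists. All names and sample data are constructed.

function documentFingerprint(string $pdfBytes): string
{
    // Hex SHA-256 of the exact final bytes; this is what gets stored and printed.
    return hash('sha256', $pdfBytes);
}

function buildAuditRecord(string $documentId, string $pdfBytes, array $events): array
{
    return [
        'document_id' => $documentId,
        'sha256'      => documentFingerprint($pdfBytes),
        // each event: actor, email, ip, user_agent, action, method, timestamp
        'events'      => $events,
        'final_state' => 'completed',
    ];
}

function verifyIntegrity(string $pdfBytes, string $recordedSha256): bool
{
    // Recompute over the bytes presented and compare in constant time.
    return hash_equals($recordedSha256, documentFingerprint($pdfBytes));
}

// Constructed sample: the "PDF" is just bytes; a real file is handled identically.
$signedPdf = "%PDF-1.7\n... signed agreement ...\n%%EOF";
$record = buildAuditRecord('DOC-0001', $signedPdf, [
    ['actor' => 'Alice Initiator', 'email' => 'alice@example.com', 'ip' => '203.0.113.10',
     'user_agent' => 'Mozilla/5.0', 'action' => 'sent',   'method' => null,
     'timestamp' => '2024-01-15T09:00:00+05:30'],
    ['actor' => 'Bob Signer',      'email' => 'bob@example.com',   'ip' => '198.51.100.7',
     'user_agent' => 'Mozilla/5.0', 'action' => 'viewed', 'method' => null,
     'timestamp' => '2024-01-15T09:05:12+05:30'],
    ['actor' => 'Bob Signer',      'email' => 'bob@example.com',   'ip' => '198.51.100.7',
     'user_agent' => 'Mozilla/5.0', 'action' => 'signed', 'method' => 'otp',
     'timestamp' => '2024-01-15T09:06:40+05:30'],
]);

// The untouched copy verifies; a one-byte change anywhere in the file does not.
var_dump(verifyIntegrity($signedPdf, $record['sha256']));
$tampered = str_replace('signed agreement', 'signed agreemenT', $signedPdf);
var_dump(verifyIntegrity($tampered, $record['sha256']));

// What the certificate page and the database row would carry.
echo json_encode($record, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Two practical points follow from this design. The hash can only cover the bytes that existed before the certificate page was appended, so verification must be run over that same byte range, not over the combined file. And the hash detects changes to the document, not to the stored hash itself; the database copy is the reference value, so write access to that table must be restricted and logged (as 6.3 describes for internal access).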
6. Access Controls
6.1 Role-Based Access Control (RBAC)
| Role | Permissions |
|---|---|
| Super Admin | Full system access, user management, billing |
| Admin | Team management, document oversight, billing |
| User / Initiator | Create and send documents, view own documents |
| Signer | Sign documents via secure link — no account required |
6.2 Authentication
- Password complexity requirements enforced
- Cryptographically random session tokens
- Session timeout after inactivity
- OTP for signer email verification
6.3 Internal Access
Our team accesses user data only on a strict need-to-know basis — for support, troubleshooting, or legal compliance. All internal access is logged.
7. Data Storage & Residency
Sign Zone’s primary infrastructure is hosted in India (Mumbai region):
- Application servers
- Database
- Document storage
- Backups
Our email subprocessor (Gmail SMTP, operated by Google LLC) may relay transactional emails through servers located in the United States. This is the only cross-border data flow in our current setup.
The payment subprocessor (Razorpay) operates from India and stores payment data within India.
8. Subprocessors
The full current list of subprocessors:
| Subprocessor | Operator | Purpose | Region |
|---|---|---|---|
| Web hosting | cPanel managed hosting | Application, database, document storage | India (Mumbai) |
| Email (SMTP) | Google LLC (Gmail SMTP) | Transactional email delivery | United States |
| Payment gateway | Razorpay Software Pvt. Ltd. | Wallet top-ups and per-document billing | India |
8.1 Subprocessor Change Notice
If we add a new subprocessor that processes personal data, we will update this list. Material changes (e.g. adding an analytics processor) will be notified to users via in-app banner or email before activation, with an opportunity to object via your DPDP rights.
For the most up-to-date list, contact info@kredo.in.
9. AI / Machine-Learning Practices
- We do not feed your documents into AI training pipelines
- We do not share your documents or signatures with any AI / ML vendor
- We do not use signature data to train signature-recognition or biometric models
- Our subprocessors are contractually prohibited from using your data for AI training
If you opt in to analytics cookies (when activated in future), we may use aggregate, anonymised, non-identifying feature-usage data only. Document content is never used for any AI/ML purpose, regardless of consent.
See Privacy Policy §4 for the full statement.
10. Incident Response
Our incident response process for security events:
- Detection & triage — identify scope and severity
- Containment — stop the incident and prevent expansion
- Investigation — determine root cause and impact
- Notification — notify the Data Protection Board of India and affected users within 72 hours (where applicable under DPDP Act)
- Remediation — fix the underlying issue and prevent recurrence
- Post-mortem — document learnings and update controls
11. Business Continuity
We aim for high availability and resilience:
- Backups: regular automated backups of the database and document storage, retained with encryption
- Recovery: documented recovery procedures for major outages
- Maintenance windows: planned maintenance is communicated in advance where possible
- Force majeure: events outside reasonable control (internet outages, natural disasters, third-party service failures) may cause temporary disruption
Enterprise customers can request our Business Continuity Plan summary via info@kredo.in.
12. Responsible Disclosure
If you discover a security vulnerability in Sign Zone, please report it responsibly to info@kredo.in with the subject “Security Disclosure”. Include:
- A clear description of the issue
- Steps to reproduce
- Potential impact
We commit to:
- Acknowledging your report within 3 business days
- Providing a resolution timeline based on severity
- Crediting you (with your permission) in a security acknowledgements list once we have a public one
- Not pursuing legal action against good-faith researchers who follow this process
A formal bug bounty programme is under consideration for future launch.
13. Document-Specific Compliance
13.1 Stamp Duty
You are responsible for compliance with applicable stamp duty laws for documents that require stamping. Our e-stamp paper integration is currently under development and not yet generally available. When launched, it will support select Indian states. We will not promise specific state coverage or timelines until the feature is live.
13.2 Documents Requiring Physical Signature
Certain documents under Indian law cannot be signed electronically (see Terms §10 for the list). You are responsible for determining whether electronic signing is permissible for your use case.
13.3 Industry-Specific Compliance
Industries with specific compliance requirements (financial services, healthcare, etc.) may have additional obligations. We can assist with compliance discussions for Enterprise customers — contact sales.
14. Certifications Roadmap
We are evaluating, as the platform matures:
- ISO 27001 — Information Security Management
- SOC 2 Type II — Service Organization Controls
- Annual third-party security audits
Enterprise customers requiring formal certifications today should evaluate this gap and contact us to discuss arrangements (e.g. customer-funded audits, contractual commitments).
15. Contact
For security or compliance questions:
- General: info@kredo.in
- Security disclosures: info@kredo.in (subject: “Security Disclosure”)
- Grievance Officer: info@kredo.in (see Privacy Policy §15)
See also our Privacy Policy and Terms & Conditions.