Compliance & Certifications

Compliance you can verify, not just take our word for.

SalesSign is a Salesforce-native proposal and eSignature platform. This page sets out SalesSign’s approach to eSignature compliance, from data-protection law to standards such as ISO/IEC 27001, and states exactly where we stand on security reviews, data-protection law and eSignature validity — what is in place today, what is in progress, and how your security, legal and procurement teams can request the evidence they need.

Where We Stand

The three questions reviewers ask first.

Procurement and InfoSec teams want clear answers, not marketing. Here are the headline ones, stated plainly.

AppExchange Security Review

SalesSign is currently undergoing Salesforce’s AppExchange Security Review. We will publish the listing and outcome here once the process completes. We do not claim to have passed or been certified ahead of that.

SOC 2 & ISO 27001

Independent certification status and roadmap: SOC 2 Type II and ISO 27001 are on our roadmap, targeted for January 2027. We would rather state this honestly than imply a certification we do not yet hold.

Data-protection law

We design SalesSign to align with the UK GDPR and EU GDPR, and with the CCPA as amended by the CPRA for California. Our processor commitments are set out in our Data Processing Agreement.

How SalesSign fits your compliance model

SalesSign is built natively on the Salesforce platform: you build, send, track and eSign proposals without leaving Salesforce. That architecture shapes our compliance position in one important way — the documents you create and the CRM records they relate to live inside your own Salesforce org, under your own Salesforce agreement and your own administrative controls. SalesSign acts as a processor of the personal data you instruct us to handle in the course of providing the service.

The SalesSign web application and the salessign.io marketing website are operated as separate systems. We set out our infrastructure, hosting regions, encryption and access controls in full on the Trust Centre, and we name our sub-processors on the Sub-processors page.

Note — This page describes our overall compliance posture for evaluation purposes. The binding commitments live in our contractual documents — primarily the Data Processing Agreement and the terms referenced from it. Where a contract and this page differ, the contract governs.

Salesforce AppExchange Security Review

The AppExchange Security Review is Salesforce’s mandatory assessment of partner applications against Salesforce’s published security requirements, including checks aligned to OWASP guidance. SalesSign is currently undergoing Salesforce’s AppExchange Security Review.

What that means in practice for an evaluating team:

  • We do not describe SalesSign as “AppExchange-certified”, “approved” or “passed” until the review is complete and the listing is live.
  • SalesSign installs into your org under a least-privilege permission-set model, so your administrators control who can use it.
  • Once the review completes, we will link the AppExchange listing and summarise the review scope from this page.

Current AppExchange listing status: undergoing Salesforce’s AppExchange Security Review; no listing is live yet.

SOC 2 and ISO 27001

SOC 2 (a SOC 2 Type II attestation reported under the AICPA Trust Services Criteria) and ISO/IEC 27001 (certification of an Information Security Management System) are the two independent assurances enterprise buyers most often ask for. We are committed to maintaining controls aligned to these frameworks and to being transparent about where we are on the journey to formal attestation and certification.

Current status and roadmap: SOC 2 Type II and ISO 27001 are on our roadmap, targeted for January 2027.

Note — Until a SOC 2 report or ISO 27001 certificate is available, we will not imply that one exists. When it is available, we will describe how to request it under NDA — see “Requesting reports” below.

GDPR and UK GDPR

SalesSign is designed to support customers subject to the EU General Data Protection Regulation and the UK GDPR (as retained in UK law alongside the Data Protection Act 2018).

  • Roles. For the personal data within the documents and CRM records you process using SalesSign, you are the controller and SalesSign is your processor. We process that data only on your documented instructions.
  • Article 28 terms. Our processor obligations — including confidentiality, security measures, sub-processor terms, assistance with data-subject requests, and deletion or return of data on termination — are set out in our Data Processing Agreement.
  • Sub-processors. The vendors we engage to help deliver the service, with their purpose and processing location, are listed on the Sub-processors page, with a mechanism to be notified of changes.
  • International transfers. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, as detailed in the DPA.
  • Data-subject rights. Because the data sits in your Salesforce org and our application, we support you in responding to access, rectification, erasure, restriction and portability requests.

Data-protection contact: our Data Protection Officer, Alex Burrell (alexburrell@salessign.io).

CCPA and CPRA

For customers and end users in California, SalesSign is designed to align with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

  • When we process personal information to provide the service to you, we act as a service provider under the CCPA/CPRA, using that information only for the business purposes set out in our agreement.
  • We do not “sell” or “share” (as those terms are defined under the CPRA) the personal information you process through SalesSign.
  • We support you in meeting your obligations to honour consumer rights, including requests to know, delete, correct, and limit the use of sensitive personal information.

Detailed disclosures, including our handling of “Do Not Sell or Share” signals on the marketing site, are covered in our consumer-facing privacy documentation.

eSignature legal compliance

Signatures captured through SalesSign are designed to be legally valid electronic signatures under the principal frameworks our customers operate in:

  • United States — ESIGN & UETA. SalesSign eSignatures are intended to meet the requirements of the federal Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA) as adopted by US states, including intent to sign, consent to do business electronically, association of the signature with the record, and record retention.
  • EU — eIDAS. SalesSign supports electronic signatures consistent with Regulation (EU) No 910/2014 (eIDAS), capturing the evidence needed to demonstrate the identity of the signer and the integrity of the signed document.
  • UK — Electronic Communications Act 2000 & UK eIDAS. In the UK, our eSignatures are designed to align with the Electronic Communications Act 2000 and the retained UK eIDAS regime.

Each completed signature is backed by a tamper-evident audit trail recording the signer, the actions taken, and timestamps — the evidence a court or counterparty expects when the validity of an agreement is questioned. We do not provide legal advice; whether a particular document may be signed electronically can depend on your jurisdiction and document type, so we recommend confirming with your own counsel for regulated or high-value agreements.

Requesting reports, questionnaires and evidence

We aim to make security and compliance review fast. Public artifacts — this page, the Trust Centre, the DPA and the Sub-processors list — are available without contacting us. Documents that contain sensitive detail are available to evaluating and existing customers under a mutual non-disclosure agreement.

Available on request, under NDA where indicated:

Artifact                                                  Availability
This Compliance & Certifications page                     Public
Trust Centre (architecture, encryption, access controls)  Public — see /security/
Data Processing Agreement (DPA)                           Public — see /legal/dpa/
Sub-processor list                                        Public — see /legal/subprocessors/
SOC 2 report / ISO 27001 certificate                      Available under NDA on request, once attested
Penetration-test summary                                  Available under NDA on request
Completed security questionnaire (e.g. CAIQ / SIG)        Available under NDA on request

To request any of the above, or to send your own security questionnaire, contact admin@salessign.io or ask during your demo. We will respond with the relevant documents and, where needed, an NDA to put in place first.

Last updated: 3 June 2026

FAQ

Frequently asked questions.

Has SalesSign passed the Salesforce AppExchange Security Review?

SalesSign is currently undergoing Salesforce’s AppExchange Security Review. We do not describe the app as certified, approved or passed until the review is complete and the listing is live, at which point we will link it from this page.

Do you have SOC 2 or ISO 27001?

We maintain controls aligned to these frameworks and are transparent about where we are on the path to formal attestation and certification. The current status and any roadmap dates are noted above. Where a report or certificate exists, it is available to evaluating customers under NDA.

Is SalesSign GDPR and UK GDPR compliant?

SalesSign is designed to support customers subject to the EU and UK GDPR. For the personal data you process using SalesSign you are the controller and we are your processor; our Article 28 obligations are set out in our Data Processing Agreement, and our sub-processors are listed on the Sub-processors page.

Are signatures captured through SalesSign legally binding?

SalesSign eSignatures are designed to be valid electronic signatures under ESIGN and UETA in the US, eIDAS in the EU, and the Electronic Communications Act 2000 with retained UK eIDAS in the UK. Each signature is backed by a tamper-evident audit trail. We do not provide legal advice, so for regulated or high-value documents we recommend confirming with your own counsel.

Where is our data stored, and who can access it?

The documents you create and the CRM records they relate to live inside your own Salesforce org, under your own controls. The SalesSign web application and the salessign.io marketing site are operated as separate systems. Full detail on hosting, regions, encryption and access control is on the Trust Centre.

How do we request a security questionnaire or evidence pack?

Public artifacts are linked from this page. For a completed CAIQ/SIG questionnaire, a penetration-test summary, or to send us your own questionnaire, contact our security team or raise it during your demo. We will share the relevant documents under a mutual NDA where the content is sensitive.

Ready When You Are

Send us your security questionnaire.

Bring your DPA, your questionnaire and your requirements. We will give you straight answers and the documents to back them up — and show you SalesSign running natively in Salesforce at £19 per user / month.