Compliance Framework
One Sign Pte. Ltd. is committed to maintaining the highest standards of data protection and compliance with applicable regulations in Singapore and internationally.
🇸🇬 PDPA (Singapore)
We comply with the Personal Data Protection Act 2012, which governs the collection, use, and disclosure of personal data.
🇪🇺 GDPR (EU)
Our practices align with GDPR principles for customers in the European Economic Area, including data minimization and the right to erasure.
🔐 eIDAS
Our signing processes are compatible with eIDAS regulation standards for electronic signatures and trust services.
📋 ISO 27001
Our security practices follow ISO 27001 information security management principles.
Data Processing Principles
- Zero-Knowledge Signing: We never access, read, or store the contents of documents being signed. Files are processed in memory and immediately discarded after signing.
- Data Minimization: We only collect data necessary for providing our services and billing.
- Purpose Limitation: Personal data is used only for the purposes stated in our Privacy Policy.
- Storage Limitation: Data is retained only for as long as necessary for business and legal purposes.
- Security by Design: Security is built into every aspect of our platform, from architecture to deployment.
Cryptographic Standards
- RSA 2048/4096-bit and ECDSA P-256/P-384 key support
- SHA-256, SHA-384, SHA-512 digest algorithms
- FIPS 140-2 Level 2 certified hardware tokens (YubiKey 5 FIPS)
- RFC 3161-compliant timestamping
- PKCS#11 and Microsoft CNG/CSP key storage
Physical Security (Cloud Service)
- Hardware tokens stored in access-controlled, monitored facilities
- Multi-factor authentication for all administrative access
- 24/7 monitoring and intrusion detection
- Regular security audits and penetration testing
- Disaster recovery and backup procedures
Data Transfer
For international data transfers, we ensure appropriate safeguards are in place, including:
- TLS 1.2+ encryption for all data in transit
- Cloudflare Tunnel for secure remote access without exposing ports
- Data processing agreements with sub-processors
Incident Response
In the event of a data breach, we will:
- Notify affected customers within 72 hours
- Report to the Personal Data Protection Commission (PDPC) as required
- Take immediate remedial action to contain and resolve the breach
- Provide a full incident report and corrective measures
Data Protection Officer
For compliance inquiries, data access requests, or to report a concern:
Email: dpo@onesign.sg
Address: One Sign Pte. Ltd., 10 Anson Road #22-02, International Plaza, Singapore 079903