Security at every layer

Built from the ground up with Fortune 500 security standards. Your documents deserve nothing less.

AES-256 · HIPAA Ready · ESIGN · UETA · eIDAS · GDPR · Bitcoin Anchored · Polygon Anchored · Open Spec

Encryption

At Rest

All documents encrypted with AES-256 server-side encryption in AWS S3. Encryption keys managed through AWS Key Management Service.

In Transit

TLS 1.2+ enforced on all connections. HSTS headers with preload prevent downgrade attacks.

Client-Side (Enterprise)

Optional zero-knowledge encryption. Documents encrypted in your browser before upload. We never see the plaintext.

Authentication

Passwords

Hashed with bcrypt at cost factor 12. Minimum 10 characters with complexity requirements (uppercase, lowercase, number, special character).

Tokens

Short-lived JWT access tokens (15 minutes) with secure HttpOnly refresh cookies (7 days). SameSite=Strict prevents CSRF.

Account Protection

Automatic lockout after 5 failed attempts (15 min). Two-factor authentication available. Session timeout after 30 minutes of inactivity.

Document Integrity

SHA-256 Hash Chain

Every document gets a cryptographic hash at upload. Every subsequent action (view, sign, complete) extends the chain. Tampering breaks the chain.

Bitcoin Anchor (OpenTimestamps)

Every signed document — every plan tier, free included — has its Merkle root timestamped to Bitcoin via the OpenTimestamps protocol. The .ots proof file can be verified offline against any public Bitcoin node, indefinitely.

Polygon Anchor (Pro+)

Professional and Enterprise tier documents are also anchored directly to the ZdottedlineAnchor smart contract on Polygon, which provides an instant transaction hash and EVM-friendly verification via any public RPC.

Open Verification Spec

Full data formats and verification procedure are published at github.com/zdottedline/zdl-verify. The reference CLI is open source (MIT-licensed). Anyone can audit, fork, or reimplement.

Merkle Tree Audit

All events hash into a Merkle tree. Any modification to any record invalidates the root. Third-party auditors verify independently — without zdottedline in the loop.
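
An added example (not code from Zdottedline or the zdl-verify spec) showing how a SHA-256 hash chain and Merkle root of the kind described above detect tampering. The record layout, JSON encoding, leaf/node prefixes and sample events are assumptions made for illustration; the real data formats are the ones in the published spec.

```python
import hashlib
import json

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def encode(event: dict) -> bytes:
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()  # canonical form

def build_chain(document: bytes, events: list) -> list:
    """Start at the document hash; each entry commits to the previous link."""
    prev, chain = h(document), []
    for ev in events:
        link = h(prev + encode(ev))
        chain.append({"event": ev, "prev": prev.hex(), "hash": link.hex()})
        prev = link
    return chain

def verify_chain(document: bytes, chain: list) -> int:
    """Return -1 if every link recomputes, else the index of the first bad entry."""
    prev = h(document)
    for i, entry in enumerate(chain):
        link = h(prev + encode(entry["event"]))
        if entry["prev"] != prev.hex() or entry["hash"] != link.hex():
            return i
        prev = link
    return -1

def merkle_root(chain: list) -> str:
    """Root over the link hashes; 0x00/0x01 prefixes separate leaves from interior nodes."""
    level = [h(b"\x00" + bytes.fromhex(e["hash"])) for e in chain] or [h(b"")]
    while len(level) > 1:
        nxt = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        level = nxt + level[-1:] if len(level) % 2 else nxt  # promote an unpaired node
    return level[0].hex()

def audit(document: bytes, chain: list, anchored_root: str) -> str:
    bad = verify_chain(document, chain)
    if bad != -1:
        return f"chain broken at entry {bad}"
    return "ok" if merkle_root(chain) == anchored_root else "root differs from anchor"

# Constructed sample data: three events on one document, then two tampering attempts.
DOC = b"constructed sample contract"
EVENTS = [{"action": a, "actor": "signer@example.com"} for a in ("view", "sign", "complete")]
CHAIN = build_chain(DOC, EVENTS)
ANCHORED_ROOT = merkle_root(CHAIN)  # stands in for the root recorded in the public anchor
FORGED = [EVENTS[0], {**EVENTS[1], "actor": "other@example.com"}, EVENTS[2]]
EDITED_IN_PLACE = [CHAIN[0], {**CHAIN[1], "event": FORGED[1]}, CHAIN[2]]
REBUILT = build_chain(DOC, FORGED)  # every link recomputed after the edit
```

An in-place edit fails at the edited entry, while a fully recomputed chain passes the link checks and is caught only by comparing its root against the anchored one.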

Compliance

ESIGN Act & UETA

Electronic signatures are legally binding under US federal (ESIGN Act) and state (UETA) law. We capture all required evidence.

eIDAS (EU)

Advanced Electronic Signature (AES) support under the European eIDAS regulation for cross-border legal validity.

GDPR

Full GDPR compliance with data processing agreements, right to erasure support, and EU data residency options.

Infrastructure

AWS Cloud

Hosted on Amazon Web Services with multi-availability-zone redundancy, automated backups, and disaster recovery.

Network Security

AWS WAF for DDoS protection, rate limiting on all endpoints, IP-based access controls for admin interfaces.

Monitoring

24/7 infrastructure monitoring with automated alerting. CloudWatch metrics, GuardDuty threat detection, and Security Hub compliance checks.

Your documents are in safe hands

Every layer of Zdottedline is engineered for security, compliance, and trust. From the moment you upload a document to the moment it's anchored to two independent public networks — and decades after, when anyone with a copy can verify it via our open-source CLI.

256-bit AES Encryption
15 min Token Expiry
100% Audit Coverage