Enterprise security

Security built into every document

GingerDocs encrypts your documents, scopes every action to a role, and records the whole lifecycle in a tamper-evident, hash-chained audit log.

How a document is protected (Secure)

  • Encryption: AES-256 at rest
  • Audit log: SHA-256 chain
  • Transport: TLS in transit

Compliance-minded

Built around the controls behind major standards

GingerDocs is designed to support the encryption, access-control, and audit requirements that frameworks like these are built on.

SOC 2 controls

Designed around the security, availability, and confidentiality criteria SOC 2 is built on.

HIPAA in mind

ePHI is encrypted at rest and in transit, with role-scoped access for healthcare workflows.

GDPR principles

Data minimization, account deletion with a 30-day grace period, and full data export.

Strong audit trail

A hash-chained, append-only log gives every document a verifiable record of events.

Defense in depth

Three layers of protection for every document

Encryption, isolation, and auditability — each implemented independently so a single failure can't compromise your data.

Encryption

Documents are encrypted at rest and protected with TLS in transit. Downloads use short-lived, signed URLs.

  • AES-256 encryption at rest
  • Download URLs expire after 5 minutes
  • Original PDF is never overwritten

Access control

Sessions use httpOnly cookies, recipients sign with revocable tokenized links, and roles scope what each person can do.

  • Owner and member team roles
  • Revocable recipient signing tokens
  • Share links with password & view limits

Auditability

Every lifecycle event — created, sent, viewed, signed, completed — is hashed and chained to the one before it.

  • SHA-256 hash chain, append-only
  • Signer IP address & timestamp recorded
  • Element edits tracked in version history

Architecture

Layered by design

Identity, authorization, encryption, and storage are handled as distinct layers, so each document is protected end to end.

Identity

httpOnly session cookies; tokenized recipient links

Authorization

Owner/member roles; per-document policy

Encryption

AES-256 at rest; TLS in transit

Storage

Encrypted object storage; signed, expiring download URLs

Audit log

Tamper-evident from creation to completion

Each event is hashed together with the previous one, so the whole history is verifiable and any change to an earlier record breaks the chain.

  • SHA-256 hash chain across every event
  • Append-only — records are never updated or deleted
  • Signer IP address and timestamp captured
  • Element edits recorded in version history

Document audit log (Verified)

  • 2026-01-14T14:08:42.114Z | document.completed | all signers done | hash #4831 ✓
  • 2026-01-14T14:08:39.022Z | recipient.signed | marcus@example.com | hash #4830 ✓
  • 2026-01-14T14:08:01.557Z | document.viewed | 192.168.214.92 | hash #4829 ✓
  • 2026-01-14T10:42:08.327Z | document.sent | 2 recipients | hash #4828 ✓
  • 2026-01-14T10:41:55.001Z | document.created | MSA_GlobalBank_v3 | hash #4827 ✓
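
The chaining described above, as an added example that is not GingerDocs' own code: each record stores the SHA-256 of the previous record's hash plus its own event, and verification reports the first record that no longer fits. The record layout, the all-zero genesis value, the canonical-JSON encoding, and the function names are assumptions; the events are constructed from the sample log on this page.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value used as prev_hash for the first record

def digest(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) so the same event always hashes the same.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(log, event):
    """Append-only write: each record commits to the hash of the record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"event": event, "prev_hash": prev_hash, "hash": digest(prev_hash, event)}
    log.append(record)
    return record

def verify_chain(log, expected_head=None):
    """Return (ok, index of first bad record); index len(log) means the head hash differs."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        if record["prev_hash"] != prev_hash or record["hash"] != digest(prev_hash, record["event"]):
            return False, i
        prev_hash = record["hash"]
    # Without a head hash stored outside the log, truncation of the tail goes unnoticed.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None

def build_sample_log():
    # Constructed events modeled on the lifecycle names used on this page.
    log = []
    for ts, kind, detail in [
        ("2026-01-14T10:41:55.001Z", "document.created", "MSA_GlobalBank_v3"),
        ("2026-01-14T10:42:08.327Z", "document.sent", "2 recipients"),
        ("2026-01-14T14:08:01.557Z", "document.viewed", "192.168.214.92"),
        ("2026-01-14T14:08:39.022Z", "recipient.signed", "marcus@example.com"),
        ("2026-01-14T14:08:42.114Z", "document.completed", "all signers done"),
    ]:
        append_event(log, {"ts": ts, "type": kind, "detail": detail})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]  # keep this outside the log's own storage
    log[1]["event"]["detail"] = "3 recipients"  # simulated edit to an earlier record
    print(verify_chain(log, head))
```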

Have a security or compliance question?

Tell us about your requirements and we'll walk you through how GingerDocs handles encryption, access control, and the audit log for your use case.
