Security & Compliance

Audit-ready from day one.

SpitShake was built for teams where signatures are evidence — not just a checkbox.

HIPAA-ready

Business Associate Agreement (BAA) support. PHI encrypted at rest with AES-256.

SOC 2 controls

Access control, change management, incident response, and vendor review practices.

Immutable audit

Every field change, submitter status transition, and document version is chained via SHA-256 and stored in append-only tables with PostgreSQL triggers.
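The hash chain described above, as an added illustration rather than SpitShake's own code: each audit record commits to the previous record's SHA-256, so an in-place edit or a deleted row breaks every later link, and a verifier can name the first record that no longer checks out. The record layout, the genesis value and the sample events are assumptions made here; in the product this logic would live in the PostgreSQL insert trigger the page mentions.

```python
"""Hash-chained, append-only audit log (added illustration, not SpitShake's code).

Each record stores the hash of the previous record, and its own hash covers
its sequence number, the previous hash and its content. Editing or deleting
any record therefore invalidates the hash that every later record commits to,
which verify_chain() detects.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # anchor for the first record (constructed convention)


def canonical(obj):
    """Deterministic JSON so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(seq, prev_hash, entry):
    """SHA-256 over sequence number, previous hash and entry content."""
    h = hashlib.sha256()
    h.update(str(seq).encode())
    h.update(b"|")
    h.update(prev_hash.encode())
    h.update(b"|")
    h.update(canonical(entry))
    return h.hexdigest()


def append_record(chain, entry):
    """Append one audit entry; a DB trigger would do this on INSERT."""
    seq = len(chain) + 1
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    rec = {"seq": seq, "prev_hash": prev_hash, "entry": entry}
    rec["hash"] = record_hash(seq, prev_hash, entry)
    chain.append(rec)
    return rec


def verify_chain(chain):
    """Return (True, None) if intact, else (False, seq of first broken record)."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(chain, start=1):
        # A gap in sequence numbers or a wrong back-link means a row went missing.
        if rec["seq"] != i or rec["prev_hash"] != expected_prev:
            return False, rec["seq"]
        # A hash mismatch means the row's content was changed after the fact.
        if record_hash(rec["seq"], rec["prev_hash"], rec["entry"]) != rec["hash"]:
            return False, rec["seq"]
        expected_prev = rec["hash"]
    return True, None


def build_sample_chain():
    """Constructed sample events of the three kinds the page lists."""
    chain = []
    append_record(chain, {"kind": "field_change", "record": "submitter/42",
                          "field": "email", "old": "a@example.com", "new": "b@example.com"})
    append_record(chain, {"kind": "status_transition", "record": "submitter/42",
                          "from": "invited", "to": "signed"})
    append_record(chain, {"kind": "document_version", "record": "document/7",
                          "version": 3, "content_sha256": "constructed-placeholder"})
    return chain


def tamper_demo():
    """Rewrite a historical record without recomputing hashes; verification pinpoints it."""
    chain = build_sample_chain()
    chain[1]["entry"]["to"] = "declined"
    return verify_chain(chain)


def deletion_demo():
    """Drop a middle record; the next record's sequence number and back-link expose the gap."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("edited:", tamper_demo())
    print("deleted:", deletion_demo())
```

A chain like this only proves integrity relative to its most recent hash, so the head of the chain should be anchored somewhere an attacker with database write access cannot reach, for example by including it in the RFC 3161 timestamped signatures the page describes.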

Digital signatures

Cryptographic PDF signatures with RFC 3161 TSA timestamps from FreeTSA (with fallback) for long-term validation.

MFA enforcement

Organization-wide MFA enforcement. TOTP + recovery codes. Session invalidation on key security events.

IP allowlisting

CIDR-based admin access control. Lockout-prevention guardrails on save.

Encryption at rest

Document uploads and sensitive PII fields are encrypted at rest with Rails Active Record Encryption. Key rotation supported via HKDF-derived key lineage.

30-day session limit

Sliding session timeout (30 min inactivity) enforced per HIPAA §164.312(a)(2)(iii).

Need a BAA, SOC 2 report, or security questionnaire response?

Contact security team