
Security

Effective date: March 26, 2026


At Signa, security is foundational to everything we build. Our customers trust us with their trademark intelligence workflows, and we take that responsibility seriously. This page describes the security practices and controls we have in place to protect your data.

Infrastructure

Signa's core API infrastructure runs on Amazon Web Services (AWS), primarily in the US East region. Our website is served through Vercel's global edge network.

Data residency: All primary data storage — including account information, API request logs, and trademark query data — resides in US East by default. Enterprise customers may discuss data localization requirements with our team.

Network architecture: Our production environment is isolated from development and staging environments through network segmentation. All internal service-to-service communication is encrypted and authenticated.

Encryption

All data is encrypted both in transit and at rest.

In transit: All connections to the Signa API and website are encrypted using TLS 1.2 or higher. We do not support unencrypted HTTP connections. API requests that attempt to connect over HTTP are automatically redirected to HTTPS. Configure your client with https:// URLs rather than relying on the redirect: a request that is first sent over HTTP, including any API key it carries, has already crossed the network unencrypted before the redirect is issued.

At rest: All data stored in our databases and object storage is encrypted using AES-256 encryption. Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation.

API Keys: Customer API keys are hashed before storage. We do not store your API key in plaintext after initial generation. If you lose your key, we cannot recover it — you will need to generate a new one.

Authentication and Access Control

Customer authentication: API access requires a unique, cryptographically generated API key. Account access is protected by email/password authentication. We support and encourage multi-factor authentication (MFA) for account access.
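The two properties above (keys generated from a CSPRNG, and only a hash of the key retained after generation) can be demonstrated end to end. The following is an added example, not Signa's code or its actual key format; the `sk_` prefix, the `key_id.secret` layout and the in-memory store are assumptions made for illustration. Because the secret is a random 256-bit value, a fast hash such as SHA-256 is the right choice (slow password hashes like bcrypt or Argon2 exist to protect low-entropy inputs), and verification compares digests in constant time so that timing does not leak how many bytes matched.

```python
"""Added example (not Signa's code): generate a high-entropy API key, store only
its SHA-256 hash, and verify presented keys in constant time.
Assumption: keys look like "sk_<key_id>.<secret>"; a real service would keep
the records in a database rather than a dict."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

KEY_PREFIX = "sk_"  # assumed, illustrative prefix


@dataclass
class StoredKey:
    key_id: str      # public identifier, safe to log and show in a dashboard
    key_hash: bytes  # SHA-256 of the secret; the secret itself is never stored


def hash_secret(secret: str) -> bytes:
    # A 256-bit random secret cannot be brute-forced, so a fast hash is enough;
    # slow hashes are for low-entropy inputs such as passwords.
    return hashlib.sha256(secret.encode()).digest()


def generate_api_key(store: Dict[str, StoredKey]) -> str:
    """Create a key, persist only its hash, and return the plaintext exactly once."""
    key_id = secrets.token_hex(8)            # 64-bit identifier
    secret = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
    store[key_id] = StoredKey(key_id, hash_secret(secret))
    return f"{KEY_PREFIX}{key_id}.{secret}"


def verify_api_key(store: Dict[str, StoredKey], presented: str) -> Optional[str]:
    """Return the key_id when the presented key is valid, otherwise None."""
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return None
    key_id, _, secret = presented[len(KEY_PREFIX):].partition(".")
    record = store.get(key_id)
    if record is None:
        # Do the same work as the success path so response time does not
        # reveal whether the key_id exists.
        hmac.compare_digest(hash_secret(secret), hash_secret(""))
        return None
    if not hmac.compare_digest(hash_secret(secret), record.key_hash):
        return None
    return key_id


def revoke_api_key(store: Dict[str, StoredKey], key_id: str) -> bool:
    """Remove a key; returns False if it was not present."""
    return store.pop(key_id, None) is not None


if __name__ == "__main__":
    keys: Dict[str, StoredKey] = {}
    plaintext = generate_api_key(keys)     # shown to the customer once
    print("issued:", plaintext)
    print("verified as:", verify_api_key(keys, plaintext))
    print("tampered key accepted:", verify_api_key(keys, plaintext[:-1] + "x") is not None)
```

Losing the plaintext is unrecoverable by design: the store holds only `key_hash`, so the only remedy is `revoke_api_key` followed by `generate_api_key`, which matches the "generate a new one" guidance above.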

Internal access: Signa employees access production systems using role-based access control (RBAC) with least-privilege principles. Administrative access requires multi-factor authentication. Access permissions are reviewed quarterly, and accounts are promptly de-provisioned when no longer needed.

Third-party access: No third party has direct access to our production databases. Sub-processors (listed in our Privacy Policy and DPA) receive only the minimum data necessary to perform their specific function.

Application Security

Secure development: We follow secure development practices, including code review, automated static analysis, and dependency vulnerability scanning as part of our CI/CD pipeline.

Dependency management: Third-party dependencies are automatically scanned for known vulnerabilities. Critical and high-severity vulnerabilities are patched within 24 hours and 7 days respectively.

API security: The Signa API implements rate limiting, input validation, and request authentication on all endpoints. We protect against common web application vulnerabilities including injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF).

Monitoring and Incident Response

Logging: All access to customer data is logged centrally. Detailed API request logs are retained for 90 days. Security-relevant events are monitored in real time.

Alerting: Automated alerts are configured for suspicious activity, including unusual API usage patterns, failed authentication attempts, and unauthorized access attempts.
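One of the alert conditions listed above, a burst of failed authentication attempts, can be expressed as a small sliding-window rule. The following is an added example and not Signa's detection logic; the JSON log schema, the five-minute window and the threshold of five failures are assumptions, and the log lines are constructed for the example rather than taken from any real system. It keys on source IP and raises one alert per source the first time the threshold is crossed, so a sustained attack does not flood the on-call channel.

```python
"""Added example (not Signa's code): detect bursts of failed authentication
per source IP over JSON log lines. Field names, window and threshold are
assumptions; SAMPLE_LOGS is constructed data."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

WINDOW = timedelta(minutes=5)  # assumed sliding window
THRESHOLD = 5                  # assumed number of failures that triggers an alert

# Constructed sample: a six-failure burst from one address inside a minute,
# and three slow failures from another address that never cross the threshold.
SAMPLE_LOGS = """
{"ts":"2026-03-26T10:00:00Z","event":"auth","result":"fail","src_ip":"203.0.113.7","key_id":"0a1b"}
{"ts":"2026-03-26T10:00:05Z","event":"auth","result":"fail","src_ip":"203.0.113.7","key_id":"0a1c"}
{"ts":"2026-03-26T10:00:07Z","event":"auth","result":"ok","src_ip":"198.51.100.9","key_id":"77e1"}
{"ts":"2026-03-26T10:00:12Z","event":"auth","result":"fail","src_ip":"203.0.113.7","key_id":"0a1d"}
{"ts":"2026-03-26T10:00:20Z","event":"auth","result":"fail","src_ip":"203.0.113.7","key_id":"0a1e"}
{"ts":"2026-03-26T10:00:31Z","event":"auth","result":"fail","src_ip":"203.0.113.7","key_id":"0a1f"}
{"ts":"2026-03-26T10:00:40Z","event":"auth","result":"fail","src_ip":"203.0.113.7","key_id":"0a20"}
{"ts":"2026-03-26T10:10:00Z","event":"auth","result":"fail","src_ip":"198.51.100.9","key_id":"77e1"}
{"ts":"2026-03-26T10:20:00Z","event":"auth","result":"fail","src_ip":"198.51.100.9","key_id":"77e1"}
{"ts":"2026-03-26T10:30:00Z","event":"auth","result":"fail","src_ip":"198.51.100.9","key_id":"77e1"}
"""


def parse_line(line: str) -> dict:
    """Parse one JSON log record; 'Z' is rewritten so fromisoformat accepts it on older Pythons."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_auth_failure_bursts(lines: Iterable[str],
                               window: timedelta = WINDOW,
                               threshold: int = THRESHOLD) -> List[dict]:
    """Return one alert per source IP the first time it reaches `threshold`
    failed authentications within `window`. Lines are assumed time-ordered."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if rec.get("event") != "auth" or rec.get("result") != "fail":
            continue
        src = rec["src_ip"]
        q = recent[src]
        q.append(rec["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src_ip": src,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": rec["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_failure_bursts(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Keying on `src_ip` catches an attacker trying many keys from one address; the same loop keyed on `key_id` would instead catch one key being guessed from many addresses, and a production rule would typically run both.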

Incident response: We maintain a documented incident response plan with defined roles, escalation paths, and communication procedures. The plan is tested annually through tabletop exercises.

Breach notification: In the event of a personal data breach, we will notify affected customers within 72 hours and the Norwegian Data Protection Authority (Datatilsynet) as required by the GDPR. See our Privacy Policy for details.

Vulnerability Management

Vulnerability scanning: Automated vulnerability scans run continuously against our infrastructure and application code.

Penetration testing: We conduct third-party penetration testing at least annually. Findings are triaged, remediated, and verified.

Patch management: Security patches are applied on the following schedule:

| Severity | Target Remediation Time |
|---|---|
| Critical | 24 hours |
| High | 7 days |
| Medium | 30 days |
| Low | Next release cycle |

Business Continuity

Backups: Automated daily backups with geographic redundancy. Backups are encrypted and stored separately from production data.

Disaster recovery: We maintain and test disaster recovery procedures annually. Our targets:

| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | 24 hours |
| Recovery Time Objective (RTO) | 4 hours |

Uptime: Signa targets 99.9% API availability. Current and historical uptime is available on our status page at status.signa.so.

Employee Security

Background checks: Personnel with access to production systems or customer data undergo background checks prior to onboarding.

Confidentiality: All employees and contractors sign confidentiality agreements as a condition of engagement.

Training: Security awareness training is provided at onboarding and refreshed annually. Training covers data handling, phishing awareness, incident reporting, and secure development practices.

Offboarding: Access is revoked immediately upon termination of employment or contract. Offboarding procedures are audited quarterly.

Sub-processor Security

We carefully evaluate the security practices of all third-party sub-processors before engagement. Sub-processor requirements include:

  • SOC 2 Type II certification or equivalent
  • Encryption of data in transit and at rest
  • Documented incident response procedures
  • Contractual data processing agreements with GDPR-compliant terms
  • Regular security audits

A full list of sub-processors is available in our Privacy Policy and DPA.

Compliance

| Framework / Regulation | Status |
|---|---|
| GDPR (EU General Data Protection Regulation) | Compliant |
| Norwegian Personal Data Act (personopplysningsloven) | Compliant |
| EU AI Act | Monitoring; compliance program in progress |
| SOC 2 Type II | Planned |
| ISO 27001 | Planned |

Responsible Disclosure

If you discover a security vulnerability in the Signa Service, we encourage you to report it responsibly.

How to report: Email security@signa.so with a description of the vulnerability, steps to reproduce, and any supporting evidence (screenshots, logs, etc.).

What we commit to:

  • Acknowledge your report within 2 business days
  • Provide an initial assessment within 5 business days
  • Keep you informed of remediation progress
  • Not pursue legal action against researchers who act in good faith and follow responsible disclosure practices

What we ask:

  • Give us reasonable time to investigate and remediate before public disclosure
  • Do not access, modify, or delete other customers' data
  • Do not perform denial-of-service testing against production systems
  • Do not use social engineering against Signa employees

Enterprise Security

For enterprise customers with additional security requirements, we offer:

  • Custom DPA terms: Tailored data processing agreements to meet your compliance needs
  • Security questionnaire responses: We maintain responses to common security questionnaires (SIG, CAIQ, VSAQ) and can provide these upon request
  • Dedicated support: Priority security incident communication channel
  • Data residency options: Discussion of data localization requirements

Contact security@signa.so or legal@signa.so to discuss enterprise security needs.

Contact

For security-related inquiries:

Signa Technologies AS
Security reports: security@signa.so
General security questions: security@signa.so
Privacy inquiries: privacy@signa.so

This page was last updated on March 26, 2026.