Every contract protected.
Every access controlled.

Every organisation operates in its own isolated space. Contracts, templates, signers, audit trails, reports, and every other data type are tagged to a specific organisation at creation. The data layer refuses to return any data tagged to a different organisation than the requesting user's. This separation is built into the foundation rather than enforced through rules that could be misconfigured, so cross organisation access is structurally impossible.

Three levels cover the access patterns real teams need. Admin has full control over organisation settings, billing, team membership, integrations, and all contracts. Manager can create, send, and manage contracts, templates, and workflows but cannot change organisation settings. Viewer can see contracts they have been granted access to but cannot create, modify, or share anything. Each member's level matches their actual responsibility.

The platform integrates with the company's existing identity system, so members sign in with the same identity they use everywhere else. The identity team configures the connection during onboarding, after which signing in routes through the company's provider. Access is managed centrally, so when someone leaves and is removed from the identity system, they automatically lose access to the platform without anyone revoking it separately.

Multiple failed sign in attempts from the same source within a short window. The threshold balances security with usability. Three or four failures is normal because users mistype passwords. A burst well beyond that is almost certainly a guess attack. Lockout temporarily blocks further attempts from that source while the legitimate user recovers access through verified email or the identity system. It stops guessing without locking out users for normal mistakes.

At the moment of signature, the platform creates a unique fingerprint from the exact contents of the document, stored alongside it. Any later change, even a single character, gives a completely different fingerprint. Comparing the stored fingerprint to a current calculation reveals tampering instantly. A signed contract that gets quietly modified cannot pass the check, so the team and any auditor can verify it is exactly as signed.

Attackers can sometimes learn information from how long a system takes to respond. A sign in for a real user might take slightly longer than one for a non-existent user, revealing which usernames exist. The platform deliberately makes responses take the same time regardless of the outcome, so attackers cannot extract information by comparing response times. This subtle protection matters for serious reviews and rules out a class of attack.