HelloSign, now officially called Dropbox Sign, is a popular e-signature solution acquired by Dropbox in 2019. As part of the Dropbox family, it has inherited stringent security measures. This article provides an in-depth overview of Dropbox Sign’s security measures and how they stack up against industry standards.
HelloSign’s Acquisition by Dropbox
In 2019, leading cloud storage provider Dropbox acquired e-signature pioneer HelloSign for $230 million. The deal helped expand Dropbox’s product capabilities beyond storage and file sharing, including legally binding document signing. With the acquisition, HelloSign was rebranded as Dropbox Sign and gained access to Dropbox’s security infrastructure and teams.
For example, Dropbox Sign now leverages Dropbox’s ISO 27001 certification, SOC 2 Type 2 compliance, HIPAA compliance, encrypted data storage, access controls, and other robust security measures. The alignment assures that documents are protected in providing e-signature solutions to small businesses and beyond.
Is HelloSign Secure? A Breakdown
When it comes to e-signature solutions, security is paramount. Users need assurance that their sensitive documents and signature transactions are protected. As part of the Dropbox family, Dropbox Sign (formerly HelloSign) has inherited a formal information security program that helps safeguard data.
General Security Measures
The Dropbox application security program is built to protect Dropbox Sign services and data. This includes employee training, audits, risk assessments, and incident response plans. Dropbox also operates an abuse bug bounty program inviting researchers to identify vulnerabilities through Bugcrowd. In addition, the Dropbox Sign API allows developers to integrate security-related initiatives into signing workflows.
HelloSign Privacy
HelloSign undergoes independent third-party audits annually to evaluate privacy practices and compliance. Audit reports can be provided upon request.
Document Encryption
Documents are encrypted at rest and in transit using industry-standard protocols like AES-256 and TLS 1.2. Each document has a unique encryption key protected by a regularly rotated master key. Backups are also encrypted.
Data Storage
Data centers hosting Dropbox Sign data must comply with rigorous certifications like SOC 2 and ISO 27001. Centers are monitored 24/7 with strict access controls. Though certain subprocessors may access data as needed, storage follows regulatory requirements.
Security Team
An entire team oversees security initiatives, led by the Head of the Security and risk management committee. All employees undergo background checks and annual security awareness training to uphold practices. Dropbox Sign performs regular checks for security-related issues.
Is HelloSign HIPAA Compliant?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law establishing data privacy and security standards for protecting medical information. To be HIPAA compliant, solutions must implement safeguards like encryption, access controls, audits, and employee training.
Given this definition, HelloSign is HIPAA compliant with its standard and premium plans. It has obtained the SOC 2 Type 1 attestation for Security, Confidentiality, and Availability criteria. Dropbox, as a whole, supports HIPAA compliance with stringent policies, technologies, and protocols in place to protect sensitive patient health data. For example, Dropbox leverages ISO 27001 certification, encrypted storage, strict access permissions, and other security best practices. Together, these controls aim to prevent unauthorized access or modification of documents and signatures containing protected health information.
Additionally, HelloSign adheres to the U.S. ESIGN Act of 2000 as a legal framework for using e-signatures. The alignment helps assure healthcare organizations that workflows with electronic documents and signing align with healthcare regulatory obligations.
HelloSign Security: The Downsides
While Dropbox Sign offers robust security protections, there are some weaknesses to note:
- Public Sharing Risks: Files shared via public links can be accessed by anyone, increasing risks. Limitations with tracking file access also make it difficult to audit changes. Public links used for sharing documents can inadvertently expose files to unauthorized access without detailed activity tracking.
- No Native Encryption: Dropbox does not natively provide client-side encryption or private key generation. While users can add encryption, this takes additional effort and resources. Native encryption, private keys, and other security controls must be implemented separately by users.
- Customer Support Limits: As a primarily consumer-focused electronic signature app, HelloSign does not have extensive customer support or dedicated account management typically expected by enterprises. Communication is predominantly digital. Support options lack phone/direct communication and HelloSign account management services common in business-class solutions.
While unlikely to impact individual users, these limitations introduce security and usability risks for larger organizations with sensitive data. Companies with rigorous compliance, encryption, and support needs may find HelloSign alternatives like Signaturely more suitable.
Signaturely is a Secure HelloSign Alternative
Both HelloSign and Signaturely leverage encryption, compliance standards, and authentication to secure different types of signatures. However, Signaturely’s security goes further with ISO 27001 and FISMA-certified Amazon data centers hosting military-grade access controls.
For payments, Signaturely partners with top-tier processor Stripe to enable Level 1 PCI compliance using tokenization. No raw magnetic stripe or sensitive cardholder data is ever stored.
Additionally, Signaturely documents feature anti-tampering controls through AATL compliance for robust evidential weight.
Other advantages include:
- Regular penetration testing and vulnerability scanning to harden defenses and review security-related initiatives
- Matching HelloSign compliance with HIPAA, GDPR, SOC 2 Type 2, and more
- US-based support teams are available 24/7 to solve issues
- Robust audit trail tracking
With comparable protection, leading infrastructure, compliance depth, and dedicated resources,
Signaturely forms the best e-signature software for handling sensitive data. The solution aims to provide complete confidence when sending documents securely.
FAQs About HelloSign Security
Below are some of the most frequently asked questions about HelloSign’s security policies.
Yes, HelloSign complies with the U.S. ESIGN Act as a legal framework for signing papers electronically. Documents signed through HelloSign are considered legally valid and enforceable.
Yes, HelloSign meets the requirements for a qualified electronic signature by capturing the signer’s identity, linking signatures to documents, and showing if documents were altered. These controls ensure authenticity and integrity.
HelloSign and DocuSign have comparable security, using encryption, compliance standards, authentication, and strict access controls. However, DocuSign may have an edge with round-the-clock physical security, while HelloSign relies more on stringent digital controls. For most use cases, both offer adequate protection. However, organizations with rigorous requirements should evaluate if DocuSign aligns better with their specific policies and protocols.
What You Need to Remember About Whether HelloSign is Secure
HelloSign has offered robust security controls since Dropbox’s acquisition. However, some risks exist around public links, supplemental encryption, and support. For most uses, HelloSign is reliable, but high-risk organizations may prefer DocuSign or Signaturely for greater compliance depth and dedicated resources.
