1. Data protection
We protect your data with industry-standard measures: encryption in transit and at rest, hardened servers, role-based access controls, and regular security reviews. The sections below describe each in more detail.
2. Authentication
We use email and password authentication. Passwords are hashed with bcrypt before they are written to the database: they are never stored in plain text, we cannot recover them, and the only remedy for a forgotten password is a reset. Two-factor authentication (TOTP) and SSO / SAML are on the roadmap.
3. Data encryption
All data in transit is encrypted with TLS 1.2 or higher. Sensitive data at rest (including BYOK API keys and signed-contract content hashes) is encrypted before storage.
4. Access controls
Role-based access controls govern every project resource. Custom roles and a permission pool let project owners delegate management without giving up control. Every permission change is recorded in an audit trail.
5. Monitoring
We continuously monitor our systems for suspicious activity and maintain incident-response procedures. Rate limiting protects authentication endpoints, AI gateways, and signing flows.
6. E-signature integrity
Every signed contract embeds an audit certificate (signer identity, IP address, user agent, timestamp) together with a frozen SHA-256 hash of the contract content, computed at signing time. Any later modification of the signed PDF changes its hash, so the recorded hash no longer matches and the tampering is detected. The flow is compliant with the U.S. ESIGN Act and UETA.
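The hash-freeze-and-verify step described above, as an added example (not the Service's own code). It assumes the audit record is stored in the audit trail outside the PDF it describes, so a tamperer cannot simply recompute and overwrite the hash; the function names, the signer metadata and the byte string standing in for a signed PDF are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: stands in for the bytes of a signed PDF (not a real PDF).
SIGNED_PDF = (
    b"%PDF-1.7\n"
    b"Service Agreement between Alice Example and Acme Ltd.\n"
    b"Fee: 1,000 USD per month. Term: 12 months.\n"
    b"/Sig Alice Example 2024-05-01\n"
    b"%%EOF\n"
)

# Constructed signer metadata of the kind the audit certificate records.
SIGNER_METADATA = {
    "signer": "alice@example.com",
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (constructed sample)",
    "timestamp": "2024-05-01T14:03:22Z",
}


def content_hash(document: bytes) -> str:
    """SHA-256 hex digest of the exact bytes that were signed."""
    return hashlib.sha256(document).hexdigest()


def issue_audit_certificate(document: bytes, metadata: dict) -> str:
    """Freeze the content hash alongside the signer metadata.

    Returned as canonical JSON (sorted keys, no whitespace) so the record
    can be stored in the audit trail and re-parsed later without ambiguity.
    """
    record = dict(metadata)
    record["sha256"] = content_hash(document)
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def verify_document(document: bytes, certificate_json: str) -> bool:
    """Recompute the hash of the presented bytes and compare it to the frozen one.

    hmac.compare_digest keeps the comparison time independent of where the
    two digests first differ.
    """
    certificate = json.loads(certificate_json)
    expected = certificate.get("sha256", "")
    return hmac.compare_digest(content_hash(document), expected)


def tamper(document: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate a post-signing edit of the PDF body (first occurrence only)."""
    if old not in document:
        raise ValueError("text to replace not found")
    return document.replace(old, new, 1)


if __name__ == "__main__":
    cert = issue_audit_certificate(SIGNED_PDF, SIGNER_METADATA)
    print("audit certificate:", cert)
    print("original verifies:", verify_document(SIGNED_PDF, cert))
    altered = tamper(SIGNED_PDF, b"1,000 USD", b"9,000 USD")
    print("altered verifies: ", verify_document(altered, cert))
```

The check is only as strong as the independence of the stored record: a hash that lives solely inside the file it protects can be recomputed by whoever edits the file, which is why the example treats the certificate as an audit-trail entry rather than a field read back from the PDF.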
7. Reporting security issues
If you discover a security vulnerability, please report it to yourva@myva.cc. We appreciate responsible disclosure and will acknowledge your report within two business days.
Safe harbour for good-faith research. We will not pursue legal action against security researchers who, in good faith, find and report vulnerabilities to us while:
- Avoiding privacy violations, destruction of data, or interruption of the Service.
- Only accessing data necessary to demonstrate the issue, and not retaining or sharing it.
- Giving us a reasonable window to respond before any public disclosure.
8. Breach notification
If a security incident materially affects your personal data, we will notify affected users and, where required, the relevant regulators — without undue delay and in line with applicable law. Notifications will describe what happened, what data was involved, what we’re doing about it, and the steps you can take.
9. Compliance
We comply with applicable data-protection regulations and industry security standards. See our Privacy Policy for data-handling detail and your rights.
10. Contact
Security questions or concerns: yourva@myva.cc