Identity documents are among the most sensitive data your organisation handles. SignMe is engineered with layered security controls — from the moment an image reaches our API to the moment it is permanently deleted.
Golden Developer has been delivering identity infrastructure to Egyptian government agencies and banks since 2009. Security is built into every layer of SignMe — not bolted on after the fact.
Security is embedded at every stage of the product lifecycle — architecture, development, and operations — not applied as an afterthought.
Uploaded images are deleted immediately after processing. We retain only what is necessary to operate the service.
All data in transit is encrypted via TLS 1.2 or higher. Data at rest is encrypted using industry-standard algorithms.
Access to production systems is strictly controlled, audited, and limited to authorised personnel only.
Enterprise clients can deploy the full OCR engine on-premise, ensuring no data ever leaves their own infrastructure.
Our OCR engine is developed and quality-audited in Italy under European AI and security research frameworks.
When you upload an identity document, it is processed in memory and the image is permanently deleted the moment your API response is sent. Nothing is written to permanent storage — not the image, not the raw OCR output.
Only anonymised request metadata (timestamps, status codes, credit usage) is retained for 90 days for operational purposes.
Image Received
Your API call arrives encrypted over TLS. The image is loaded into memory.
OCR Processing
The OCR engine extracts fields from the document entirely in-memory.
Response Sent
Structured JSON is returned to your application over the encrypted connection.
Image Deleted
The original image is immediately deleted. No copy is ever persisted.
Image Retention: 0 seconds. Deleted immediately after processing.
Metadata Retention: 90 days. Request logs (no document content).
Encryption in Transit: TLS 1.2+. All API traffic is encrypted.
Access to the SignMe API is protected at multiple layers.
Every request must include a valid Bearer token. API keys can be created, rotated, and revoked instantly from the portal.
Requests without a valid key are rejected at the gateway before reaching the OCR engine. Repeated failures trigger automatic blocking.
The API is only accessible over HTTPS. Plain HTTP connections are rejected. TLS 1.2 is the minimum supported version.
You can generate new keys and revoke old ones instantly, with no downtime. Rotate on a schedule or after any suspected exposure.
Our production environment is designed to minimise attack surface and blast radius.
Isolated Processing Environment
The OCR processing pipeline runs in an isolated environment, separate from account management and billing systems.
Network Segmentation
Production services are segmented from development and staging environments at the network level.
Access Logging & Auditing
All administrative access to production infrastructure is logged and subject to review.
Dependency Management
Dependencies are kept up to date and scanned for known vulnerabilities as part of our development process.
Incident Response Plan
We maintain a documented incident response procedure. Affected customers are notified promptly in the event of a security incident.
Regular Security Reviews
Security controls are reviewed regularly against current best practices and threat models.
For government agencies, banks, and enterprises with strict data residency requirements, SignMe can be deployed entirely within your own infrastructure. No data ever leaves your environment — the OCR engine runs on your servers, under your security policies.
Data never leaves your network
Your security posture matters as much as ours. Follow these practices to protect your integration.
Never hard-code API keys in source code or commit them to version control. Use environment variables, vault systems, or your cloud provider's secrets manager.
Rotate API keys on a regular schedule — monthly or quarterly — and immediately after any suspected exposure or team member departure.
Ensure your application makes API calls over HTTPS only. Reject any configuration that permits plain HTTP, even for internal networks.
Create separate API keys for separate environments (development, staging, production). This limits blast radius if one key is compromised.
Regularly review your API usage dashboard for unusual spikes, which may indicate a compromised key or unauthorised use.
For the highest-risk workflows — government, banking, healthcare — consider our on-premise deployment option to keep data entirely within your own infrastructure.
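The client-side practices above (keys from the environment, one key per environment, HTTPS only, TLS 1.2 minimum, Bearer authentication) can be enforced in code before any request is sent. The following is an added example, not SignMe's own code; the `SIGNME_API_KEY_<ENV>` variable names and the endpoint URL used with it are assumptions.

```python
import os
import ssl
from urllib.parse import urlsplit

ENVIRONMENTS = ("development", "staging", "production")
VAR = "SIGNME_API_KEY_{}"  # hypothetical variable naming scheme

def load_api_key(environment, env=os.environ):
    """Read the key for exactly one environment; never fall back to another."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {environment!r}")
    name = VAR.format(environment.upper())
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set")
    return key

def shared_keys(env=os.environ):
    """Return pairs of environments configured with the same key."""
    seen, clashes = {}, []
    for name in ENVIRONMENTS:
        key = env.get(VAR.format(name.upper()), "").strip()
        if key and key in seen:
            clashes.append((seen[key], name))
        seen.setdefault(key, name)
    return clashes

def require_https(url):
    """Reject plain HTTP, including for internal hosts."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS endpoint: {url!r}")
    return url

def tls_context():
    """Certificate-verifying context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_request(environment, url, env=os.environ):
    """Return (url, headers, ssl_context) for urllib.request or http.client."""
    headers = {"Authorization": f"Bearer {load_api_key(environment, env)}"}
    return require_https(url), headers, tls_context()
```

Running `shared_keys()` at start-up or in CI catches a production key that has been copied into a staging or development configuration.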
Our team is happy to discuss your organisation's specific requirements.