Trust Center / Responsible disclosure

Contact

Channel | For | Target response
security@sigill.ai | Security vulnerabilities, suspected key compromise, suspected cross-tenant access | Acknowledgement within 1 business day; status update within 3 business days
raymond@sigill.ai | Privacy and GDPR queries, data subject access requests, DPA queries | Within statutory deadlines (max 30 days)
/support (signed-in) | Operational issues, billing, plan questions | Same business day (Scale and Enterprise: 8h SLA)

Scope and good-faith research

Good-faith security research that stays within the scope of an account you control is welcome. We will not pursue researchers who:

  • Test only against accounts they own, or against accounts the owner has explicitly authorised them to test against.
  • Make a reasonable effort to avoid privacy violations, service degradation, and data destruction during testing.
  • Give Sigill.ai a fair opportunity to fix a confirmed issue before publishing — typically 90 days from the date the issue is acknowledged, shorter if the issue is already public or actively exploited.

The following are out of scope:

  • Denial-of-service or volumetric testing against the production API.
  • Social engineering against Sigill.ai staff, customers, or sub-processors.
  • Physical intrusion of any kind.
  • Issues found in third-party services we use, where the underlying vendor is the right venue for the report (AWS, Stripe, ZITADEL, Cloudflare, GitHub). Forward to the vendor; we are happy to confirm receipt and follow along.

What helps a report move faster

  • A clear description of the issue, the impact, and the minimum reproduction steps.
  • The exact URL, endpoint, or page affected, including the request shape.
  • Whether the issue is reproducible against a fresh, unauthenticated session, or requires a specific account configuration.
  • Any logs, screenshots, or proof-of-concept material that demonstrates the issue without expanding it (do not exfiltrate other tenants' data to demonstrate cross-tenant access — a minimal indicator is enough).

Incident notification

A confirmed security incident that affects customer data, signing-key integrity, or audit-log integrity will result in direct email notification to affected tenant owners. Where required by GDPR Article 33, the relevant supervisory authority will also be notified within 72 hours of awareness.

Honest commitment

Sigill.ai is a small team. We do not operate a 24/7 SOC. The commitment is that a single human looks at every report, every report receives a response, and confirmed incidents trigger customer notification.