SignOwl

Encryption at Rest

Encryption at rest is the protection of stored data by encrypting it while it resides on disk, in a database, or in cloud storage, ensuring that unauthorized access to the storage medium does not expose readable data.

What it means

Encryption at rest is distinct from encryption in transit (TLS). It protects against threats such as physical theft of storage media, unauthorized access to backups, and insider threats at the infrastructure level. Modern implementations typically use AES-256 with keys managed by a Hardware Security Module (HSM) or a cloud key management service (KMS).

Why it matters for e-signatures

SignOwl encrypts all stored documents and metadata using AES-256. This is a baseline security control required by frameworks like SOC 2, ISO 27001, HIPAA, and GDPR for platforms handling sensitive documents.

Related terms

AES-256 Encryption, TLS Encryption, PKI (Public Key Infrastructure), Electronic Record, Audit Trail

Frequently asked questions

If documents are encrypted at rest, can SignOwl staff read my documents?

Encryption key management policies determine access. SignOwl uses envelope encryption — documents are encrypted with a data key, which is itself encrypted with a master key stored in a separate KMS. Access is audit-logged.
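
The envelope scheme described in this answer, sketched with Node.js's built-in crypto module. This is an added example, not SignOwl's code: `makeKms`, the stored record layout, and the choice of AES-256-GCM with the document ID as associated data are assumptions made for illustration.

```javascript
const crypto = require("crypto");
// AES-256-GCM: returns iv (12) || tag (16) || ciphertext; aad is authenticated, not encrypted.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
// Inverse of seal(); final() throws if key, aad, tag or ciphertext do not match.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}
// Hypothetical in-process stand-in for a KMS: the master key stays inside this closure
// and every request is recorded. A real deployment would call a KMS or HSM API instead.
function makeKms() {
  const masterKey = crypto.randomBytes(32);
  const auditLog = [];
  return {
    auditLog,
    wrap(dataKey, docId) {
      auditLog.push({ op: "wrap", docId });
      return seal(masterKey, dataKey, docId);
    },
    unwrap(wrappedKey, docId) {
      auditLog.push({ op: "unwrap", docId });
      return open(masterKey, wrappedKey, docId);
    },
  };
}
// Encrypt one document under its own data key; only wrapped key + ciphertext are stored.
function encryptDocument(kms, docId, plaintext) {
  const dataKey = crypto.randomBytes(32);
  const body = seal(dataKey, plaintext, docId); // docId as aad binds ciphertext to its record
  const wrappedKey = kms.wrap(dataKey, docId);
  dataKey.fill(0); // best-effort wipe of the plaintext data key
  return { docId, wrappedKey, body };
}
// Reading a document always requires an unwrap call, which the KMS stand-in logs.
function decryptDocument(kms, record) {
  const dataKey = kms.unwrap(record.wrappedKey, record.docId);
  try { return open(dataKey, record.body, record.docId); }
  finally { dataKey.fill(0); }
}
```

A stored record is unreadable without an unwrap call to the holder of the master key, so that call is the natural place to enforce access policy and write the audit log entry.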

Does encryption at rest affect document access speed?

Modern encryption implementations have negligible performance impact. AES hardware acceleration is available in all current CPUs, making decryption near-instantaneous.
