Security & evidence
Built like a system of record, because it is one
A waiver only matters on the worst day of your year. Here is exactly how FlatWaiver makes sure the record holds up — and why you’re never locked in.
Tamper-evident by construction
Every signed waiver is rendered to PDF exactly once, at the moment of signing. A SHA-256 fingerprint of the document is stamped into the PDF itself and recorded in our database. Recompute the hash of the file at any time — in court, for an insurer, years later — and compare it to the recorded value. If a single byte had changed, the hashes wouldn't match.
Immutable records, immutable waiver text
Signed records are append-only: not even we can edit or delete them — the database itself rejects updates. Waiver text is versioned the same way. Every signature is permanently pinned to the exact version of the exact words the signer saw, along with the consent statement they agreed to, their IP address, device, and a timestamp.
Encrypted and access-controlled
All data is encrypted in transit (TLS) and at rest. Signed documents and signature images live in private storage that is never publicly listable — files are served only through short-lived signed URLs, only to authenticated members of your business, only for your own records. Signers never get direct database access; every public submission passes through server-side validation and bot protection.
Your data is never hostage
Export everything, any time: CSV of all records and bulk ZIP downloads of every signed PDF, in the app, with no volume caps and no "storage plan" fees. Exporting and viewing your existing records is never gated on your subscription — if you cancel, your signed waivers remain viewable and downloadable. Compare that to per-waiver vendors before you trust them with legal documents.
What we build on
FlatWaiver runs on audited, industry-standard infrastructure: Supabase (database, authentication, and encrypted storage), Stripe (payments — we never see or store card numbers), Resend (transactional email), and Cloudflare Turnstile (bot protection on public signing pages). Electronic signatures collected through FlatWaiver are recognized in the United States under the federal ESIGN Act and UETA; every signer affirmatively consents before signing, and the exact consent text is stored with the record.
Questions about our security practices, data handling, or a specific compliance requirement? support@example.com — we answer these personally. This page is not legal advice; have a lawyer review your waiver text.