Zero-Storage Architecture

How we protect your most sensitive documents through ephemeral processing.

1. Ephemeral Processing

Unlike traditional providers who write temporary files to disk during PDF generation, IUSign uses an ephemeral byte-stream flow. Your document's raw data exists only in server memory for the milliseconds required to apply signatures.

# In-memory only: no temporary file is written to disk
import gc
import io

buf = io.BytesIO(doc_content)
flattened = service.merge(buf)
del buf, flattened
gc.collect()

2. Envelope Encryption (AES-256-GCM)

Every document is encrypted with its own unique data key. This key is then wrapped using your organization's Master Key in Google Cloud KMS. Even if a breach occurs at the storage layer, your documents remain cryptographically isolated and undecipherable.

3. Immutable Hash Chains

Every action performed on an envelope — from creation to the final signature — is recorded in a cryptographically chained audit log. Each record contains the SHA-256 hash of the previous record, ensuring that any tampering with the history is immediately detectable.
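
The chaining and verification described above, as an added example (not IUSign's own code). The record fields, the JSON encoding, the all-zero genesis value and the separately stored head hash are assumptions made for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed "previous hash" value for the first record


def record_hash(record: dict) -> str:
    """SHA-256 of a canonical JSON encoding (the encoding is an assumption)."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def append(log: list, action: str, actor: str) -> dict:
    """Append a record that carries the hash of the previous record."""
    prev = record_hash(log[-1]) if log else GENESIS
    record = {"action": action, "actor": actor, "prev_hash": prev}
    log.append(record)
    return record


def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index where the chain first fails to link, or None if intact.

    A modified record is caught at the record after it, whose prev_hash no
    longer matches. The last record has no successor, so edits to it (or
    removal of trailing records) are caught only by comparing against
    expected_head, a copy of the latest hash kept outside the log; that
    failure is reported as index len(log).
    """
    prev = GENESIS
    for i, record in enumerate(log):
        if record.get("prev_hash") != prev:
            return i
        prev = record_hash(record)
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


if __name__ == "__main__":
    log = []  # constructed sample events
    for action, actor in [("envelope.created", "alice@example.com"),
                          ("envelope.viewed", "bob@example.com"),
                          ("envelope.signed", "bob@example.com")]:
        append(log, action, actor)
    head = record_hash(log[-1])          # stored separately from the log
    log[1]["actor"] = "mallory@example.com"
    print(verify(log, head))             # chain breaks at index 2
```

Detection depends on someone running the verification and on the head hash being kept where a party able to rewrite the log cannot also rewrite it.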