Nitro’s Dedication to Security and Compliance

With information security at the heart of all we do, the Nitro team bases its success on how well we earn and maintain our customers' trust. Every day, we protect the data of more than 650,000 businesses, including Xerox, Swiss Re, Continental, and Constellation Energy.

Over half of the Fortune 500 trust Nitro. You can too.

Our team

Nitro makes working with documents more efficient, more modern, and more secure. Our full-time team of information security experts is dedicated to gaining and maintaining your trust by keeping our information systems secure and your data protected.

Nitro security principles:

  • We are secure by design: Always on. Always reliable. Always secure.
  • All customer assets must be protected on a “need-to-know” and “least-privilege” basis.
  • Nitro security controls are pragmatic and risk-based.
  • Security is an integral part of the design, creation, and implementation of all Nitro components.
  • The tools we use support excellent security, reduce friction, and fit seamlessly into the way you work.
  • We meet and exceed our regulatory compliance obligations through strict observance of standards.

Secure by design

Since we consider data security to be our number-one job and priority, we build security into each stage of the System Development Lifecycle for all Nitro products.

We follow industry best practices to transfer, process, and store customer data. All Nitro Sign–enabled features run in computing facilities that are audited against key industry standards, such as PCI DSS, HIPAA, and SOC 2. Our primary data center is in the EU, in Frankfurt, Germany.

Nitro encrypts documents in transit with TLS and at rest with AES, and keeps digital audit trails of document activity. Through extensive logging and instrumentation, we monitor our production environment to audit security, availability, access, and other metrics for our services.

We use a combination of automated tools and manual inspection to ensure constant oversight of security events. For much of our cloud infrastructure, we use Amazon Web Services (AWS), which provides extensive documentation about its security practices here. AWS employs strong data security measures, as well as physical access restrictions at server locations. The list of AWS certifications, including ISO 27001 and SOC 1, 2, and 3 reports, is available here. Under the AWS shared responsibility model, those certifications cover the underlying infrastructure; Nitro remains responsible for securing the applications and data it runs on top of it.

For a full list of Nitro certifications, including SOC 2 Type 2, and HIPAA, please click here.

Click here to see the latest security updates from Nitro »

Trust but verify

Nitro platforms and products are tested on a daily basis. We commission external industry experts to perform regular security audits and penetration tests of Nitro. These assessments verify that our practices keep pace with current standards and that Nitro has been tested and hardened against the latest vulnerabilities identified by security professionals.

We go to great lengths to ensure no one sees or processes your data unless they're authorized to do so, and we strictly limit exceptions. All employees are subject to background checks, and access to production servers is limited solely to engineers who need to work directly with our production systems.

Regulations and Standards Observed

  • NIST SP 800-53
  • ISO 27000 Suite
  • Center for Internet Security (CIS) Benchmarks
  • Cloud Security Alliance (CSA) Cloud Controls Matrix
  • GDPR
  • CCPA
  • UETA & E-Sign Act (U.S.)
  • eIDAS (E.U.)


CIS is the Center for Internet Security, a 501(c)(3) nonprofit organization whose mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace."

The CIS AWS Foundations Benchmark is a set of industry-accepted configuration best practices for Amazon Web Services accounts and infrastructure. Nitro has adopted and incorporated the CIS AWS Foundations Benchmark as part of our Information Security Management System. Read more about the CIS AWS Foundations Benchmark.

HIPAA is the Health Insurance Portability and Accountability Act, passed by the US Congress in 1996 to mandate industry-wide standards for handling health care information.

HIPAA is concerned with the protection and confidential handling of health information. The HIPAA Privacy Rule requires health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic. Furthermore, only the minimum health information necessary to conduct business is to be used or shared. Read more about HIPAA.

As of September 2017, Nitro has been audited, assessed and certified as satisfying the HIPAA Final Security Rule with respect to user entities' PHI data.

SOC is the System and Organization Controls framework (formerly Service Organization Control). SOC is maintained by the American Institute of Certified Public Accountants (AICPA) and is the AICPA attestation standard for service providers' information security controls. An independent third party conducts an annual audit of Nitro's security, availability, processing integrity, confidentiality and privacy controls against the SOC 2 Trust Services Criteria. Nitro holds both a SOC 2 Type 1 report (control design at a point in time) and a SOC 2 Type 2 report (operating effectiveness over a review period). SOC 2 is independent, verified and tangible proof that Nitro values the security of our customers' data as highly as we value our own. Read more about SOC 2.

NIST is the US National Institute of Standards and Technology. NIST SP (Special Publication) 800-53 covers Security and Privacy Controls for Information Systems and Organizations. Nitro has adopted and incorporated NIST SP 800-53 as best practice and an integral part of our Information Security Standards. Read more about NIST SP 800-53.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of individuals in the EU, and to reshape the way organizations across the region approach data privacy. Read more about GDPR.

ISO is the International Organization for Standardization. Nitro has licensed the ISO 27000 suite of information security standards as best practice for Information Security Management Systems (ISMS). Nitro has adopted and incorporated the following ISO standards, guidance and best practice as part of our Information Security Management System:

Read more about ISO 27000.

The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Privacy Shield enables US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect individuals in the European Union. The EU-US Privacy Shield replaced the International Safe Harbor Privacy Principles.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. Note that the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield adequacy decision in July 2020 (Schrems II, C-311/18); transfers since then have relied on other mechanisms such as Standard Contractual Clauses, and its successor, the EU-U.S. Data Privacy Framework, was adopted in July 2023. Read more about Privacy Shield.