How it works

The cryptography, in plain English.

Four products run on the same crypto core. Seal and Sign embed two independent signatures over the same digest inside a single PAdES CMS structure: ECDSA P-256 (recognized by every PDF reader today) and ML-DSA-65 (FIPS 204, the post-quantum scheme NIST standardized in August 2024). An RFC 3161 timestamp from a qualified TSA wraps both. Vault and My Vault apply the same hybrid philosophy to confidentiality: AES-256-GCM encrypts the document, and the data key is wrapped per recipient (Vault) or per tenant (My Vault) with a hybrid X25519 + ML-KEM-768 KEM (FIPS 203). All four products share one audit trail and one public verifier surface.

How it works

Sign in. Seal, Vault, Sign, or store. Anyone verifies.

Four products, one workspace, one hybrid post-quantum core. Seal for court-defensible signatures anyone can verify. Vault for encrypted documents only the recipients you name can read. Sign for multi-party PAdES signature workflows with a final workspace PQC seal. My Vault for workspace-shared encrypted storage of any file. We retain hashes and audit metadata, never the original plaintext.

Programmatic API access (POST /v1/seal, /v1/vault, /v1/sign/...) ships from the Pro plan upward. The portal is the default surface — no API key required to seal, send, sign, or verify.

Password plus mandatory 2FA. Every time.

Create a workspace at /sign-up (T&C + Privacy captured) or sign in at /sign-in with your password. Every sign-in then requires a second factor: your authenticator app if enrolled, otherwise a 6-digit code emailed to you. Edge-layer CAPTCHA on the sign-up route. Encrypted session token, no SMS, no SSO needed.

auth · flow

POST /sign-in (credentials)  ↳ memory-hard password verify  ↳ returns MFA_REQUIRED POST /sign-in (second factor)  ↳ TOTP RFC 6238 verify  (or)  ↳ email-OTP 6-digit verify  ↳ encrypted session token  ↳ redirect /app/dashboard

Seal · in your portal

Seal a PDF without leaving the dashboard.

Drag a PDF onto the dashboard. We embed a hybrid PAdES signature — ECDSA P-256 + ML-DSA-65 — and chain an RFC 3161 timestamp from a qualified TSA. You download the sealed PDF plus a Certificate of Sealing. We retain only hashes and audit metadata.

asn.1 · CMS

SignedAttributes {  contentType, messageDigest,  signingTime, signingCertificateV2}Signatures {  ecdsa-p256-sha256        // classical  ml-dsa-65                // FIPS 204}TSA: RFC 3161 token (qualified)

Vault · share confidentially

Encrypt for one or more recipients.

Use Vault when the document content is sensitive. We encrypt with AES-256-GCM and wrap the data key per recipient using a hybrid X25519 + ML-KEM-768 KEM. Recipients prove identity with an email OTP and decrypt in-browser. Every open is logged.

crypto · per envelope

DEK = AES-256 randomciphertext = AES-256-GCM(DEK, pdf) For each recipient:  shared = X25519_DH(eph_sk, rcpt_pk)  (kem_ct, kem_ss) = MLKEM768.Encaps(rcpt_pk)  KEK = HKDF(shared || kem_ss)  wrappedDEK = AES-256-KW(KEK, DEK)

Sign · multi-party workflow

Hybrid PAdES B-LT plus a final PQC seal.

Add signers by email, set the order (sequential or parallel), and we drive the rest. Each signer authenticates with email + OTP and lands a hybrid ECDSA + ML-DSA PAdES B-LT signature. When the last signer finishes, we add the workspace PQC seal on top and emit the final PDF — one document, N signatures, court-defensible.

workflow · per signer

Per signer (i of N):  authenticate(email, OTP)  pades_sig = ECDSA + ML-DSA over byteRange  embed_signature(pdf, pades_sig)  audit(signer_i, ip, ua, signed_at) After last signer:  upgrade_to_BLT(dss + crl)  workspace_seal = PQC seal  emit final_pdf

My Vault · workspace storage

Encrypted file store for your tenant.

Store any file (not just PDFs) up to 100 MB under the same hybrid X25519 + ML-KEM-768 + AES-256-GCM envelope as Vault — but bound to the workspace itself rather than to external recipients. Optional zero-knowledge passphrase layer on sensitive items. Open from any device after sign-in; no second factor needed for retrieval.

envelope · per item

tenant_dek = AES-256 randomciphertext = AES-256-GCM(tenant_dek, file) shared = X25519_DH(eph_sk, tenant_pk)(kem_ct, kem_ss) = MLKEM768.Encaps(tenant_pk)KEK = HKDF(shared || kem_ss)wrapped_dek = AES-256-KW(KEK, tenant_dek)

Verify · public, free

Anyone can verify. No account required.

Send the sealed PDF to opposing counsel, an auditor, or a future judge. They drop it into our public verifier — we re-derive the digest, validate ECDSA + ML-DSA, and confirm the RFC 3161 timestamp. Free, on every plan, forever.

json · response

{  "valid": true,  "ecdsa": "ok",  "mlDsa": "ok",  "tsa":   "qualified TSA · 2026-04-28T03:50Z",  "sealId":     "01HX9F…",  "tenantHash": "bc8a…3f"}

Storage model

The PDF leaves; the hash stays.

Seal: when you upload a PDF, we hold it in memory just long enough to compute its digest, embed the hybrid signature, and stream the sealed file back. The original bytes are dropped — we do not write them to disk and we do not retain a cached copy. The audit record contains the hash, the two signature values, the RFC 3161 token, and the certificate chain. Cross-tenant queries are blocked at the data-access layer.

Vault: encrypted envelope blobs are retained so recipients can decrypt later, but they are AES-256-GCM ciphertext encrypted under a per-document data key that we ourselves cannot recover without the recipient's authentication. Per-recipient wrapped keys live next to the audit row. Recipient private keys are envelope-encrypted under a hardware-backed key alias; Enterprise tenants can BYOK to their own key-management infrastructure so we never see the unwrapping key in plaintext.

Sign: the in-flight PDF is encrypted under the sender tenant's hybrid envelope and rotates after every signer applies their PAdES B-LT signature. Per-signer audit rows capture the email, IP, user-agent, and signing timestamp. Once the last signer finishes we attach the final workspace PQC seal, retain the completed sealed PDF for sender retrieval, and drop all intermediate envelopes.

My Vault: same hybrid envelope as Vault, but the data key is wrapped under the tenant's own X25519 + ML-KEM-768 bundle instead of a recipient's. Files (any type, up to 100 MB) are retrieved from any workspace device after sign-in. Items marked passphrase-protected get an additional zero-knowledge layer the platform itself cannot decrypt.

The Certificate of Sealing PDF — a human-readable summary linked from the public verifier — is the only PDF we retain for the Seal product. It contains no part of your original document and can be deleted on request.

Verification

What the verifier checks, in order.

1. PDF integrity
Re-compute SHA-256 over the byte ranges referenced by the signature dictionary. Confirm it matches the message digest in SignedAttributes.
2. ECDSA signature
Verify with the public key from the embedded certificate chain. Walk the chain to a trusted root.
3. ML-DSA signature
Verify with the matching ML-DSA public key. The chain is co-located with the ECDSA chain inside the same CMS.
4. RFC 3161 timestamp
Verify the TSA token signature, confirm the imprint matches the signature value, and check the TSA cert chain.
5. Audit-log lookup
Cross-reference the hash and seal ID against our tenant-scoped audit trail. Confirms the seal was actually issued, not merely well-formed.
6. LTV proofs
Validate the embedded CRLs / OCSP responses so the document remains verifiable after the certificates expire.

Try the verifier Seal your first PDF