FreeSign

Imprint, privacy & contact

The operator behind free-sign.com, the data we receive (and the data we structurally can't), the terms under which the service is offered, and how to reach a human.

Operator

FreeSign is operated by Coder AI. The service at free-sign.com is offered on a best-effort, no-warranty basis. FreeSign is a proprietary, closed-source service; the security-disclosure channel at /.well-known/security.txt is public.

  • Operator: Coder AI — coderai.dev.
  • Contact: support@coderai.dev for general questions, partnerships, and billing. Use the contact form for one-shot questions if you prefer.
  • Public docs / AI surface: llms.txt, MCP discovery, OpenAPI.
  • Hosting / infrastructure: Cloudflare Workers (single Worker plus Cloudflare Static Assets) and Cloudflare D1. CA key material is hosted on Google Cloud KMS.
  • Jurisdiction: the service is offered “as is”; no warranties are made about availability or legal admissibility in any specific jurisdiction.

Contact & security disclosure

The primary contact paths are the embedded form at /support and direct email to support@coderai.dev. For coordinated vulnerability disclosure, see /.well-known/security.txt.

Privacy posture

The architectural property: no PDF bytes server-side

FreeSign's central design property is that the document you sign never reaches our infrastructure. The browser hashes the PDF locally; the Worker only ever receives the 32-byte SHA-256 of the original PDF and, later, the 32-byte digest of the signature ByteRange. There is no upload route in the public API and no endpoint accepts PDF content. The MCP discovery contract advertises documentUpload: false and a public-contract test (test/public-contract.test.mjs) fails if that flag ever flips.

What the Worker does retain

The signing event is a standard signing-act audit trail. We retain:

  • The OTP-verified email, stored as an envelope-scoped HMAC (we don't retain the plaintext after the OTP step).
  • The signer's typed legal name (appears in the per-user leaf cert's Subject CN).
  • The consent payload (canonical JSON), the OTP challenge id and verification time, and the public half of the browser-resident signing key.
  • A request fingerprint — not a separate “IP column,” but a nested object folded into each audit-event row's event_data_json and hash-chained into the audit trail. It captures whatever the Cloudflare edge surfaced for that request: the connecting IP, any X-Forwarded-For chain, x-real-ip, true-client-ip, user-agent, Accept-Language, sec-ch-ua, and Cloudflare's cf geo/ASN/TLS metadata.
  • An audit hash chain linking every event (envelope creation, OTP request, OTP verify, sign, seal, finalize) so tampering with one row breaks all later hashes.
  • The CMS PKCS#7 seal (which embeds the leaf cert + CA cert + RFC 3161 timestamp + OpenTimestamps anchor) and the OpenTimestamps anchor row.

This is the same audit-event surface DocuSign and Adobe Sign retain for signature events. The privacy invariant is “no PDF bytes,” not “no IPs” — an evidence trail of the act of signing is the entire point of an e-signature service. See the FAQ for what a third-party verifier can independently check from the signed PDF alone (the evidence JSON is embedded inside it).
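The tamper-evidence property of the audit hash chain, as an added example (not FreeSign's code). The row layout (`event_type`, `prev_hash`, `hash`), the event-type strings, the all-zero genesis value and the hash formula are assumptions made for illustration; only `event_data_json` and the list of events come from the text above.

```javascript
// Added example: row layout and hash formula are assumptions, not FreeSign's schema.
const GENESIS = "0".repeat(64); // assumed prev_hash of the first row

async function sha256Hex(text) {
  // Web Crypto is global in browsers, Workers and current Node; fall back otherwise.
  const c = globalThis.crypto ?? (await import("node:crypto")).webcrypto;
  const digest = await c.subtle.digest("SHA-256", new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// hash_n = SHA-256(hash_{n-1} + "\n" + event_type + "\n" + event_data_json)
function rowHash(prevHash, row) {
  return sha256Hex(`${prevHash}\n${row.event_type}\n${row.event_data_json}`);
}

async function appendEvent(chain, eventType, data) {
  const prev_hash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const row = { event_type: eventType, event_data_json: JSON.stringify(data), prev_hash };
  row.hash = await rowHash(prev_hash, row);
  chain.push(row);
  return chain;
}

// Returns the index of the first row that fails verification, or -1 if the chain is intact.
async function firstBrokenRow(chain) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const row = chain[i];
    if (row.prev_hash !== expectedPrev) return i; // link to the previous row is broken
    if (row.hash !== (await rowHash(row.prev_hash, row))) return i; // row content was edited
    expectedPrev = row.hash;
  }
  return -1;
}

// Constructed sample trail covering the six events named in the list above.
async function buildSampleChain() {
  const chain = [];
  const fingerprint = { ip: "192.0.2.10", "user-agent": "ExampleBrowser/1.0" }; // constructed
  const events = ["envelope_created", "otp_requested", "otp_verified", "signed", "sealed", "finalized"];
  for (const type of events) {
    await appendEvent(chain, type, { request_fingerprint: fingerprint });
  }
  return chain;
}
```

Editing one row is caught at that row; recomputing that row's own hash to hide the edit only moves the failure to the next row, whose `prev_hash` no longer matches.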

Retention

  • Signed / finalized envelopes: retained indefinitely — they are the evidence. There is no document to retain, only hashes, the leaf cert, the audit chain, and the seal.
  • Draft envelopes that never reached “signed” (the user dropped a PDF, requested an OTP, abandoned the flow): pruned by a daily cron after expiry (typically ≤7 days).
  • OTP challenges: short-lived; expired challenges are deleted by the daily cron.
  • Rate-limit buckets: 15-minute sliding window per IP and per email HMAC; old buckets are deleted by the daily cron.
  • Session nonces: consumed once per request; expired nonces are deleted after the 5-minute timestamp tolerance.

Third parties involved

  • Cloudflare — CDN, Workers runtime, D1 database, edge metadata. Cloudflare sees TLS-terminated request bytes (headers + JSON body), never PDF content because no PDF is ever sent to FreeSign.
  • Google Cloud KMS HSM — holds the FreeSign CA private key. The HSM signs only the TBSCertificate digest of each leaf certificate; it never sees the PDF, the signature, or any PII.
  • DigiCert RFC 3161 TSA (http://timestamp.digicert.com) — issues the trusted timestamp embedded in each seal. The TSA only sees the SHA-256 of the signature value, never the PDF or even the signature itself.
  • OpenTimestamps public calendar pool — receives the ByteRange SHA-256 to create an independent timestamp proof. Calendars only see the 32-byte hash.
  • Mailgun — sends OTP emails when configured. Only the OTP code and the recipient address are sent.

Terms of use

FreeSign is offered as-is to anyone who wants to sign a PDF without uploading it. There is no paid tier today and no signup, so there is no contractual relationship beyond the act of using the service.

  • No warranty. The service is provided without warranty of fitness for any particular legal proceeding. We describe the ESIGN / UETA / eIDAS evidence model FreeSign is designed around (see the FAQ), but legal admissibility is always jurisdiction- and fact-specific; consult counsel if the stakes warrant it.
  • No QES. FreeSign is not a Qualified Trust Service Provider and does not issue Qualified Electronic Signatures under eIDAS Article 25(2). Filings that require QES need a different tool.
  • No AATL. The FreeSign CA is not on Adobe's Approved Trust List. Adobe Reader will show a yellow trust warning. The FAQ unpacks why this is a UX wart, not a verdict on the signature.
  • Cert expiry. The per-user leaf certificate is issued for 10 years by default — chosen so Adobe Reader's wall-clock validation keeps the signature shown as valid across the typical “sign now, archive a decade” lifespan. After that window Reader may surface a different message; the underlying signature still verifies cryptographically and the OpenTimestamps proof and RFC 3161 timestamp still attest to the original signing time regardless of the cert window.
  • No bulk-abuse use. Don't use the service for spam, phishing, or to coerce signatures from people who haven't consented. We rate-limit per-IP and per-email; serious abuse will get the IP blocked at the edge.
  • Service can be discontinued. Already-signed PDFs remain verifiable without us — that's the whole point of standards-based signing. If we ever shut down, the file plus evidence JSON plus the OpenTimestamps proof still attest.

Cookies / storage

FreeSign does not set tracking cookies. Local storage in the browser is used for:

  • IndexedDB session keypair (non-extractable ECDSA P-256) bound to each envelope, used to produce the envelope-scoped session signatures on every protected request. The private key never leaves the browser.
  • Standard browser caches for static assets (CSS, fonts, images).
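How a non-extractable ECDSA P-256 session key and the single-use nonces with a 5-minute timestamp tolerance (see Retention) can fit together, as an added example that is not FreeSign's code. The signed message layout, the field names (`envelopeId`, `nonce`, `timestamp`, `bodySha256`) and the in-memory nonce set are assumptions; IndexedDB persistence is left out.

```javascript
// Added example: message layout, field names and the nonce store are assumptions.
const TOLERANCE_MS = 5 * 60 * 1000; // the 5-minute timestamp tolerance stated under Retention
const ECDSA = { name: "ECDSA", namedCurve: "P-256" };
const SIG = { name: "ECDSA", hash: "SHA-256" };

async function subtle() {
  const c = globalThis.crypto ?? (await import("node:crypto")).webcrypto;
  return c.subtle;
}

// Browser side: extractable=false, so exportKey() on the private key is rejected.
async function newSessionKey() {
  return (await subtle()).generateKey(ECDSA, false, ["sign", "verify"]);
}

async function privateKeyIsExportable(keyPair) {
  try {
    await (await subtle()).exportKey("pkcs8", keyPair.privateKey);
    return true;
  } catch {
    return false;
  }
}

// Assumed canonical form: the fields the signature binds, newline-separated.
const canonical = (r) =>
  new TextEncoder().encode([r.envelopeId, r.nonce, r.timestamp, r.bodySha256].join("\n"));

async function signRequest(keyPair, req) {
  const sig = await (await subtle()).sign(SIG, keyPair.privateKey, canonical(req));
  return { ...req, signature: new Uint8Array(sig) };
}

// Server side: holds only the public key; rejects stale, replayed or altered requests.
async function verifyRequest(publicKey, signed, seenNonces, now) {
  if (Math.abs(now - signed.timestamp) > TOLERANCE_MS) return "stale";
  if (seenNonces.has(signed.nonce)) return "replayed";
  const ok = await (await subtle()).verify(SIG, publicKey, signed.signature, canonical(signed));
  if (!ok) return "bad-signature";
  seenNonces.add(signed.nonce); // consume the nonce only after the signature checks out
  return "ok";
}
```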

For aggregate, anonymous pageview metrics we use Cloudflare Web Analytics — a cookieless, fingerprintless beacon. It records URL, referrer, country (from the edge), and basic timing. It never sees PDF contents, form field values, OTP codes, or any signing-flow data. No other third-party trackers and no ad scripts.