Imprint, privacy & contact
The operator behind free-sign.com, the data we receive (and the data we structurally can't), the terms under which the service is offered, and how to reach a human.
Operator
FreeSign is operated by 2Dynamic Games sp. z o.o. — a limited company based in Kraków, Poland (European Union), in the Register of Entrepreneurs since December 2013 — trading as Coder AI. The registered name is a legacy one from the company’s earlier activity: FreeSign is a serious cryptographic electronic-signature service, not a game or entertainment product. To be clear about what is and isn't new: the free-sign.com service is recent, but the company operating it has existed for over a decade. The service is offered on a best-effort, no-warranty basis. FreeSign is a proprietary, closed-source service; the security-disclosure channel at /.well-known/security.txt is public. Full GDPR controller details are in the privacy policy.
- Legal entity: 2Dynamic Games sp. z o.o., ul. Wadowicka 7, 30-347 Kraków, Poland — KRS 0000489269, NIP 5272716666, REGON 147232452; entered in the Polish Register of Entrepreneurs on 2013-12-05.
- Brand / operator: Coder AI — coderai.dev.
- Contact: support@coderai.dev for general questions, partnerships, and billing. Use the contact form for one-shot questions if you prefer.
- Public docs / AI surface: llms.txt, MCP discovery, OpenAPI.
- Hosting / infrastructure: Cloudflare Workers (single Worker plus Cloudflare Static Assets) and Cloudflare D1. CA key material is hosted on Google Cloud KMS.
- Jurisdiction: the service is offered “as is”; no warranties are made about availability or legal admissibility in any specific jurisdiction.
Contact & security disclosure
The primary contact paths are the embedded form at /support and direct email to support@coderai.dev. For coordinated vulnerability disclosure, see /.well-known/security.txt.
- General questions / bugs: /support (Google Form) or support@coderai.dev.
- Security issues: follow the channel listed in security.txt; please do not disclose publicly until we've had a reasonable window to fix.
- Legal / process service: support@coderai.dev with subject line “Legal”.
- Press / interviews: support@coderai.dev with subject line “Press”.
Privacy posture
The architectural property: no PDF bytes server-side
FreeSign's central design property is that the document you sign never reaches our infrastructure. The browser hashes the PDF locally; the Worker only ever receives the 32-byte SHA-256 of the original PDF and, later, the 32-byte digest of the signature ByteRange. There is no upload route in the public API and no endpoint accepts PDF content. The MCP discovery contract advertises documentUpload: false and an automated public-contract test fails if that flag ever flips.
What the Worker does retain
The signing event is a standard signing-act audit trail. We retain:
- The OTP-verified email, stored as an envelope-scoped HMAC (we don't retain the plaintext after the OTP step).
- The signer's typed legal name (appears in the per-user leaf cert's Subject CN).
- The consent payload (canonical JSON), the OTP challenge id and verification time, and the public half of the browser-resident signing key.
- A request fingerprint — not a separate “IP column,” but a nested object folded into each audit-event row and hash-chained into the audit trail. It captures whatever the Cloudflare edge surfaced for that request: the connecting IP, any X-Forwarded-For chain, x-real-ip, true-client-ip, user-agent, Accept-Language, sec-ch-ua, and Cloudflare's cf geo/ASN/TLS metadata.
- An audit hash chain linking every event (envelope creation, OTP request, OTP verify, sign, seal, finalize) so tampering with one row breaks all later hashes.
- The CMS PKCS#7 seal (which embeds the leaf cert + CA cert + RFC 3161 timestamp + OpenTimestamps anchor) and the OpenTimestamps anchor row.
This is the same audit-event surface DocuSign and Adobe Sign retain for signature events. The privacy invariant is “no PDF bytes,” not “no IPs” — an evidence trail of the act of signing is the entire point of an e-signature service. See the FAQ for what a third-party verifier can independently check from the signed PDF alone (the evidence JSON is embedded inside it).
Retention
- Signed / finalized envelopes: retained for 10 years by default and then purged by the daily cleanup job. There is no document to retain, only hashes, the leaf cert metadata, the audit chain, and the seal evidence.
- Draft envelopes that never reached “signed” (the user dropped a PDF, requested an OTP, abandoned the flow): pruned by a daily cron after expiry (typically ≤7 days).
- OTP challenges: short-lived; expired challenges are deleted by the daily cron.
- Rate-limit buckets: 15-minute sliding window per IP and per email HMAC; old buckets are deleted by the daily cron.
- Session nonces: consumed once per request; expired nonces are deleted after the 5-minute timestamp tolerance.
Third parties involved
- Cloudflare — CDN, Workers runtime, D1 database, edge metadata. Cloudflare sees TLS-terminated request bytes (headers + JSON body), never PDF content because no PDF is ever sent to FreeSign.
- Google Cloud KMS HSM — holds the FreeSign CA private key. The HSM signs only the TBSCertificate digest of each leaf certificate; it never sees the PDF, the signature, or any PII.
- DigiCert RFC 3161 TSA (http://timestamp.digicert.com) — issues the trusted timestamp embedded in each seal. The TSA only sees the SHA-256 of the signature value, never the PDF or even the signature itself.
- OpenTimestamps public calendar pool — receives the ByteRange SHA-256 to create an independent timestamp proof. Calendars only see the 32-byte hash.
- Mailgun — sends OTP emails when configured. Only the OTP code and the recipient address are sent.
Terms of use
FreeSign is offered as-is to anyone who wants to sign a PDF without uploading it. There is no paid tier today and no signup, so there is no contractual relationship beyond the act of using the service.
- No warranty. The service is provided without warranty of fitness for any particular legal proceeding. We describe the ESIGN / UETA / eIDAS evidence model FreeSign is designed around (see the FAQ), but legal admissibility is always jurisdiction- and fact-specific; consult counsel if the stakes warrant it.
- No QES. FreeSign is not a Qualified Trust Service Provider and does not issue Qualified Electronic Signatures under eIDAS Article 25(2). Filings that require QES need a different tool.
- No AATL. The FreeSign CA is not on Adobe's Approved Trust List. Adobe Reader will show a yellow trust warning. The FAQ unpacks why this is a UX wart, not a verdict on the signature.
- Cert expiry. The per-user leaf certificate is issued for 10 years by default — chosen so Adobe Reader's wall-clock validation keeps the signature shown as valid across the typical “sign now, archive a decade” lifespan. After that window Reader may surface a different message; the underlying signature still verifies cryptographically and the OpenTimestamps proof and RFC 3161 timestamp still attest to the original signing time regardless of the cert window.
- No bulk-abuse use. Don't use the service for spam, phishing, or to coerce signatures from people who haven't consented. We rate-limit per-IP and per-email; serious abuse will get the IP blocked at the edge.
- Service can be discontinued. Already-signed PDFs remain verifiable without us — that's the whole point of standards-based signing. If we ever shut down, the file plus evidence JSON plus the OpenTimestamps proof still attest. See privacy §9 for the self-sufficient-evidence framing.
The scope-of-guarantees and not-legal-advice framing for the privacy/RODO side is in the privacy policy §8.
Cookies / storage
FreeSign does not set tracking cookies. Local storage in the browser is used for:
- IndexedDB session keypair (non-extractable ECDSA P-256) bound to each envelope, used to sign the envelope-scoped session signatures on every protected request. Private key never leaves the browser.
- Standard browser caches for static assets (CSS, fonts, images).
For aggregate, anonymous pageview metrics we use Cloudflare Web Analytics — a cookieless, fingerprintless beacon. It records URL, referrer, country (from the edge), and basic timing. It never sees PDF contents, form field values, OTP codes, or any signing-flow data. No other third-party trackers and no ad scripts.