Security Policy

Last updated: March 19, 2021

Security is a vital part of the Summer user experience, and the privacy of our users is our top priority. We implement industry-leading data security standards and address security concerns ahead of new features.

SOC2 Compliance
Summer has successfully completed its SOC 2 Type 2 audits for security with no exceptions. This means that an independent third party has both validated our processes and practices with respect to security and confirmed our ability to maintain compliance with the controls we’ve implemented. Audit report available on request.

External Security Measures
Our main application platform is hosted on virtual private cloud environments in Heroku (Private Spaces) and Amazon Web Services (AWS VPC). We utilize HelloSign for secure document signing. HelloSign is ESIGN ACT compliant and all documents are stored at a Tier III, SSAE-16 and ISO 27001 certified data center.


  • Data at rest is encrypted using AES-256. All data in transit are SSL/TLS encrypted.
  • We employ an extra layer of encryption for the storing of particularly sensitive material utilizing
  • AES-256 with off-site encryption key storage (AWS KMS).

Internal Security Measures
Our company utilizes a VPN that is required for all access to admin tools and user data. Two Factor Authentication is required for access to all internal tools. No Summer employee will ever see your customer data unless required to do so for support reasons. We maintain an audit trail of admin access to customer data access to prevent misuse.

Vulnerability Disclosure Program
Summer is committed to ensuring the safety and security of our users. Toward this end, Summer has formalized our policy for accepting vulnerability reports in our products. To read about Summer’s VDP, or to submit a report, see our policy here

Additional questions? Contact