API Security & Compliance Overview

Build with confidence. Foxit APIs are designed for secure, scalable, and compliant document workflows across industries.

Enterprise-Grade Trust, Built In

Foxit APIs are designed for secure, scalable document workflows across regulated industries. Whether you're generating PDFs, embedding interactive viewers, or collecting electronic signatures, your workflows are protected by infrastructure and compliance standards trusted by healthcare, finance, education, and government organizations.
From authentication to audit trails, every API is built with security and transparency at its core.

Build With Confidence

Your data. Your users. Your documents. Protected at every step.
Foxit offers robust document workflow APIs that meet strict security and compliance requirements without slowing down development. From SAML-based authentication and PKI digital signatures to SOC 2 Type II certified infrastructure, this hub breaks down the technical standards behind our secure architecture—so you can build, evaluate, and scale with peace of mind.

Explore Security by Category

Each section below includes side-by-side comparisons for the Foxit eSign API and our PDF Services & Embed APIs—plus explanations of every feature, framework, and compliance detail.

Authentication & Identity

MFA, KBA, and SSO support for secure access and signer verification.

Signature Standards

PKI digital signatures, audit trails, and compliance with eIDAS and the ESIGN Act.

Security & Document Integrity

Tamper evidence, encryption, redaction, and document access control.

Compliance Frameworks

Support for HIPAA, GDPR, FERPA, CCPA, 21 CFR Part 11, and other global standards.

Certifications & Infrastructure

SOC 2 Type II, HIPAA-ready cloud architecture, and secure development practices.

Archiving & Retention

Support for PDF/A, audit trail retention, metadata control, and long-term storage.

Who This Is For

These resources are designed to support:
  • Security and compliance professionals evaluating Foxit for vendor trust
  • Developers integrating Foxit APIs into regulated workflows
  • IT and legal teams reviewing signature and storage standards
  • Enterprise teams working in healthcare, finance, legal, HR, and education

Authentication & Identity

Foxit APIs support strong authentication options to protect access, verify signers, and enforce identity management policies across enterprise workflows. This section outlines how each API family handles user and signer identity.

Feature Comparison

Feature Explanations

  • KBA (Knowledge-Based Authentication)
    Enables signer identity validation using public or private data challenge questions. Commonly used in regulated workflows like finance or life sciences.
  • MFA
    Adds a layer of security for API platform access. Can be enforced for user login or for signers via SMS/email codes.
  • SSO (SAML)
    Enables centralized identity control across your organization using existing SAML providers like Okta, Azure AD, or Google Workspace.
  • Signer Identity Verification
    Includes methods like verified email links, access passcodes, and configurable challenge logic for signer-level trust.
  • RBAC
    Define access scopes for API users, clients, or teams—critical for managing dev/test environments, client-specific workflows, or compliance controls.

Why It Matters

Strong identity control protects your documents and data from unauthorized access, fraudulent signers, and human error. Foxit's flexible identity infrastructure ensures your teams can build secure, compliant workflows—without friction.

Key Benefits:

  • Enforce strong security policies across your developer, admin, and signer flows
  • Protect regulated workflows with KBA, MFA, and RBAC support
  • Integrate securely into enterprise infrastructure with SAML-based SSO
  • Reduce risk of unauthorized access or impersonation

Signature Standards

Foxit APIs support legally recognized signature standards to help organizations enforce authenticity, non-repudiation, and regulatory alignment. This section highlights how each API product family supports digital and electronic signatures.

Feature Comparison

Feature Explanations

  • Qualified Electronic Signatures (QES)
    QES are the highest standard of electronic signature under EU eIDAS regulation, offering the legal equivalence of a handwritten signature. Available via Foxit eSign with identity validation services.
  • Digital Signatures
    Digital certificates bind the signer identity to the document. Foxit APIs support cryptographic signature creation, verification, and timestamping using PKI infrastructure.
  • Audit Trail & Certificates
    eSign workflows produce tamper-evident completion certificates that track every interaction with the document, including IP address, device info, timestamps, and signer data.
  • Intent & Consent Capture
    Capturing signer intent and consent is vital for enforceability. Foxit eSign APIs include explicit acceptance checkpoints, clickwrap language, and signature act logs.

Why It Matters

Whether you're complying with eIDAS, the ESIGN Act, or FDA 21 CFR Part 11, your ability to prove who signed, when, and how is essential to legal validity. Foxit APIs provide the flexibility to support high-trust agreements and secure document lifecycles.

Key Benefits:

  • Meet the highest legal standards for electronic and digital signatures
  • Provide verifiable evidence of signer identity, intent, and consent
  • Automate the generation of audit-ready completion certificates
  • Enable PKI workflows in embedded or automated PDF generation

Security & Document Integrity

Foxit APIs are built on a secure foundation, with protection mechanisms designed to preserve the integrity of your documents and ensure trusted interactions throughout the lifecycle—from generation to completion.

Feature Comparison

Feature Explanations

  • Tamper Evidence
    All signed documents include visible indicators and cryptographic sealing to detect unauthorized changes. PDF signature fields and audit logs make tampering attempts immediately detectable.
  • Encryption
    All API traffic is encrypted using TLS 1.2 or higher. Documents at rest are protected with AES-256 encryption—ensuring both secure transmission and long-term protection.
  • Redaction Tools
    The PDF Services API includes certified redaction functionality, allowing sensitive information to be permanently and irreversibly removed from documents.
  • Document Access Control
    eSign API links can be protected with role-based access, authentication codes, and expiration windows. Services and Embed APIs enable document-level password protection and access settings.
  • Time Stamping (RFC 3161)
    Cryptographic time stamping adds trusted timestamps to signed or generated documents—useful for compliance and long-term auditability.

Why It Matters

Security isn't just about keeping data safe—it's about ensuring that signed or generated documents remain unaltered, verifiable, and governed by appropriate access. Foxit APIs deliver the infrastructure to support high-assurance document handling in regulated environments.

Key Benefits:

  • Protect documents from tampering or unauthorized access
  • Ensure encryption at every stage of the document lifecycle
  • Maintain audit-ready records with verified timestamps
  • Enforce access and redaction policies at the API level

Compliance Frameworks

Foxit APIs support a wide range of global and industry-specific compliance requirements to help your organization meet legal obligations, privacy standards, and electronic record regulations.

Feature Comparison

Compliance Explanations

  • eIDAS
    Governs electronic signatures in the EU. The eSign API supports Simple (SES), Advanced (AES), and Qualified Electronic Signatures (QES), the latter having the highest legal value.
  • ESIGN & UETA
    U.S. laws that establish the legal effect of electronic records and signatures. Foxit eSign meets the requirements for enforceability, consent, and retention.
  • FINRA
    Applies to financial services firms. Foxit eSign supports compliance through retention, traceability, and audit logs. PDF Services offers tools like PDF/A and encryption for record fidelity, but does not hold FINRA certification.
  • CCPA
    California's data privacy law. Foxit APIs support data subject request (DSR) handling, deletion workflows, and secure document controls.
  • FERPA
    Applies to educational institutions. Audit controls and document protection help secure student data.
  • GDPR
    EU data privacy regulation. eSign APIs support consent tracking and deletion requests; PDF APIs offer redaction, anonymization, and secure metadata handling.
  • 21 CFR Part 11
    U.S. FDA regulation on electronic records and signatures. The eSign API supports compliant signature flows; PDF APIs include digital signature capabilities but do not implement the full Part 11 environment.

Why It Matters

Meeting regulatory requirements isn't optional—it's essential to doing business in healthcare, finance, education, and beyond. Foxit APIs are designed with compliance in mind, offering tools that align with the world's most important digital trust frameworks.

Key Benefits:

  • Align with U.S., EU, and global electronic signature laws
  • Reduce compliance burden with built-in auditability and traceability
  • Secure sensitive documents across HR, legal, and regulated industries
  • Build with confidence in education, healthcare, and finance environments

Certifications & Infrastructure

Foxit APIs are built on secure, modern cloud infrastructure and adhere to industry-leading certifications that validate our security controls, data protection standards, and operational integrity.

Feature Comparison

Feature Explanations

  • SOC 2 Type II
    An independent audit verifying Foxit's adherence to strict security, availability, and confidentiality controls over time. Applies to both eSign and cloud-hosted PDF APIs.
  • HIPAA Compliance
    For customers in the healthcare space, Foxit supports Business Associate Agreements (BAAs) and offers HIPAA-aligned features like encrypted transmission, access control, and audit tracking.
  • Cloud Isolation
    API services are deployed in logically segmented environments, keeping customer data isolated and secure even in multi-tenant systems.
  • Access Control & Tokens
    API keys, OAuth tokens, and RBAC ensure that data is accessed only by authorized users and systems, with full control over scope and permissions.
  • Monitoring & DevSecOps
    Our systems are monitored for uptime, performance, and threat detection. Secure development practices include vulnerability scanning and regular review.

Why It Matters

Compliance isn't just about features—it's about operational maturity. Foxit's certified infrastructure and transparent development processes help your team build securely, pass vendor assessments, and protect customer trust.

Key Benefits:

  • Confidently deploy Foxit APIs in regulated or security-sensitive environments
  • Streamline vendor security reviews and procurement processes
  • Maintain data integrity with certified controls and logging
  • Scale with a platform that's actively monitored and professionally managed

Archiving & Retention

Whether you're preserving signed documents for legal enforcement or managing long-term PDF accessibility, Foxit APIs provide the tools to support retention best practices and regulatory readiness.

Feature Comparison

Feature Explanations

  • PDF/A Support
    The PDF Services API supports generation and export of ISO-standard PDF/A files—designed for reliable, long-term document storage and regulatory archiving.
  • Audit Trail Retention
    Foxit eSign APIs retain audit trails for every signed document, including signer activity, timestamps, device info, and envelope history.
  • Cloud Document Storage
    eSigned documents are securely stored in the Foxit cloud, with access controls and export capabilities. PDF APIs allow documents to be stored and retrieved by your systems.
  • Redaction for Retention
    Redaction tools ensure that sensitive content can be permanently removed from PDFs before storage, meeting data minimization and compliance standards.
  • Metadata Control
    Control what metadata is embedded in your PDFs—scrub sensitive properties or preserve key attributes for search, filtering, and governance.

Why It Matters

Retention policies and auditability aren't just good practice—they're often required by law. Whether you're storing financial agreements, healthcare records, or HR documents, Foxit APIs offer the technical foundations for secure, standards-based archiving.

Key Benefits:

  • Ensure long-term accessibility and authenticity with PDF/A
  • Meet audit and retention policies with built-in compliance features
  • Prevent over-retention by redacting or removing sensitive data
  • Streamline downstream recordkeeping across industries