Skip to main content
Agent Xero Sign
[SIGN] SECURE PLATFORM

Cookie Policy

Last updated: April 29, 2026

Agent Xero Sign uses the minimum cookies required to operate the signing service securely. We do not use advertising, analytics, fingerprinting, or third-party tracking cookies of any kind. This page describes the cookies you may encounter when using the platform.

01 What Cookies We Use

We set strictly necessary, first-party cookies required for authentication and session continuity:

  • __Host-ax_signing_session — HttpOnly, Secure, SameSite=Strict session cookie issued after successful one-time-password (OTP) authentication. The cookie value is an HMAC-signed session reference; no personal data is stored in the cookie itself. In local development the cookie is named ax_signing_session because the __Host- prefix requires HTTPS.
  • ax_csrf — if present, a SameSite=Strict CSRF token cookie that pairs with a header on state-changing requests to mitigate cross-site request forgery.

We do not use any third-party cookies. Cloudflare Turnstile, when enabled, uses a privacy-preserving challenge mechanism that does not set cookies or fingerprint visitors.

02 Why We Use Them

The session cookie keeps you signed in across page navigations after you complete OTP verification. Without it you would have to re-authenticate on every request, which would make the signing flow unusable. The CSRF cookie, when used, prevents an attacker from forging authenticated requests on your behalf.

Both cookies are classified as strictly necessary under common consent frameworks (ePrivacy Directive, GDPR Recital 30) and do not require opt-in consent.

03 Retention

  • Signer sessions — expire after 7 days of inactivity.
  • Admin and sender sessions — expire after 24 hours.
  • CSRF token — tied to the session lifetime; cleared when the session ends.

Expired session records are removed by the daily data-retention cron and the underlying KV TTL.

04 How to Disable Cookies

You can clear or block cookies for this site in your browser settings. Blocking the session cookie will prevent you from signing in and from completing any signing workflow. Most browsers offer per-site controls under Privacy or Site Settings.

  • Clear on this device — delete cookies for signing.agent-xero.com in your browser's site-data manager.
  • End your session — sign out from the account menu; the session cookie is invalidated server-side immediately.

05 Updates & Contact

If we change the cookies we set, we will update this policy and the date at the top of this page. Material changes will also be announced via the platform.

Questions about our use of cookies may be directed to privacy@agent-xero.com.

[END] COOKIE_POLICY — Last updated April 29, 2026