Skip to main content

Data Protection and Security Addendum

Effective date: April 28, 2026

Permissio, Inc.


This Data Protection and Security Addendum describes the administrative, technical, and organizational security measures maintained by Permissio, Inc. ("Permissio") for the Services. It is incorporated into the Terms of Service and Data Processing Addendum.


1. Security Governance

Permissio maintains a security program appropriate to the nature of the Services and Customer Content. Permissio assigns internal responsibility for security, privacy, incident response, and access control, and reviews security controls periodically and after material platform changes.


2. Access Controls

  • Operator access to the Permissio console is managed through Clerk, a supported identity provider with multi-factor authentication support.
  • Role-based access controls apply to tenant workspaces and platform administration.
  • Administrative access to production systems is limited to authorized personnel with a documented business need.
  • API keys and personal access tokens are scoped and should be limited to least privilege. Raw API keys are not stored by Permissio after issuance.

3. Encryption and Secret Handling

  • All customer connections to the Services use TLS 1.2 or higher in transit.
  • Database volumes and object storage are encrypted at rest (AES-256 or equivalent).
  • Webhook signing secrets are used to sign outbound webhook deliveries; customers are responsible for protecting these secrets outside the Services.
  • Production secrets are stored in an approved secrets management system and are not committed to source code repositories.

4. Audit Logging and Integrity

  • Permissio maintains audit events for state-changing actions and security-relevant activity on the platform.
  • Audit logs may include: actor, action, target, time, IP address, user agent, request identifier, and operational metadata.
  • Signed PDF documents are SHA-256 hashed upon completion. The hash is stored on the envelope record and reproduced in the audit certificate to detect post-completion modification.
  • Customers should not treat logs as a complete legal record unless the relevant workflow, retention settings, and export process are validated for their specific requirements.

5. Application Security

  • Permissio applies security controls at the application layer including CSRF protection, rate limiting, input validation, and parameterized queries.
  • Signing sessions use single-use, expiring tokens to prevent unauthorized access to signing workflows.
  • Signer consent is captured as an auditable event before any signature fields are presented.
  • Permissio reviews its application security posture periodically.

6. Data Segregation

  • Customer data is logically segregated at the tenant level. Tenants cannot access other tenants' envelopes, documents, templates, or user records.
  • Sandbox and production environments use separate API credentials. Sandbox activities are suppressed from production workflows.

7. Availability and Resilience

  • Application state is stored in PostgreSQL with ACID guarantees.
  • Outbound webhook deliveries are managed by a transactional job queue. Webhook dispatch is enqueued atomically with the triggering event, so a process restart does not silently drop deliveries.
  • Permissio provides Services on a best-effort basis. See the Service Level and Support Policy and Reliability & Resilience page for details.

8. Vulnerability Management

  • Permissio monitors dependencies and platform components for known vulnerabilities and applies patches on a risk-prioritized basis.
  • Vulnerability reports from external researchers may be submitted under the Security Disclosure Policy.

9. Incident Response

  • Permissio maintains an incident response procedure covering detection, containment, investigation, remediation, and notification.
  • In the event of a confirmed Security Incident affecting Customer Personal Data, Permissio will notify Customer within 72 hours as described in the Data Processing Addendum.

10. Customer Responsibilities

Customers are responsible for:

  • Configuring workspace roles and permissions appropriately
  • Managing Authorized User access and revoking access promptly when users leave
  • Protecting API keys, personal access tokens, webhook secrets, and other credentials issued to or controlled by Customer
  • Reviewing audit logs for suspicious activity
  • Selecting authentication settings appropriate for the intended transaction
  • Ensuring that recipient and signer identities are correctly verified before sending documents
  • Complying with applicable law in their use of the Services

11. Limitations

The security measures in this Addendum describe Permissio's practices as of the effective date. Security technology evolves, and Permissio may update its security measures over time. This Addendum does not constitute a warranty that the Services will be free from all security breaches or unauthorized access.