Skip to main content

Compliance & Legal

Permissio is designed from first principles to produce legally admissible electronic signatures under United States law. This page describes the technical basis for that claim and the scope of current compliance coverage.

ESIGN Act and UETA

The Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq., "ESIGN") and the Uniform Electronic Transactions Act ("UETA") define four requirements for an electronic signature to carry the same legal effect as a handwritten signature. Permissio satisfies each requirement technically.

RequirementHow Permissio satisfies it
Intent to signEach signer performs an affirmative act on every required field — drawing, typing, or clicking. When the signer submits, a signed event is recorded in the append-only audit log capturing actor identity, all field values, signature modes (draw/type/click), and UTC timestamp. A signer_submitted event then closes the record.
Consent to electronic transactionBefore any signature fields are shown, the signing ceremony presents an ESIGN disclosure and requires affirmative acceptance. Consent is captured as a consent_accepted event storing the signer's IP address and user-agent string with a UTC timestamp.
AttributionEach signing session is bound to the signer's email address via a single-use, expiring token. The signer's IP address and browser user-agent are recorded at consent time (consent_accepted), and the signer's identity is attached to every subsequent signed event.
IntegrityThe executed PDF is SHA-256 hashed immediately after stamping. The hash is stored on the envelope record and reproduced in the audit certificate. Any post-completion modification produces a different hash.

The audit certificate — downloadable from any completed envelope in the Permissio app — captures the full evidentiary record: signer roster, event timeline, document SHA-256 hash, and completion timestamp. Programmatic download via GET /v1/envelopes/:id/audit-certificate is coming soon.

eIDAS (EU)

Permissio is a US-focused product. Signatures qualify as Simple Electronic Signatures (SES) under the eIDAS Regulation (EU No 910/2014) but do not currently qualify as Advanced Electronic Signatures (AdES) or Qualified Electronic Signatures (QES). Partners routing documents that require eIDAS AdES or QES compliance should use a qualified trust service provider for those workflows.

GDPR and Data Protection

Data residency. All data processed by Permissio is stored in the United States (AWS us-east-1 via Railway). EU/EEA residency zones are not currently available.

Retention model. Default retention windows are approximately 7 years (2,555 days) for completed envelopes and 365 days for voided, declined, and expired envelopes. Tenants may configure shorter windows from Settings → Retention & Compliance. Legal holds prevent deletion of any record subject to litigation or regulatory investigation.

Right to erasure. Deletion requests are executed at the tenant level through the account closure process. Records under active legal holds are excluded until the hold is released. To request account data deletion, contact privacy@permissio.us.

Subprocessors. The current subprocessor list is published on the Subprocessors page. Partners will be notified of material subprocessor changes with at least 30 days notice.

Data Processing Addendum. A DPA is available on the Data Processing Addendum page. Contact the partner team to request a signed copy.

HIPAA

Permissio is not a HIPAA-covered entity. Partners who are covered entities or business associates handling Protected Health Information should evaluate whether a Business Associate Agreement is required before routing PHI through Permissio. Permissio does not currently offer BAAs.

21 CFR Part 11

The Permissio audit trail — append-only event log, signer identity capture, tamper-evident SHA-256 hash, completion certificate — is architecturally aligned with the intent of 21 CFR Part 11 electronic records requirements. Formal attestation requires a third-party audit that has not yet been completed. Partners operating in FDA-regulated environments should consult their regulatory affairs team before using Permissio for records subject to Part 11.

Data Retention

Envelope statusDefault retention
completed2,555 days (~7 years)
voided365 days
declined365 days
expired365 days

Tenants may configure shorter windows from Settings → Retention & Compliance. Legal holds override the retention policy for the duration of the hold.

Subprocessors

SubprocessorPurposeData location
ClerkUser authentication & identityUnited States
StripeBilling & payment processingUnited States
ResendTransactional email deliveryUnited States
AWS S3 (via Railway)Document & evidence storageUS (us-east-1)
RailwayCompute & managed PostgresUS (us-east-1)

SOC 2

A SOC 2 Type 2 audit is on the Permissio roadmap. No audit has been completed. When a report is available it will be shared with partners under NDA upon request.