Compliance & Legal
Permissio is designed from first principles to produce legally admissible electronic signatures under United States law. This page describes the technical basis for that claim and the scope of current compliance coverage.
ESIGN Act and UETA
The Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq., "ESIGN") and the Uniform Electronic Transactions Act ("UETA") define four requirements for an electronic signature to carry the same legal effect as a handwritten signature. Permissio satisfies each requirement technically.
| Requirement | How Permissio satisfies it |
|---|---|
| Intent to sign | Each signer performs an affirmative act on every required field — drawing, typing, or clicking. When the signer submits, a signed event is recorded in the append-only audit log capturing actor identity, all field values, signature modes (draw/type/click), and UTC timestamp. A signer_submitted event then closes the record. |
| Consent to electronic transaction | Before any signature fields are shown, the signing ceremony presents an ESIGN disclosure and requires affirmative acceptance. Consent is captured as a consent_accepted event storing the signer's IP address and user-agent string with a UTC timestamp. |
| Attribution | Each signing session is bound to the signer's email address via a single-use, expiring token. The signer's IP address and browser user-agent are recorded at consent time (consent_accepted), and the signer's identity is attached to every subsequent signed event. |
| Integrity | The executed PDF is SHA-256 hashed immediately after stamping. The hash is stored on the envelope record and reproduced in the audit certificate. Any post-completion modification produces a different hash. |
The audit certificate — downloadable from any completed envelope in the Permissio app — captures the full evidentiary record: signer roster, event timeline, document SHA-256 hash, and completion timestamp. Programmatic download via GET /v1/envelopes/:id/audit-certificate is coming soon.
eIDAS (EU)
Permissio is a US-focused product. Signatures qualify as Simple Electronic Signatures (SES) under the eIDAS Regulation (EU No 910/2014) but do not currently qualify as Advanced Electronic Signatures (AdES) or Qualified Electronic Signatures (QES). Partners routing documents that require eIDAS AdES or QES compliance should use a qualified trust service provider for those workflows.
GDPR and Data Protection
Data residency. All data processed by Permissio is stored in the United States (AWS us-east-1 via Railway). EU/EEA residency zones are not currently available.
Retention model. Default retention windows are approximately 7 years (2,555 days) for completed envelopes and 365 days for voided, declined, and expired envelopes. Tenants may configure shorter windows from Settings → Retention & Compliance. Legal holds prevent deletion of any record subject to litigation or regulatory investigation.
Right to erasure. Deletion requests are executed at the tenant level through the account closure process. Records under active legal holds are excluded until the hold is released. To request account data deletion, contact privacy@permissio.us.
Subprocessors. The current subprocessor list is published on the Subprocessors page. Partners will be notified of material subprocessor changes with at least 30 days notice.
Data Processing Addendum. A DPA is available on the Data Processing Addendum page. Contact the partner team to request a signed copy.
HIPAA
Permissio is not a HIPAA-covered entity. Partners who are covered entities or business associates handling Protected Health Information should evaluate whether a Business Associate Agreement is required before routing PHI through Permissio. Permissio does not currently offer BAAs.
21 CFR Part 11
The Permissio audit trail — append-only event log, signer identity capture, tamper-evident SHA-256 hash, completion certificate — is architecturally aligned with the intent of 21 CFR Part 11 electronic records requirements. Formal attestation requires a third-party audit that has not yet been completed. Partners operating in FDA-regulated environments should consult their regulatory affairs team before using Permissio for records subject to Part 11.
Data Retention
| Envelope status | Default retention |
|---|---|
completed | 2,555 days (~7 years) |
voided | 365 days |
declined | 365 days |
expired | 365 days |
Tenants may configure shorter windows from Settings → Retention & Compliance. Legal holds override the retention policy for the duration of the hold.
Subprocessors
| Subprocessor | Purpose | Data location |
|---|---|---|
| Clerk | User authentication & identity | United States |
| Stripe | Billing & payment processing | United States |
| Resend | Transactional email delivery | United States |
| AWS S3 (via Railway) | Document & evidence storage | US (us-east-1) |
| Railway | Compute & managed Postgres | US (us-east-1) |
SOC 2
A SOC 2 Type 2 audit is on the Permissio roadmap. No audit has been completed. When a report is available it will be shared with partners under NDA upon request.