Security & trust

Security by architecture,
not by promise.

Pishik routes contracts through review without ever taking custody of a document. This page lays out the real architecture — what we store, what we never see, and how every action stays accountable.

Plain talk on certifications. Pishik is a private-beta product and does not yet hold SOC 2, ISO 27001, or similar certifications — and we won't imply otherwise. What we can do is show you exactly how the system is built. Most of what follows you can verify from inside the app.
The core design

Your documents never touch Pishik

You can't leak what you never had. Pishik stores the review — not the contract.

We store share links

The https:// links you paste from SharePoint, OneDrive, or Google Drive. The document itself stays put — reviewers open it in your storage, with exactly the rights your share link grants.

We store workflow state

Stages, reviewers, approvals and rejections, comments, timestamps — the record of who decided what, and when.

We store delivery metadata

What was emailed to whom, when, and whether it arrived — the delivery log behind the Sent page.

What we never store: your files. Contracts enter Pishik as links, never as uploads — there is no document upload to misuse. Even our own operations tooling is metadata-only: no contract titles, no parties, no comments. And when your share links are scoped to your organization (as we recommend), the documents behind them can't be opened by anyone outside it. Including us.

Tenancy

Isolated workspaces

Every company gets its own workspace. Nothing is shared between tenants.

One organization, one workspace

Every piece of data is keyed to your organization, and every session binds a person to their workspace. Reads and writes resolve through your organization's own store — never across tenants.

Hosting you can see

Pishik runs on Microsoft Azure. Your workspace's data region and tenant ID are shown in the app itself — not buried in a contract.

Fail closed, everywhere

A closed workspace goes dark at every door at once — sign-ins, active sessions, even outstanding review links stop answering. No door gets forgotten.

Identity

Accounts & access

Getting in is deliberately unexciting.

Invite-only, email-verified

During the beta, a workspace is created only with a single-use invite code — after a 6-digit code confirms the email address is really yours. Teammate invite links expire after 30 days. Passwords are stored only as bcrypt hashes.

Two-factor, done right

TOTP with any authenticator app — QR enrollment, single-use backup codes shown exactly once and stored only as hashes. Regenerating them invalidates the old set. Admins can require two-factor workspace-wide: anyone without it is walked through setup at their next sign-in, before any session is issued.

Sessions that actually end

Changing or resetting your password signs out every other session. Enabling two-factor does too. The session itself is a single HttpOnly cookie that expires on its own — and sign-in errors never reveal whether an account exists.

Three roles — owner, admin, and user — keep workspace configuration, team administration, and the audit log in admin hands. Sign-in, verification, and reset endpoints are all rate-limited.

Accountability

A true audit trail

Every decision, reminder, and change is recorded — under the name of the person who actually did it.

True-actor attribution

An admin working in a teammate's workspace is logged as themselves, with a label. A delegate covering a colleague's leave is logged under their own name. Nobody acts as somebody else.

On-behalf, on the record

When a reviewer answers by phone or hallway, a team member can record the decision — attributed to the recorder, with the reviewer's comment box locked and the reviewer notified by email. The recorder can never put words in the reviewer's mouth.

Even exports leave a trace

Every export — a contract record, the workspace, a report — is itself written to the audit log. Reading data out is as accountable as changing it.

Delivery

Email from your own domain

Review requests shouldn't look like phishing. Mail can come from you.

Three delivery channels

Your own Microsoft 365 tenant (via Microsoft Graph), Azure Communication Services, or any SMTP provider — so review email can genuinely come from your domain. Sent through your M365 tenant, it even lands in your own Sent Items.

Replies come to you

Replies go to your team's reply-to address — yours, or a company-wide one your admin sets. A reviewer's answer never disappears into Pishik.

An honest delivery log

Every send is recorded on the Sent page with its real status — Delivered, Failed, or Logged, never optimistic. Open any entry to see a pixel-faithful copy of exactly what the recipient received, and resend in one click.

Portability

Your data stays yours

No lock-in. Leaving with everything is a supported feature, not a support ticket.

Any contract record

Export a print-ready record of any contract — documents, flow, decisions, activity — ready for your browser's Save as PDF.

The whole workspace

Admins can export the entire workspace in one file from Settings → Data & export — contracts, reviewers, and settings included.

Your personal data

Every member — not just admins — can download their own contracts and activity with one click: Export my data, in Settings.

This website practices what it preaches

The page you're reading follows the same rules as the product: nothing leaves, nothing watches.

Zero third-party requests

No analytics, no trackers, no CDN scripts, no external images or embeds. Fonts are self-hosted. Your visit here is between you and us.

A strict Content-Security-Policy

Every page instructs your browser to refuse outside scripts, block embedding, and talk only to this site — a header on every response, not a policy on paper.

One cookie, only when you sign in

These pages set no cookies at all. The app sets exactly one — an HttpOnly session cookie. No advertising or tracking cookies exist anywhere.

Read the Privacy Policy

Herd your contracts. Keep your documents.

Pishik is in private, invite-only beta. We review requests and email you a single-use invite code.