Security & privacy

How to lock down your account and read how Pishik protects your work: two-factor authentication, sessions, review-link security, where your data lives, the audit trail, and getting your data in or out. For the architecture overview, see the Security & trust page.

Set up two-factor authentication

Two-factor authentication (2FA) adds a second step to sign-in: after your password, Pishik asks for a 6-digit code from an authenticator app on your phone. Even a stolen password won't get in without it. Pishik uses standard TOTP, so any free authenticator app works — Google Authenticator, Microsoft Authenticator, Authy, or 1Password.

You need: your current password, a free authenticator app, and a hosted (cloud) workspace — two-factor is available in the hosted product.

  1. Open Settings → Your profile and scroll to the Security section.
  2. Next to Two-factor authentication, press Turn on two-factor.
  3. Confirm it's you — enter Your password. (This stops someone at an unlocked machine from quietly pairing their authenticator with your account.)
  4. Scan the QR code with your authenticator app. Can't scan? Choose the manual option and type the setup key shown underneath instead.
  5. Enter the 6-digit code your app now shows and continue. Pishik verifies the code before anything is switched on — if it's rejected, check your phone's clock is set to update automatically and try the next code.
  6. Save your backup codes. Pishik shows you eight one-time backup codes once. Copy them into a password manager or download the .txt file before you close the dialog.
Turning on two-factor signs you out on every other device. Your current session stays active. From then on, every password sign-in asks for a code.

Common snags

  • "That code doesn't match." Authenticator codes are time-based and rotate every 30 seconds. Almost always the culprit is a phone clock that's drifted — turn on automatic date & time on the device, then enter a fresh code.
  • You set it up on a phone you might lose. That's exactly what backup codes are for — don't skip saving them. Read Backup codes and 2FA recovery before you need it.

Backup codes and 2FA recovery — read this before you need it

When you turn on two-factor, Pishik gives you eight single-use backup codes (each looks like K7M2P-9RJ4T). They're your way back in if your phone is ever lost, stolen, or reset. Pishik shows them exactly once and stores only a hashed fingerprint of each — we genuinely cannot show them to you again, so save them somewhere safe now.

Sign in with a backup code

  1. Sign in with your email and password as usual.
  2. At the code prompt, type one of your backup codes instead of an authenticator code (the field accepts either).
  3. You're in. That code is now spent and won't work again. When you're running low, Pishik warns you and points you to make a fresh set.

Make a fresh set of backup codes

Do this after you've used a few, or any time you want to rotate them:

  1. Open Settings → Your profile → Security.
  2. Under Two-factor authentication, press New backup codes.
  3. Confirm with your password and a current authenticator code (or one of your remaining backup codes).
  4. Save the new set. Your old backup codes stop working the moment the new ones are generated.
If you lose both your authenticator and your backup codes, there is no self-serve way back in — a password reset alone can't bypass two-factor, by design. See Lost your authenticator and backup codes for what happens next.

Require 2FA for your whole workspace

Admins can make two-factor mandatory for everyone who signs in with a password — a good baseline for a team that handles contracts.

You need: an admin or owner role, on a hosted (cloud) workspace.

  1. Open Settings → Security.
  2. Turn on Require two-factor.

What your team sees

Anyone who doesn't yet have two-factor is walked through setup at their next sign-in — scan a QR code, enter a code, save backup codes — before any session is issued. People who are already signed in aren't interrupted mid-session. The same enrollment step runs if an un-enrolled member arrives through a password reset or a fresh invite, so there's no side door around the policy.

While you're in Settings → Security, you can also set a Minimum password length (8–32 characters) that applies to every password sign-in in the workspace, and a Session timeout that automatically signs everyone out after a period of inactivity — see Idle sign-out.

Sessions and sign-out: what changing or resetting a password does to other devices

Your session is a single HttpOnly cookie — it can't be read by scripts, and it's only sent back to Pishik. Here's exactly which actions end which sessions, so you always know where you're still signed in.

You do this……and this happens to sessions
Change your password (Settings → Your profile → Security)Signs you out on every other device. Your current session stays active. Requires your current password.
Reset your password (forgot-password link from the sign-in screen)Signs out every session, including the one you're using — then you sign in fresh. If you have 2FA, you must present a code or backup code during the reset too.
An admin sends you a reset linkSame as a self-service reset: all existing sessions end once you set the new password.
Turn on two-factorSigns you out on every other device; your current session stays.
Sign outEnds the current session only.
Your workspace is suspendedEvery session goes dark at once, along with sign-in and any outstanding review links.

Changing your password is the quickest way to boot a device you left signed in somewhere you shouldn't have. The step-by-step for changing it lives in Your profile: name, photo, and password.

By default, sessions are long-lived and quietly renew while you keep using Pishik, then expire on their own after 30 days. Workspaces that want stricter behavior can turn on automatic idle sign-out — see Session timeout below.

Session timeout: automatic idle sign-out

Admins can have Pishik automatically sign people out after a period of inactivity — useful for teams on shared or unattended machines, or wherever policy requires it.

You need: an admin or owner role, on a hosted (cloud) workspace.

  1. Open Settings → Security.
  2. Under Session timeout, pick an idle window — from 15 minutes to 8 hours — or Off.

How it behaves

  • It counts inactivity, not time signed in. Working in Pishik keeps the session alive; walking away lets the clock run.
  • It's enforced on the server. Once the idle window passes, the session is dead — a fresh sign-in (including two-factor, if enabled) is required. Leaving a tab open doesn't keep a session alive.
  • It applies to everyone in the workspace, including admins, the moment you save the setting. People already past the idle window are asked to sign in again on their next action.
  • Unsaved work is protected the usual way — Pishik saves as you go, so an idle sign-out doesn't lose edits that were already made.

How review links stay secure

Reviewers never log in — so the emailed link is the security. Pishik designs it like a credential, not a convenience.

  • Personal and single-purpose. Every reviewer gets their own link, for their own decision, on one contract. It opens nothing else — not your workspace, not other documents, not other reviews.
  • Nothing is recorded until the reviewer confirms. The Approve/Reject buttons in the email open a dedicated decision page; the decision is only saved when the reviewer confirms it there. Mail scanners and inbox tools that quietly fetch every link can't approve or reject a contract by accident.
  • Single-use. Once a decision is confirmed, the link closes for good — reopening it just shows that it's already been used.
  • Expiring. An unused link expires on its own after a set window from when it was sent (about 90 days by default). Every reminder you send refreshes that clock, so a nudge never points at a dead link.
  • Reissued when a review restarts. Sending a rejected contract back to the reviewer, or revising and restarting the flow, mints a brand-new link and permanently retires the old one.

A link that's malformed, expired, or already used shows the reviewer a clear explanation — and everyone else a generic one, so nothing about your workspace leaks through the public door. Reviewers can read their side of this in Your review link is personal, single-use, and expires.

Where your data lives

The short version: Pishik stores the review, never the document. You can't leak what you never held.

Metadata only — never your files

Contracts enter Pishik as share links you paste from SharePoint, OneDrive, or Google Drive — there is no file upload. What Pishik keeps is workflow metadata: the links, the stages and reviewers, approvals and rejections, comments, timestamps, and the delivery log behind the Sent page. Your actual documents stay in your own storage the whole time; reviewers open them there, with exactly the rights your share link grants. (This is also why a whole workspace's data fits inside a small 2.5 MB metadata cap.)

Isolated per workspace

Every record is keyed to your organization, and every session binds a person to their own workspace. Reads and writes resolve through your organization's own store — never across tenants. If a workspace is ever closed or suspended, it fails closed: sign-in, active sessions, and any outstanding review links all stop answering at once.

Hosting you can see

Pishik runs on Microsoft Azure. Your workspace's address, data region, and tenant ID aren't buried in a contract — they're shown in the app at Settings → Security → Workspace.

Even our own tooling is metadata-only. The internal tools Pishik staff use to keep the service running never see contract contents — no document text, and no titles, parties, or comments. And when your share links are scoped to your organization (as we recommend), the documents behind them can't be opened by anyone outside it — us included.

Pishik is a private-beta product and holds no certifications such as SOC 2 or ISO 27001 — we describe only the architecture that actually ships. The full picture is on the Security & trust page.

The audit trail: what's recorded and who can see it

Pishik keeps a security-relevant event log so account and workspace changes are always accountable — recorded under the name of the person who actually did each thing.

What's recorded

  • Accounts and roles — invites, role changes, ownership transfer, offboarding.
  • Delegations, contract assignments, and reassignments.
  • Comments and @mentions — including the original text of any removed comment.
  • Profile changes, password changes, and two-factor changes (enable, disable, new backup codes, backup code used).
  • Every data export — reading data out is logged as carefully as changing it.

Each contract additionally carries its own activity timeline — creation, stage changes, decisions, reminders, emails, status updates, signing, and archiving — visible to anyone with access to that contract.

True-actor attribution

Nobody is ever logged as somebody else. An admin working inside a teammate's workspace is recorded as themselves, with a context label. A delegate covering someone's leave is logged under their own name. And when a decision is recorded on a reviewer's behalf, it's attributed to the person who entered it — the reviewer's own comment box stays locked. See Record a decision on a reviewer's behalf.

Who can see it

You need: an admin or owner role. The workspace audit log lives at Settings → Security → Audit log, newest first, with Show older events to page back through the full history. Regular members don't see the workspace-wide log, but everyone can see the activity timeline on contracts they have access to.

Export and restore your data

No lock-in: leaving with everything is a supported feature, not a support ticket. There are three ways to get data out, and one way to bring a backup back in. Every export is written to the audit log.

Export your own data — any member

You don't need to be an admin to take a copy of your own work.

  1. Open Settings → My data (admins see this tab as Data & export).
  2. Press Export my data. You get a single .json file with your contracts and their activity history.

Export the whole workspace — admins

  1. You need: an admin or owner role. Open Settings → Data & export.
  2. Press Export data to download one .json with everything — contracts, reviewers, users, and settings. The row shows when you last exported.

To export a single, print-ready contract record (for filing or sharing outside Pishik), use the export on the contract itself — see Export a contract record.

Restore from a backup — admins

  1. In Settings → Data & export, press Import data and choose a previously exported workspace file.
  2. Confirm — this replaces the current workspace contents (contracts, reviewers, and settings) for everyone on your team.
What a restore won't touch (hosted workspaces). Your team roster and seats, your plan/subscription, and your workspace identity (name, region, tenant ID) are managed by Pishik's servers, not stored in the backup file — a restore replaces your contracts, reviewers, and settings, but never rewrites who's on your team or your account standing.

Delete data: contracts, accounts, and closing a workspace

Because Pishik never holds your files, "deleting a document" always happens in your own storage — SharePoint, OneDrive, or Google Drive. Removing it there is enough to put the file beyond reach; Pishik only ever holds the record (the link and the workflow history), never the document.

Clear a contract off your board

The self-serve way to take a finished contract off your active board is to archive it — it moves into the Repository, where it stays searchable and can be restored at any time. Archiving is intentionally non-destructive: nothing is erased, so an archived contract still counts toward your workspace contract limit. Walk-through: Approve, track signatures, and archive.

Permanently remove a contract record or close a workspace

During the beta, permanent erasure of contract records — or of an entire hosted workspace and all its data — is handled by support. Contact us and we'll verify the request and process it for you. This is deliberate and permanent: once done, it can't be undone, so export anything you want to keep first (see Export and restore).

Removing a person

You don't delete a teammate outright — you offboard them, which archives their account and offers to hand their contracts to someone else. Nothing is lost, and they can be restored later. The full process is in Offboard a teammate.

If you're a reviewer (you don't have a Pishik account, you just got a review email) and want your contact details removed, see Privacy for reviewers.