Data & Security Disclosure

SignFlow is a software product developed by Team Palani LLC that enables organizations to collect electronic signatures and manage document signing workflows. SignFlow is available in two deployment models:

• SignFlow SaaS — a hosted platform operated by Team Palani LLC. Data is stored on infrastructure owned and operated by Team Palani LLC on behalf of the Operator. Team Palani LLC has access to this infrastructure for the purposes of operating, maintaining, and supporting the service, but does not use Operator or signer data for any purpose beyond providing the service.
• SignFlow Package — a self-hosted Elixir/Phoenix library that Operators deploy and operate on their own infrastructure. In this model, Team Palani LLC is the software author only and has no access to any data generated through the deployment.

SaaS model: All end-user data — including signer names, email addresses, signature images, completed form responses, and generated PDFs — is stored on infrastructure operated by Team Palani LLC on behalf of the Operator. The Operator controls access to this data through the SignFlow permission system. Team Palani LLC personnel do not access Operator or signer data except as necessary to provide technical support, maintain system security, or comply with legal obligations.

Self-hosted model: All data resides on infrastructure owned or controlled by the Operator. Team Palani LLC has no access to that data.

In both models, SignFlow supports optional integrations with third-party cloud storage providers (Google Drive, Dropbox, OneDrive, Box, Amazon S3, and S3-compatible services). If cloud storage is used, the Operator is responsible for ensuring that the chosen provider meets applicable compliance requirements, including execution of any required data processing agreements.

SignFlow is built with compliance-relevant features, including:

• Field-level encryption for personally identifiable information (AES-GCM)
• Append-only audit logging with no PII stored in log entries
• Role-based access controls governing who may view submissions, documents, and member data
• Hash-verified file storage with optional confirmed-delete
• IP address capture on submission
• Magic link authentication (no passwords stored)

These features are tools, not guarantees. Whether a given SignFlow deployment is HIPAA-compliant, GDPR-compliant, or compliant with any other law depends on how the Operator configures and operates the system.

The Operator is solely responsible for their compliance obligations. Team Palani LLC makes no representations about the compliance of any specific deployment.

Operators who require HIPAA compliance should contact Team Palani LLC to discuss whether a Business Associate Agreement is appropriate for their deployment model.

SignFlow provides a layered permission system:

• System Admins manage the platform but do not have default access to member submissions or clinical data.
• Team Admins may be granted specific permissions by the system admin, including the ability to view member documents, submissions, and audit logs.
• Members have access only to their own data within the member portal.

What any given administrator can see is determined entirely by how the Operator configures permissions. Operators are responsible for ensuring that access grants are appropriate for their context.

SignFlow captures electronic signatures and generates PDF records embedding the signer's name, signature image, timestamp, and IP address. The legal validity and enforceability of electronically signed documents depends on applicable law (including ESIGN, UETA, and equivalent statutes) and the specific circumstances of each transaction. Team Palani LLC makes no representation that documents signed through SignFlow are legally binding or enforceable in any jurisdiction or context.

For questions about a specific SignFlow deployment, contact the Operator who administers the platform you are using. For questions about SignFlow itself, contact Team Palani LLC.