Data & Security Disclosure

SignFlow is a software product developed by Team Palani LLC that enables organizations to collect electronic signatures and manage document signing workflows. SignFlow is available in two deployment models:

• SignFlow SaaS — a hosted platform operated by Team Palani LLC. In Standard Mode, non-PHI data is stored on infrastructure operated by Team Palani LLC on behalf of the Operator. In HIPAA Mode, no Protected Health Information is transmitted to or stored on Team Palani LLC infrastructure. Team Palani LLC does not use any Operator or signer data for any purpose beyond operating the service.
• SignFlow Package — a self-hosted Elixir/Phoenix library that Operators deploy and operate on their own infrastructure. In this model, Team Palani LLC is the software author only and has no access to any data generated through the deployment.

SaaS — Standard Mode: Signed documents and associated form data are stored on infrastructure operated by Team Palani LLC on behalf of the Operator. The Operator controls access through SignFlow's permission system. Team Palani LLC personnel do not access Operator or signer data except as necessary to provide technical support, maintain system security, or comply with legal obligations.

SaaS — HIPAA Mode: When HIPAA Mode is enabled, all data is processed entirely within the signer's browser and uploaded directly from the signer's device to the Operator's own cloud storage. Nothing from the signing session reaches Team Palani LLC servers. Form responses, signer information, signature images, and completed documents are assembled and transmitted exclusively from the client's browser directly to the Operator's own storage. The only information our servers receive is a SHA-256 cryptographic hash of the completed document for audit verification purposes. This hash cannot be reversed, cannot identify any individual, and cannot be used to reconstruct any document or any part of its contents.

Self-hosted model: All data — PHI and non-PHI alike — resides on infrastructure owned or controlled by the Operator. Team Palani LLC has no access to any of it.

In both models, SignFlow supports optional integrations with third-party cloud storage providers (Google Drive, Dropbox, OneDrive, Box, Amazon S3, and S3-compatible services). If cloud storage is used, the Operator is responsible for ensuring that the chosen provider meets applicable compliance requirements, including execution of any required data processing agreements.

SignFlow is built with compliance-relevant features, including:

• Field-level encryption for personally identifiable information (AES-GCM)
• Append-only audit logging with no PII stored in log entries
• Role-based access controls governing who may view submissions, documents, and member data
• Hash-verified file storage with optional confirmed-delete (local copy removed only after cloud upload verification)
• IP address capture on submission
• Magic link authentication (no passwords stored)

These features are tools, not guarantees. Whether a given SignFlow deployment is HIPAA-compliant, GDPR-compliant, or compliant with any other law depends on how the Operator configures and operates the system — including server security, encryption key management, staff access controls, mail provider configuration, business associate agreements with any third-party services, and operational policies.

The Operator is solely responsible for their compliance obligations. Team Palani LLC makes no representations about the compliance of any specific deployment.

SignFlow provides a layered permission system:

• System Admins manage the platform but do not have default access to member submissions or clinical data.
• Team Admins may be granted specific permissions by the system admin, including the ability to view member documents, submissions, and audit logs.
• Members have access only to their own data within the member portal.

What any given administrator can see is determined entirely by how the Operator configures permissions. Team Palani LLC does not dictate, recommend, or validate any specific permission configuration. Operators are responsible for ensuring that access grants are appropriate for their context — including any applicable professional, ethical, or legal obligations around data access (e.g., HIPAA minimum necessary standard).

SignFlow captures electronic signatures and generates PDF records embedding the signer's name, signature image, timestamp, and IP address. The legal validity and enforceability of electronically signed documents depends on applicable law (including ESIGN, UETA, and equivalent statutes) and the specific circumstances of each transaction. Team Palani LLC makes no representation that documents signed through SignFlow are legally binding or enforceable in any jurisdiction or context.

For questions about a specific SignFlow deployment or how your data is being handled, contact the Operator who administers the platform you are using. For questions about SignFlow itself or Team Palani LLC's data practices, contact Team Palani LLC directly.