This document has been reviewed for accuracy. Consider having a licensed attorney review before relying on it for legal purposes.
This agreement is entered into between Team Palani LLC ("Licensor") and the individual or entity accessing or deploying SignFlow ("Operator"). Operator's account may include System Administrators, Team Administrators, and Members (collectively "Users"). All actions taken by Users are the sole responsibility of the Operator.
SignFlow is available in two forms:
a. SignFlow SaaS — a hosted service operated by Team Palani LLC. In this model, Licensor provides infrastructure, software, and maintenance. Operator accesses the platform via a subscription and is responsible for how the platform is configured and used within their organization.
b. SignFlow Package — a self-hosted Elixir/Phoenix library distributed as an open package. In this model, Licensor is the software author only. Licensor does not host, operate, or manage any self-hosted installation. Licensor has no access to, and does not receive, process, or store any data generated through a self-hosted Operator deployment.
The responsibilities and obligations below apply to both deployment models unless otherwise noted.
Operator assumes sole and full responsibility for:
a. Infrastructure security (self-hosted model) — including but not limited to server hardening, encryption at rest and in transit, access controls, and routine patching of all systems on which SignFlow is deployed.
b. Data custody — in Standard Mode (SaaS), non-PHI end-user data is stored on Licensor's infrastructure on behalf of the Operator. In HIPAA Mode, no Protected Health Information is transmitted to or stored on Licensor's infrastructure at any time — PHI is processed in the signer's browser and delivered directly to Operator's own cloud storage. In the self-hosted model, all data resides on Operator's own infrastructure. In all cases, Operator is the data controller and is solely responsible for data security and compliance. Licensor strongly recommends that Operators carefully evaluate any third-party cloud storage integrations (Google Drive, Dropbox, OneDrive, Box, S3, etc.) before use with sensitive or regulated data.
c. Regulatory compliance — SignFlow is designed with compliance-relevant features including field-level encryption, audit logging, and role-based access controls. However, the presence of these features does not constitute HIPAA compliance, GDPR compliance, or compliance with any other applicable law or regulation. Compliance depends entirely on correct configuration, operational practices, staff training, and the Operator's broader technical and administrative safeguards. Operator is solely responsible for determining whether and how SignFlow may be used in regulated contexts.
d. Permission and access configuration — SignFlow provides a layered permission system with three levels: System Administrators, Team Administrators, and Members. Each level carries different visibility into submissions, documents, form data, and audit logs. Operator is responsible for configuring all User permissions appropriately. Team Palani LLC makes no representation about what level of access is appropriate for any given use case, and is not liable for any privacy violation, breach of duty, or regulatory violation arising from how Operator or any of its Users configures or grants access.
e. Email and communication setup — features such as magic link authentication and signer confirmation emails require a configured mail provider. Licensor is not responsible for harm arising from misconfigured or undelivered communications.
f. Legal enforceability of signed documents — SignFlow captures electronic signatures and generates PDF records. Licensor makes no representation that documents signed through SignFlow are legally binding or enforceable under applicable law. Operator is responsible for ensuring that their use of electronic signatures complies with applicable laws (including but not limited to ESIGN, UETA, and equivalent statutes) and for obtaining any legal review necessary to confirm enforceability.
Operator agrees to indemnify, defend, and hold harmless Team Palani LLC, its officers, members, employees, agents, successors, and assigns from and against any and all claims, actions, damages, liabilities, costs, and expenses (including reasonable attorney's fees) arising from or related to:
SignFlow is provided "as is" without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. Licensor does not warrant that the software is free of defects, secure against all threats, or suitable for use in any regulated environment without additional safeguards.
To the fullest extent permitted by law, Licensor's total liability to Operator for any claim arising from the software shall not exceed the amount paid by Operator to Licensor in the twelve (12) months preceding the claim. In no event shall Licensor be liable for any indirect, incidental, special, consequential, or punitive damages.
This agreement shall be governed by the laws of the State of Michigan. Any dispute shall be brought in the County of Ottawa, State of Michigan.
By accessing the SignFlow platform or deploying the SignFlow package, Operator agrees to be bound by the terms of this agreement.
Updated terms are posted at sign-flow.org/terms with a stated effective date of no less than 14 days from posting. Email notice may also be sent to the address on file and is deemed received three business days after sending. Operators are responsible for keeping their email address current. Continued use after the effective date constitutes acceptance of the updated terms.
Last updated: April 2026