Security by architecture,
not by promise.
Pishik routes contracts through review without ever taking custody of a document. This page lays out the real architecture — what we store, what we never see, and how every action stays accountable.
Your documents never touch Pishik
You can't leak what you never had. Pishik stores the review — not the contract.
We store share links
The https:// links you paste from SharePoint, OneDrive, or Google Drive. The document itself stays put — reviewers open it in your storage, with exactly the rights your share link grants.
We store workflow state
Stages, reviewers, approvals and rejections, comments, timestamps — the record of who decided what, and when.
We store delivery metadata
What was emailed to whom, when, and whether it arrived — the delivery log behind the Sent page.
What we never store: your files. Contracts enter Pishik as links, never as uploads — there is no document upload to misuse. Even our own operations tooling is metadata-only: no contract titles, no parties, no comments. And when your share links are scoped to your organization (as we recommend), the documents behind them can't be opened by anyone outside it. Including us.
Isolated workspaces
Every company gets its own workspace. Nothing is shared between tenants.
One organization, one workspace
Every piece of data is keyed to your organization, and every session binds a person to their workspace. Reads and writes resolve through your organization's own store — never across tenants.
Hosting you can see
Pishik runs on Microsoft Azure. Your workspace's data region and tenant ID are shown in the app itself — not buried in a contract.
Fail closed, everywhere
A closed workspace goes dark at every door at once — sign-ins, active sessions, even outstanding review links stop answering. No door gets forgotten.
Accounts & access
Getting in is deliberately unexciting.
Invite-only, email-verified
During the beta, a workspace is created only with a single-use invite code — after a 6-digit code confirms the email address is really yours. Teammate invite links expire after 30 days. Passwords are stored only as bcrypt hashes.
Two-factor, done right
TOTP with any authenticator app — QR enrollment, single-use backup codes shown exactly once and stored only as hashes. Regenerating them invalidates the old set. Admins can require two-factor workspace-wide: anyone without it is walked through setup at their next sign-in, before any session is issued.
Sessions that actually end
Changing or resetting your password signs out every other session. Enabling two-factor does too. The session itself is a single HttpOnly cookie that expires on its own — and sign-in errors never reveal whether an account exists.
Three roles — owner, admin, and user — keep workspace configuration, team administration, and the audit log in admin hands. Sign-in, verification, and reset endpoints are all rate-limited.
Review links that can't be abused
Reviewers never log in — so the link itself carries the security. We designed it like a credential.
Personal, single-purpose
Every reviewer gets their own link, for their own decision, on one contract. It opens nothing else — not your workspace, not other documents, not other reviews.
Nothing counts until confirmed
Approve or reject from the email — nothing is recorded until the reviewer confirms on a dedicated decision page. Mail scanners that prefetch every link in an inbox can't approve a contract by accident.
Single-use, with an expiry
Once a decision is confirmed, the link closes for good. Unused links expire on their own — and every reminder refreshes the clock, so a nudge never points at a dead link.
Malformed, stale, or already-used links get a clear explanation for the reviewer — and a generic answer for everyone else. Nothing about your workspace leaks through the public door.
A true audit trail
Every decision, reminder, and change is recorded — under the name of the person who actually did it.
True-actor attribution
An admin working in a teammate's workspace is logged as themselves, with a label. A delegate covering a colleague's leave is logged under their own name. Nobody acts as somebody else.
On-behalf, on the record
When a reviewer answers by phone or hallway, a team member can record the decision — attributed to the recorder, with the reviewer's comment box locked and the reviewer notified by email. The recorder can never put words in the reviewer's mouth.
Even exports leave a trace
Every export — a contract record, the workspace, a report — is itself written to the audit log. Reading data out is as accountable as changing it.
Email from your own domain
Review requests shouldn't look like phishing. Mail can come from you.
Three delivery channels
Your own Microsoft 365 tenant (via Microsoft Graph), Azure Communication Services, or any SMTP provider — so review email can genuinely come from your domain. Sent through your M365 tenant, it even lands in your own Sent Items.
Replies come to you
Replies go to your team's reply-to address — yours, or a company-wide one your admin sets. A reviewer's answer never disappears into Pishik.
An honest delivery log
Every send is recorded on the Sent page with its real status — Delivered, Failed, or Logged, never optimistic. Open any entry to see a pixel-faithful copy of exactly what the recipient received, and resend in one click.
Your data stays yours
No lock-in. Leaving with everything is a supported feature, not a support ticket.
Any contract record
Export a print-ready record of any contract — documents, flow, decisions, activity — ready for your browser's Save as PDF.
The whole workspace
Admins can export the entire workspace in one file from Settings → Data & export — contracts, reviewers, and settings included.
Your personal data
Every member — not just admins — can download their own contracts and activity with one click: Export my data, in Settings.
This website practices what it preaches
The page you're reading follows the same rules as the product: nothing leaves, nothing watches.
Zero third-party requests
No analytics, no trackers, no CDN scripts, no external images or embeds. Fonts are self-hosted. Your visit here is between you and us.
A strict Content-Security-Policy
Every page instructs your browser to refuse outside scripts, block embedding, and talk only to this site — a header on every response, not a policy on paper.
One cookie, only when you sign in
These pages set no cookies at all. The app sets exactly one — an HttpOnly session cookie. No advertising or tracking cookies exist anywhere.
Herd your contracts. Keep your documents.
Pishik is in private, invite-only beta. We review requests and email you a single-use invite code.