Security & privacy
How to lock down your account and read how Pishik protects your work: two-factor authentication, sessions, review-link security, where your data lives, the audit trail, and getting your data in or out. For the architecture overview, see the Security & trust page.
Set up two-factor authentication
Two-factor authentication (2FA) adds a second step to sign-in: after your password, Pishik asks for a 6-digit code from an authenticator app on your phone. Even a stolen password won't get in without it. Pishik uses standard TOTP, so any free authenticator app works — Google Authenticator, Microsoft Authenticator, Authy, or 1Password.
You need: your current password, a free authenticator app, and a hosted (cloud) workspace — two-factor is available in the hosted product.
- Open Settings → Your profile and scroll to the Security section.
- Next to Two-factor authentication, press Turn on two-factor.
- Confirm it's you — enter Your password. (This stops someone at an unlocked machine from quietly pairing their authenticator with your account.)
- Scan the QR code with your authenticator app. Can't scan? Choose the manual option and type the setup key shown underneath instead.
- Enter the 6-digit code your app now shows and continue. Pishik verifies the code before anything is switched on — if it's rejected, check your phone's clock is set to update automatically and try the next code.
- Save your backup codes. Pishik shows you eight one-time backup codes once. Copy them into a password manager or download the .txt file before you close the dialog.
Common snags
- "That code doesn't match." Authenticator codes are time-based and rotate every 30 seconds. Almost always the culprit is a phone clock that's drifted — turn on automatic date & time on the device, then enter a fresh code.
- You set it up on a phone you might lose. That's exactly what backup codes are for — don't skip saving them. Read Backup codes and 2FA recovery before you need it.
Backup codes and 2FA recovery — read this before you need it
When you turn on two-factor, Pishik gives you eight single-use backup codes (each looks like K7M2P-9RJ4T). They're your way back in if your phone is ever lost, stolen, or reset. Pishik shows them exactly once and stores only a hashed fingerprint of each — we genuinely cannot show them to you again, so save them somewhere safe now.
Sign in with a backup code
- Sign in with your email and password as usual.
- At the code prompt, type one of your backup codes instead of an authenticator code (the field accepts either).
- You're in. That code is now spent and won't work again. When you're running low, Pishik warns you and points you to make a fresh set.
Make a fresh set of backup codes
Do this after you've used a few, or any time you want to rotate them:
- Open Settings → Your profile → Security.
- Under Two-factor authentication, press New backup codes.
- Confirm with your password and a current authenticator code (or one of your remaining backup codes).
- Save the new set. Your old backup codes stop working the moment the new ones are generated.
Require 2FA for your whole workspace
Admins can make two-factor mandatory for everyone who signs in with a password — a good baseline for a team that handles contracts.
You need: an admin or owner role, on a hosted (cloud) workspace.
- Open Settings → Security.
- Turn on Require two-factor.
What your team sees
Anyone who doesn't yet have two-factor is walked through setup at their next sign-in — scan a QR code, enter a code, save backup codes — before any session is issued. People who are already signed in aren't interrupted mid-session. The same enrollment step runs if an un-enrolled member arrives through a password reset or a fresh invite, so there's no side door around the policy.
Sessions and sign-out: what changing or resetting a password does to other devices
Your session is a single HttpOnly cookie — it can't be read by scripts, and it's only sent back to Pishik. Here's exactly which actions end which sessions, so you always know where you're still signed in.
| You do this… | …and this happens to sessions |
|---|---|
| Change your password (Settings → Your profile → Security) | Signs you out on every other device. Your current session stays active. Requires your current password. |
| Reset your password (forgot-password link from the sign-in screen) | Signs out every session, including the one you're using — then you sign in fresh. If you have 2FA, you must present a code or backup code during the reset too. |
| An admin sends you a reset link | Same as a self-service reset: all existing sessions end once you set the new password. |
| Turn on two-factor | Signs you out on every other device; your current session stays. |
| Sign out | Ends the current session only. |
| Your workspace is suspended | Every session goes dark at once, along with sign-in and any outstanding review links. |
Changing your password is the quickest way to boot a device you left signed in somewhere you shouldn't have. The step-by-step for changing it lives in Your profile: name, photo, and password.
By default, sessions are long-lived and quietly renew while you keep using Pishik, then expire on their own after 30 days. Workspaces that want stricter behavior can turn on automatic idle sign-out — see Session timeout below.
Session timeout: automatic idle sign-out
Admins can have Pishik automatically sign people out after a period of inactivity — useful for teams on shared or unattended machines, or wherever policy requires it.
You need: an admin or owner role, on a hosted (cloud) workspace.
- Open Settings → Security.
- Under Session timeout, pick an idle window — from 15 minutes to 8 hours — or Off.
How it behaves
- It counts inactivity, not time signed in. Working in Pishik keeps the session alive; walking away lets the clock run.
- It's enforced on the server. Once the idle window passes, the session is dead — a fresh sign-in (including two-factor, if enabled) is required. Leaving a tab open doesn't keep a session alive.
- It applies to everyone in the workspace, including admins, the moment you save the setting. People already past the idle window are asked to sign in again on their next action.
- Unsaved work is protected the usual way — Pishik saves as you go, so an idle sign-out doesn't lose edits that were already made.
How review links stay secure
Reviewers never log in — so the emailed link is the security. Pishik designs it like a credential, not a convenience.
- Personal and single-purpose. Every reviewer gets their own link, for their own decision, on one contract. It opens nothing else — not your workspace, not other documents, not other reviews.
- Nothing is recorded until the reviewer confirms. The Approve/Reject buttons in the email open a dedicated decision page; the decision is only saved when the reviewer confirms it there. Mail scanners and inbox tools that quietly fetch every link can't approve or reject a contract by accident.
- Single-use. Once a decision is confirmed, the link closes for good — reopening it just shows that it's already been used.
- Expiring. An unused link expires on its own after a set window from when it was sent (about 90 days by default). Every reminder you send refreshes that clock, so a nudge never points at a dead link.
- Reissued when a review restarts. Sending a rejected contract back to the reviewer, or revising and restarting the flow, mints a brand-new link and permanently retires the old one.
A link that's malformed, expired, or already used shows the reviewer a clear explanation — and everyone else a generic one, so nothing about your workspace leaks through the public door. Reviewers can read their side of this in Your review link is personal, single-use, and expires.
Where your data lives
The short version: Pishik stores the review, never the document. You can't leak what you never held.
Metadata only — never your files
Contracts enter Pishik as share links you paste from SharePoint, OneDrive, or Google Drive — there is no file upload. What Pishik keeps is workflow metadata: the links, the stages and reviewers, approvals and rejections, comments, timestamps, and the delivery log behind the Sent page. Your actual documents stay in your own storage the whole time; reviewers open them there, with exactly the rights your share link grants. (This is also why a whole workspace's data fits inside a small 2.5 MB metadata cap.)
Isolated per workspace
Every record is keyed to your organization, and every session binds a person to their own workspace. Reads and writes resolve through your organization's own store — never across tenants. If a workspace is ever closed or suspended, it fails closed: sign-in, active sessions, and any outstanding review links all stop answering at once.
Hosting you can see
Pishik runs on Microsoft Azure. Your workspace's address, data region, and tenant ID aren't buried in a contract — they're shown in the app at Settings → Security → Workspace.
Pishik is a private-beta product and holds no certifications such as SOC 2 or ISO 27001 — we describe only the architecture that actually ships. The full picture is on the Security & trust page.
The audit trail: what's recorded and who can see it
Pishik keeps a security-relevant event log so account and workspace changes are always accountable — recorded under the name of the person who actually did each thing.
What's recorded
- Accounts and roles — invites, role changes, ownership transfer, offboarding.
- Delegations, contract assignments, and reassignments.
- Comments and @mentions — including the original text of any removed comment.
- Profile changes, password changes, and two-factor changes (enable, disable, new backup codes, backup code used).
- Every data export — reading data out is logged as carefully as changing it.
Each contract additionally carries its own activity timeline — creation, stage changes, decisions, reminders, emails, status updates, signing, and archiving — visible to anyone with access to that contract.
True-actor attribution
Nobody is ever logged as somebody else. An admin working inside a teammate's workspace is recorded as themselves, with a context label. A delegate covering someone's leave is logged under their own name. And when a decision is recorded on a reviewer's behalf, it's attributed to the person who entered it — the reviewer's own comment box stays locked. See Record a decision on a reviewer's behalf.
Who can see it
You need: an admin or owner role. The workspace audit log lives at Settings → Security → Audit log, newest first, with Show older events to page back through the full history. Regular members don't see the workspace-wide log, but everyone can see the activity timeline on contracts they have access to.
Export and restore your data
No lock-in: leaving with everything is a supported feature, not a support ticket. There are three ways to get data out, and one way to bring a backup back in. Every export is written to the audit log.
Export your own data — any member
You don't need to be an admin to take a copy of your own work.
- Open Settings → My data (admins see this tab as Data & export).
- Press Export my data. You get a single .json file with your contracts and their activity history.
Export the whole workspace — admins
- You need: an admin or owner role. Open Settings → Data & export.
- Press Export data to download one .json with everything — contracts, reviewers, users, and settings. The row shows when you last exported.
To export a single, print-ready contract record (for filing or sharing outside Pishik), use the export on the contract itself — see Export a contract record.
Restore from a backup — admins
- In Settings → Data & export, press Import data and choose a previously exported workspace file.
- Confirm — this replaces the current workspace contents (contracts, reviewers, and settings) for everyone on your team.
Delete data: contracts, accounts, and closing a workspace
Because Pishik never holds your files, "deleting a document" always happens in your own storage — SharePoint, OneDrive, or Google Drive. Removing it there is enough to put the file beyond reach; Pishik only ever holds the record (the link and the workflow history), never the document.
Clear a contract off your board
The self-serve way to take a finished contract off your active board is to archive it — it moves into the Repository, where it stays searchable and can be restored at any time. Archiving is intentionally non-destructive: nothing is erased, so an archived contract still counts toward your workspace contract limit. Walk-through: Approve, track signatures, and archive.
Permanently remove a contract record or close a workspace
During the beta, permanent erasure of contract records — or of an entire hosted workspace and all its data — is handled by support. Contact us and we'll verify the request and process it for you. This is deliberate and permanent: once done, it can't be undone, so export anything you want to keep first (see Export and restore).
Removing a person
You don't delete a teammate outright — you offboard them, which archives their account and offers to hand their contracts to someone else. Nothing is lost, and they can be restored later. The full process is in Offboard a teammate.
If you're a reviewer (you don't have a Pishik account, you just got a review email) and want your contact details removed, see Privacy for reviewers.