How we handle your data.
Agreement Data refers to the data related to a contract, notice, disclosure, or other record or document generated using or deposited into the Ink. Service for processing — the PDF bytes you upload, the fields you place, the signers you nominate, the values they enter, the timestamps + IP addresses captured in the audit trail, and the Certificate of Completion that travels with every signed PDF.
This page answers the practical questions prospects and customers ask us about who sees Agreement Data, where it lives, how long it stays, and how to get it out. The contractually binding versions of these commitments live in our Terms of Service (§08, Our access to your data) and our Privacy Policy (§07, Our access to your data). Where this page and those documents disagree, the legal documents win — and they are written more strictly than this page, not less.
Security & access
How is Ink. protecting my data?
Agreement Data is encrypted at rest using AES-256 at the storage layer (Supabase Storage in AWS ca-central-1 / Montréal) and at the database layer (Postgres tablespace encryption). It travels over TLS 1.2+ between the browser, the database, the Edge Functions, and the storage bucket — there is no intermediate region or relay, no replication outside Canada, and no marketing CDN that sees your data.
At the application layer, every row of Agreement Data is gated by Postgres Row-Level Security scoped to the tenant membership of the requesting session. A request that does not carry a session associated with your tenant cannot read your rows — RLS denies it at the database, not at the application, so an application-layer bug cannot leak across tenants. Cross-device signer links (the URLs you send to recipients) carry an HMAC v2 token bound to a single signer; the token is validated server-side with a timing-safe equality check before a signed URL is issued for any byte of Agreement Data.
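The signer-link check described above, as an added Node.js example that is not Ink.'s own code. The `v2.<payload>.<tag>` layout, the claim names (`sid`, `env`, `exp`), the use of HMAC-SHA256 and the demo key are all assumptions made for illustration; the page does not publish the real token format.

```javascript
// Added example: token layout, claim names and key are assumptions,
// not Ink.'s actual "HMAC v2" format.
const crypto = require("node:crypto");

const KEY = Buffer.from("constructed-demo-key-not-a-real-secret"); // constructed

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const mac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

// Mint "v2.<payload>.<tag>". The MAC covers version + payload, so neither the
// signer id nor the expiry can be changed without the server-side key.
function mintSignerToken(key, signerId, envelopeId, expiresAtMs) {
  const payload = b64u(JSON.stringify({ sid: signerId, env: envelopeId, exp: expiresAtMs }));
  const signed = `v2.${payload}`;
  return `${signed}.${b64u(mac(key, signed))}`;
}

// Returns the claims only if the tag verifies AND the token is bound to the
// signer/envelope being requested AND it has not expired; otherwise null.
function verifySignerToken(key, token, signerId, envelopeId, nowMs) {
  const parts = String(token).split(".");
  if (parts.length !== 3 || parts[0] !== "v2") return null;
  const expected = mac(key, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first
  // (the tag length is public, so this leaks nothing useful).
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // Parse the payload only after the MAC has been verified.
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (claims.sid !== signerId || claims.env !== envelopeId) return null;
  if (typeof claims.exp !== "number" || nowMs >= claims.exp) return null;
  return claims;
}
```

The server would mint the signed URL for the PDF only when `verifySignerToken` returns claims; every failure path returns the same `null` so the caller cannot tell which check rejected the link.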
What security standards does Ink. follow?
Ink. aligns its security program to PIPEDA (Personal Information Protection and Electronic Documents Act) at the federal level and to Quebec Law 25 (the Act respecting the protection of personal information in the private sector, as amended by Bill 64) at the provincial level. Both are written into the audit certificate that ships with every signed PDF.
We are not yet ISO 27001 or SOC 2 certified. We are a smaller team and the cost of those certifications would land on your invoice. When the customer base supports it, both certifications are on the public roadmap. Until then, we rely on the same technical controls those frameworks audit for — encryption at rest and in transit, separation of environments, multi-factor authentication on privileged accounts, audit logging of administrative actions, principle of least privilege on the service-role key, and quarterly review of the privileged-access logs.
Who can access my data?
Ink. personnel will not view, read, search, copy, or export the contents of your Agreement Data in the ordinary course of operating the Service. Not for product development, not for sales, not for analytics, not for model training, not for “QA,” and not out of curiosity. This is an operational policy enforced by access controls and audit logging, contractually binding through our Terms of Service §08.
We will be honest about what is technically possible. Ink. is a Software-as-a-Service platform; our engineers hold the database and storage service-role keys required to operate it, and those keys bypass the Row-Level Security that protects you from other tenants. Whether or not we ever use those keys against your workspace is therefore a question of policy, not capability. Our policy is the following.
Privileged access to a specific workspace, document, signer record, or audit row is taken only in one of these three situations:
- You asked us to. A support ticket from you references a specific artifact (a stuck send, a signer who cannot open a link, a misconfigured field), and that artifact is what we look at. We do not browse adjacent workspace state.
- We are legally compelled to. A court order, search warrant, subpoena, or equivalent binding instrument issued by a court of competent jurisdiction in Canada requires production of specific records. We notify you unless legally prohibited and we challenge over-broad or extraterritorial requests.
- An active security investigation requires it. A credible signal of abuse, account compromise, or ongoing breach affecting your workspace or the Service overall. Access is the minimum necessary to scope and contain the incident; the justification is recorded.
We maintain an internal written record of privileged access taken in response to a support ticket, legal compulsion, or security investigation. We are working toward an append-only system log that records who accessed what and when as a first-class signal; until that is in place, the record is the engineer's log entry filed against the ticket or incident that authorised the access.
Automated Edge Functions and webhook handlers that move data between Ink. components (for example, the cross-device signing handler that mints a signed URL for the baked PDF a recipient should see, or the Stripe webhook that updates your plan when a checkout completes) run under service-role credentials by necessity. Their scope is fixed in code that we are happy to walk a customer through on request, and no human reads what they touch. They do not constitute privileged access for the purposes of this commitment.
Data retention & storage
How can I delete data from my Ink. account?
You control deletion of every piece of Agreement Data inside your workspace, from the workspace UI:
- Per-document delete from the document workspace ⋯ menu (sends the row to Trash; thirty-day soft-delete grace period before purge).
- Trash purge from /app/documents/trash, individually or in bulk.
- Template delete from /app/templates with the same soft-delete grace.
- Workspace deletion from /app/profile → workspace settings — initiates the workspace-wide purge sequence described below.
On workspace deletion, your data remains available for a re-activation window of up to ninety (90) days. After that window we permanently delete tenant data from the authoritative database and storage on request or on our next scheduled purge pass. Encrypted backup snapshots, where present, roll off according to the backup retention policy with our infrastructure provider. The Certificate of Completion that travelled with already-sealed PDFs in your recipients' possession is not affected by workspace deletion — those PDFs live wherever the recipient stored them and contain their own self-contained audit record.
Can I control how long my documents are kept on Ink.?
Workspace-wide document retention is set in the Trust Center (/app/compliance → Document retention). Options are 2 / 5 / 7 / 10 / 15 years, with seven years as the default. The setting applies to new envelopes from the moment of change; previously-sealed envelopes keep the retention policy that was active when they sealed.
Per-document expiry can also be configured at send time (Send for signature → Schedule → expire after) and is independent of the workspace retention. An expired unsigned envelope is voided automatically; a signed envelope retains the audit cert for the workspace retention period regardless of its expiry.
Where is my data physically stored?
One region: AWS ca-central-1 (Montréal, Canada). That is the entire residency story. We do not operate regional pods. Documents, signers, audit events, brand assets, contacts, signing groups, attachments — every byte of Agreement Data is stored in the Supabase project provisioned in that single AWS region.
We do this intentionally. The most common compliance ask we get from Canadian customers is “guarantee that no part of our agreement record routes through, or rests in, a US data center.” Operating only in ca-central-1 lets us answer that with one word. Multi-region availability is not a feature we are working on.
Privacy & compliance
How does Ink. prioritize privacy regulations like PIPEDA?
Ink.'s product, contracts, and operations are built to PIPEDA (federal) and Quebec Law 25 (provincial) compliance. Both regimes assume Canadian residency, recognise electronic signatures as enforceable under the federal Personal Information Protection and Electronic Documents Act, and require organisations to designate a person responsible for privacy (Quebec Law 25 calls this person the “Person in Charge of the Protection of Personal Information”). Ink. has designated this role internally. The contact is privacy@inksign.ca.
Where a customer is subject to provincial public-sector privacy law (Quebec's Public Sector Act, BC's FOIPPA, Alberta's FOIP, etc.) we will sign a province-specific DPA on request. Email legal@inksign.ca.
How can I submit a data privacy rights request regarding my personal data?
Under PIPEDA, Law 25, and equivalent provincial legislation you have the right to:
- Access the personal information we hold about you.
- Correct it where it is inaccurate or incomplete.
- Withdraw consent for processing, where consent is the legal basis, on reasonable notice.
- Request deletion of your account and the associated workspace data, subject to the retention rules in §02 above.
- Request data portability — you can download an individual signed PDF (with its embedded Certificate of Completion) directly from the workspace at any time, and we will work with you to scope and fulfil a broader workspace-level export on written request.
- Object to automated decision-making. Ink. does not currently make decisions about you using automated profiling.
- Lodge a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec.
To exercise any of these rights, email privacy@inksign.ca. We respond within thirty (30) days. If you are a signer (not an Ink. account holder) we may direct your request to the sender that dispatched the signing request, because they are the data controller for that document. These rights apply to personal data; they are not the mechanism for closing an Ink. account or deleting workspace-level service data — for those, use the in-app controls described in §02.
How is Ink. prioritizing privacy in its products & business practices?
We follow a privacy-by-design approach informed by the Office of the Privacy Commissioner of Canada's Privacy Guidance. Concretely:
- Every new feature that touches signer or document data requires an internal privacy review before it ships; the review is documented and retained.
- The data model collects the minimum needed to deliver the Service. We do not ship features that exfiltrate usage data for marketing analytics, third-party ad networks, or behavioural fingerprinting.
- We do not train models — ours or third parties' — on Agreement Data. The AI field-detection feature (when enabled by the sender) runs locally in your browser on the document you uploaded; bytes do not leave your browser for that detection pass.
- Ink. personnel keep current with PIPEDA and Quebec Law 25 guidance issued by the Office of the Privacy Commissioner of Canada and the Commission d'accès à l'information du Québec. Privileged access is reviewed against the policy in §01 above.
Does Ink. use third-party service providers (sub-processors)?
Yes. A small number of sub-processors are unavoidable for normal operation. Each is subject to a Data Processing Agreement (in most cases, the sub-processor's own standard DPA that we have accepted) and uses encryption in transit and at rest. The public list — kept in sync with the Service — is below:
| Sub-processor | Function | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage, Edge Functions | Canada (ca-central-1) |
| Wildbit / Postmark | Transactional email delivery (envelope metadata only) | USA |
| Stripe Payments Canada | Billing + card tokenisation | Canada |
| Netlify Inc. | Static site hosting + global CDN (no Agreement Data) | Global edge |
Postmark sees envelope metadata (sender + recipient name, email address, document title, signing URL) — never the PDF bytes. Stripe sees billing rows (plan, customer id, invoice history) — never Agreement Data. Netlify serves the static marketing site and the Next.js client bundle; the browser then queries the Canadian Supabase project directly. This is the residency wedge — the CDN never holds Agreement Data.
Where can I view your full privacy notice?
The full Privacy Policy is at inksign.ca/privacy. The Terms of Service are at inksign.ca/terms. The privacy officer can be reached at privacy@inksign.ca. Legal-process correspondence (subpoenas, court orders, law enforcement requests) should be sent to legal@inksign.ca.