Append-only history
Signatures cannot be deleted. Every record is preserved with timestamp, hash, and session evidence.
Install a GitHub App, upload your CLA in Markdown, and every pull request is checked automatically. Signatures are tracked by immutable GitHub ID and SHA-256 content hash. Self-hostable. MIT licensed.
Free and open source. Next.js + PostgreSQL. No vendor lock-in. Works with merge queues.
Setup takes less time than writing the CLA itself.
Sign in as an org admin, install CLA Bot, and select which repositories to monitor.
Paste your agreement in Markdown. Every version is tracked by its SHA-256 hash.
Non-members get signing guidance. Checks update automatically after signature.
Merge queues, bot accounts, policy changes, manual re-checks — covered.
Signatures are cryptographically versioned and immutably stored. Both admins and contributors can download records.
No delete endpoints exist for signature data. Records are append-only at the database level.
Each CLA version is identified by its SHA-256 hash. Text changes produce a new hash and trigger re-signing.
Signatures are keyed by GitHub user ID, not username. Renames never break compliance records.
Contributors download every CLA version they signed. Admins download current and archived versions.
MIT licensed. Deploy on your own infrastructure with full control over data residency. The entire stack is Next.js, PostgreSQL, and Drizzle ORM.
Next.js. PostgreSQL. Drizzle ORM. GitHub App API. Vercel-ready.
Manage agreements, view signer history, toggle enforcement, and handle CLA version transitions.
Read, sign, and track agreement versions. Re-sign prompts appear automatically when a newer CLA is published.