unsubbed.co

Ackify

Released under AGPL-3.0, Ackify provides a proof-of-read platform for internal documents on self-hosted infrastructure.

Self-hosted document acknowledgment, honestly reviewed. Built for GDPR compliance teams, HR, and legal ops who are tired of “I didn’t see that email.”

TL;DR

  • What it is: Open-source (AGPL-3.0) proof-of-read platform — employees sign documents with Ed25519 cryptographic signatures, creating an immutable, legally defensible audit trail [1].
  • Who it’s for: Compliance officers, HR teams, and legal ops at small-to-mid companies that need to prove specific people read specific documents — GDPR acknowledgments, security policies, training attestations [1][2].
  • Cost savings: DocuSign Business Pro runs roughly $25/user/month. Ackify self-hosted runs on a $5–10/mo VPS. For a 50-person company that only needs internal policy acknowledgment, that’s over $1,200/year saved.
  • Key strength: Ed25519 cryptographic signatures plus database-enforced one-signature-per-document rules. This is not a checkbox — it’s a tamper-evident record [1].
  • Key weakness: 197 GitHub stars, French-origin project, minimal English community, zero third-party reviews available. This is early-stage software producing legally significant records. That combination warrants caution [1].

What is Ackify

Ackify answers one narrow question: “Can you prove that this specific person read this specific document?” Not “can you prove they received the email” — that’s delivery confirmation. Not “can you prove they clicked a button” — that’s a checkbox anyone can click past. Ackify generates Ed25519 cryptographic signatures per user per document, stored in PostgreSQL, creating a record that is mathematically tamper-evident [1].

The pitch from the GitHub README is blunt: “Proof of Read. Compliance made simple.” The full description: “Secure document reading validation with cryptographic signatures and irrefutable proof.” [1]

Use cases the project targets: security policy validation, training attestations, GDPR acknowledgment, contractual agreements, compliance procedures [1]. The common thread is internal compliance — situations where you need to demonstrate to a regulator, auditor, or court that named employees acknowledged named documents at a specific time.

The stack is Go 1.24.5 for the backend, Vue.js 3 for the admin dashboard, PostgreSQL for storage, and Docker Compose for deployment. The website domain is .eu, the homepage meta description is in French, and the README explicitly links a French-language README — indicating French-origin software built with EU regulatory context in mind, though the software itself supports five languages [1][2]. As of this review: 197 GitHub stars. That’s not a thriving open-source community — that’s a focused, young tool.


Why people choose it

No independent English-language reviews of Ackify exist at the time of this writing. What follows is based on the README, the website, and the problem domain Ackify sits in.

The internal compliance acknowledgment problem is real and consistently under-served. Most companies handle it with one of these:

Email + “reply to confirm” — Legally useless in most GDPR audit contexts. You have an email trail, not a signed acknowledgment.

LMS platforms (TalentLMS, Docebo) — $3–8/user/month, and primarily designed around course delivery. Using one just for policy acknowledgment means paying for a training management system to get a signing feature.

DocuSign or HelloSign — These are built for external contracts and legal e-signatures. They work for internal policy acknowledgment, but cost $15–25/user/month and introduce workflow friction that makes sense when signing vendor contracts, not when 80 employees need to acknowledge the updated remote work policy by Friday.

SharePoint or Confluence with custom workflows — Requires internal engineering, produces no cryptographic proof, can be modified by an admin after the fact.

Nothing — The most common option, until GDPR audit season arrives.

Ackify targets the gap between “nothing” and “full e-signature platform.” It’s scoped specifically for internal compliance — not external contracts. The cryptographic proof is stronger than what most LMS platforms provide, and the self-hosted model means audit records live on your infrastructure. That’s relevant when demonstrating GDPR compliance to a DPA that asks why employee acknowledgment data is stored in an American cloud [1][2].


Features

From the README [1]:

Core signing engine:

  • Ed25519 cryptographic signatures per user per document
  • One signature per user per document — database-enforced, no duplicates possible
  • Document checksum verification via SHA-256, SHA-512, or MD5 — confirms the document hasn’t been altered after signing
  • Immutable audit trail in PostgreSQL
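
The core signing rules listed above, sketched in Go (Ackify's backend language) as an added example: this is not Ackify's code, and the record layout, the Store map standing in for a UNIQUE (user, document) constraint, and all names are assumptions. It uses SHA-256 for the checksum, since MD5 is not collision-resistant, and shows that changing a stored field or the document after signing makes verification fail.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ack is a hypothetical acknowledgment record (not Ackify's schema).
type Ack struct {
	User, DocSHA256, SignedAt string
	Sig                       []byte
}

// payload is the exact byte string the signature covers.
func (a Ack) payload() []byte {
	return []byte(a.User + "\n" + a.DocSHA256 + "\n" + a.SignedAt)
}

// Store stands in for a table with UNIQUE (user, doc_sha256).
type Store map[string]Ack
var ErrDuplicate = errors.New("user already signed this document")

// Sign hashes doc, signs the record, and stores it once per user and document.
func (s Store) Sign(priv ed25519.PrivateKey, user string, doc []byte, at string) (Ack, error) {
	sum := sha256.Sum256(doc)
	a := Ack{User: user, DocSHA256: hex.EncodeToString(sum[:]), SignedAt: at}
	if _, dup := s[user+"|"+a.DocSHA256]; dup {
		return Ack{}, ErrDuplicate
	}
	a.Sig = ed25519.Sign(priv, a.payload())
	s[user+"|"+a.DocSHA256] = a
	return a, nil
}

// Verify needs only the public key: it checks doc against the signed checksum, then the signature.
func Verify(pub ed25519.PublicKey, a Ack, doc []byte) bool {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:]) == a.DocSHA256 && ed25519.Verify(pub, a.payload(), a.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	doc := []byte("Remote work policy v2 (constructed sample)")
	a, _ := Store{}.Sign(priv, "alice@example.com", doc, "2025-01-01T09:00:00Z")
	ok := Verify(pub, a, doc)
	a.SignedAt = "2024-01-01T09:00:00Z" // simulate a row edited after signing
	fmt.Println("original:", ok, "edited row:", Verify(pub, a, doc))
}
```

The tamper evidence shown here holds only against someone who cannot reach the private key, so where the signing key is kept decides who could re-sign an edited row.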

Authentication:

  • OAuth2: Google, GitHub, GitLab, or any custom OAuth2 provider
  • MagicLink (passwordless email) — signers authenticate via email link with no password required
  • Both methods can run simultaneously on the same instance

Document workflow:

  • Expected signers list — define who must sign, track completion
  • Email reminders to pending signers
  • Optional document storage: local filesystem or any S3-compatible backend (AWS S3, MinIO, Backblaze B2, Cloudflare R2)
  • Admin dashboard with dark mode

Embeddability and integration:

  • Public embeddable widgets — drop a signing widget directly into Notion, Outline, or any iframe-capable tool
  • REST API for integration with existing HR or compliance systems

Multilingual: French, English, Spanish, German, Italian [1]

What the README doesn’t mention:

  • No SAML/SSO — this is not an enterprise IAM-integrated tool
  • No documented webhook support
  • No bulk signing or template system
  • No export formats for audit records (CSV, PDF for regulators) — this is a meaningful gap for compliance use cases
  • No documented version upgrade path — significant for a tool holding legal records

Pricing: SaaS vs self-hosted math

Ackify describes itself as an open-source, self-hosted tool. At the time of this review, no SaaS pricing tier is published on the website or README [2]. You are deploying and managing this yourself.

Self-hosted cost:

  • License: AGPL-3.0 ($0 for internal use)
  • VPS: $5–10/month (2GB RAM is sufficient for small orgs)
  • PostgreSQL: bundled in Docker Compose
  • SMTP: free tier from Resend, Mailgun, or Postmark for low-volume reminders
  • Effective annual cost: ~$60–120/year

Alternatives for context (pricing from public pages, not Ackify comparisons):

Tool | Fit for internal acknowledgment | Approximate cost (50 users)
DocuSign Business Pro | Works, but designed for contracts | ~$1,500/yr
HelloSign Essentials | Works, limited internal workflow | ~$900/yr
TalentLMS (Starter) | Requires full LMS adoption | ~$1,200/yr
Ackify self-hosted | Purpose-built for this | ~$72–120/yr (VPS only)

The savings aren’t subtle. The question is whether a 197-star project with no public case studies is a safe bet as your compliance record store — and whether your team will maintain it.


Deployment reality check

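The README install path is clean. One curl command fetches an installation script from the repository's main branch and executes it directly with bash, so read the script first if you want to know what will run on your host. The script downloads compose.yml, generates AES-256 session secrets and a PostgreSQL password automatically, and outputs a .env you then fill with OAuth2 credentials [1]: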

bash <(curl -fsSL https://raw.githubusercontent.com/kolapsis/ackify/main/install/install.sh)
cd ackify-ce
nano .env
docker compose up -d

Health check endpoint is documented: curl http://localhost:8080/api/v1/health returns {"status":"healthy","database":"connected"} on a working instance [1].

What you need:

  • Docker and Docker Compose
  • At least one auth method: OAuth2 app credentials (Google/GitHub/GitLab) or SMTP server for MagicLink
  • A domain and reverse proxy (nginx or Caddy) for HTTPS
  • 1–2GB RAM

What can go wrong:

The project has 197 stars and no visible English-language community. No Stack Overflow questions, no forum, no Discord. If the README doesn’t answer your question, you’re reading Go source code.

The website’s homepage body content scrapes as “Skip to content” — suggesting documentation depth beyond the README is limited at this stage [2].

No documented upgrade path between versions. For a tool holding compliance records, this is more than a minor inconvenience — it’s a data integrity risk if you’re upgrading in a GDPR audit context.

AGPL-3.0 is fine for internal use but check with legal if you plan to build a product on top of it.

Realistic setup time: 20–45 minutes for someone comfortable with Docker. OAuth2 app registration in Google Console or GitHub adds 15 minutes if you haven’t done it before. MagicLink requires SMTP credentials.


Pros and cons

Pros

  • Cryptographic-grade proof. Ed25519 signatures are mathematically verifiable and tamper-evident — stronger than checkbox-based acknowledgment in most LMS or HRIS platforms [1].
  • Exactly scoped. Does one thing: proves people acknowledged documents. No feature bloat around course delivery, contract lifecycle, or HR records.
  • Automated installation. Script generates secrets and outputs a ready-to-configure .env. Lower barrier than most self-hosted compliance tools [1].
  • Embeddable signing widgets. Drop a signing widget into Notion or Outline pages — useful for teams that live in wikis and don’t want a separate portal [1].
  • S3-compatible document storage. Documents can go to MinIO, Backblaze B2, Cloudflare R2, or any S3-compatible backend [1].
  • Flexible auth. OAuth2 (Google, GitHub, GitLab, custom) plus passwordless MagicLink simultaneously. Signers don’t create new passwords [1].
  • AGPL = free for internal use. No licensing cost for private internal compliance tooling [1].

Cons

  • 197 GitHub stars. No track record. No case studies. No “Ackify held up during an EU regulatory audit” stories. For compliance tooling that produces legally significant records, this is the central risk.
  • French-origin, limited English community. The README is in English but troubleshooting resources in English are essentially absent. No public forum, Discord, or Slack [1][2].
  • No SSO or SAML. Enterprise identity management — Okta, Azure AD, LDAP — isn’t supported. Google OAuth works, enterprise identity doesn’t [1].
  • No documented audit record export. An immutable trail in PostgreSQL is good. Handing a PDF attestation report to an auditor is better. Export formats aren’t documented [1].
  • No documented upgrade path. Migrating compliance records between versions is non-trivial and isn’t addressed in the README [1].
  • No SaaS tier. If your team can’t maintain infrastructure, there’s no managed option [2].
  • AGPL copyleft. Any modifications you distribute require source disclosure. Irrelevant for internal use; check with legal for any commercial product [1].

Who should use this / who shouldn’t

Use Ackify if:

  • You’re an EU company needing GDPR acknowledgment records for employees — privacy notices, data processing agreements, security policies.
  • You’re running security awareness programs and need proof that employees read the policy, not just that you sent it.
  • You have 10–200 employees and don’t want to pay DocuSign or LMS rates for internal-only acknowledgment workflows.
  • Someone on your team can deploy and maintain a Docker Compose service.
  • You use Google, GitHub, or GitLab for identity.

Skip it (use DocuSign or HelloSign) if:

  • You need external contract signing with legal e-signature compliance (eIDAS, ESIGN Act). Ackify is built for internal acknowledgment, not binding contracts with external counterparties.
  • Your compliance auditor requires a recognized e-signature platform with established legal precedent and commercial support.

Skip it (use your existing LMS) if:

  • You already pay for TalentLMS, Docebo, or Cornerstone — most include acknowledgment tracking. Adding a separate tool for a feature you already have doesn’t make sense.

Skip it entirely if:

  • You need enterprise SSO, SAML, or LDAP integration.
  • Your team can’t maintain a Docker service with regular backups. Compliance records need reliable uptime — don’t self-host if you won’t maintain it.
  • You need an auditable record with documented export formats for regulatory submission. That feature isn’t documented yet.

Alternatives worth considering

  • DocuSign — the category leader for legal e-signatures. Overkill and expensive for internal-only acknowledgment, but unmatched for external contracts and established legal precedent.
  • HelloSign (Dropbox Sign) — lighter than DocuSign, similar use case. Closed source, SaaS.
  • OpenSign — open-source e-signature platform with broader document signing capabilities, more GitHub stars (~4K), more active community.
  • Docuseal — MIT-licensed open-source e-signature with more established deployment history. More stars (~8K), active community, broader document signing scope.
  • Your LMS — if you already run compliance training through Moodle, TalentLMS, or similar, check if attestation tracking is built in before adding a standalone tool.
  • Custom implementation — for organizations with engineering capacity, a PostgreSQL table with signed acknowledgment timestamps and a simple form provides similar proof without software dependency risk.

For EU/GDPR-specific internal acknowledgment at small-to-mid scale, Ackify is the most purpose-built option. For anything requiring external signers, enterprise identity, or established legal precedent, look at DocuSign or OpenSign.


Bottom line

Ackify addresses a real, specific gap: cryptographically verifiable proof that employees acknowledged a document, self-hosted on your own infrastructure, at near-zero licensing cost. The Ed25519 signing architecture is genuinely stronger than what most HR platforms offer, and the Docker deployment is clean. The honest caveat is that this is a young, early-stage project — 197 stars, no English-language community, no third-party reviews, no documented upgrade path, and no audit record export. For a tool intended to produce records that may one day be handed to a GDPR supervisory authority, that immaturity is the primary risk. If you have a real internal compliance problem, a technical person who can maintain a container, and you’ve accepted that you’re an early adopter without a support net, Ackify is worth an afternoon of evaluation. If any of those conditions don’t hold, the savings don’t justify the exposure.


Sources

  1. Ackify GitHub Repository — README and project metadata (197 stars, AGPL-3.0 license, Go 1.24.5). https://github.com/kolapsis/ackify
  2. Ackify Official Website: “Ackify — Proof of Read & GDPR Compliance Software”. https://ackify.eu
