About Evisort
Evisort, a Workday company, delivers a complete, AI-native platform for end-to-end contract lifecycle management, including the first large language model built specifically for contracts. The Evisort team selected AuthZed Dedicated to deliver a secure, scalable, and reliable authorization service that centralizes and unifies access control across all contract lifecycle stages, from pre-signature workflows to post-signature document management.
A Complex Challenge: Managing Permissions Across the Contract Lifecycle
Building a scalable permissions system for millions of documents and supporting a wide range of user personas presented a challenge for Evisort. Initially, the team developed two separate permissions systems with two different authorization models: role-based access control (RBAC) for pre-signature workflows and access control lists (ACLs) for post-signature document storage.
These independent systems made updating permissions cumbersome and error-prone, requiring coordination across teams to modify multiple areas of the codebase, resulting in extended engineering timelines and blocked feature development. Additionally, the hardcoded authorization logic became increasingly verbose and complex to audit as the product grew.
Derek Li, Founding Engineer at Evisort, explained, "The hardcoded permissions made it difficult to understand access levels across the system. It was challenging to determine who had access to what, especially with definitions scattered throughout the codebase."
Evisort needed a flexible, scalable, and centralized authorization solution. Building such a system in-house would have diverted resources from their core product, so they began researching other approaches.
Reflecting on these challenges, Derek shared:
"Once we identified the problem, we realized building authorization ourselves wasn't practical. We were hitting system limits, and it was becoming increasingly difficult to manage. We needed to focus on our legal products, not authorization. That's when we decided to look for existing solutions."
Single Solution: SpiceDB
Evisort found Google's publication about its internal authorization service, Zanzibar, to be an ideal template for building a scalable and consistent authorization service. After evaluating various open source Zanzibar implementations, they identified SpiceDB as the most mature option, thanks to its flexible and intuitive schema design, strong consistency guarantees, and efficient caching mechanisms that ensured both scalability and reliable authorization decisions.
With SpiceDB's declarative schema language, Evisort could define subjects, resources, relationships, and permissions for both RBAC and ACL models in a centralized, human-readable format. Because permission definitions became easy to review and modify, engineers could envision a clear path to implementing complex collaborative features.
“SpiceDB came up early in our search,” Derek shared. “There were a few things that were really compelling. I loved having the playground to test things out; it was fun to work with. We also really liked the way you define your schema with SpiceDB. We looked at other options, but their schema designs didn’t work the same way. None of them were actually competing in this space, in my opinion.”
Given the sensitive nature of legal documents, ensuring secure access control and protecting data privacy is Evisort’s top priority. Adopting SpiceDB meant Evisort didn't need to compromise on their requirements for strongly consistent authorization decisions or highly performant queries. SpiceDB's graph-based ReBAC authorization engine efficiently computes complex queries while maintaining consistency guarantees through a range of caching strategies and tunable consistency features, such as ZedTokens.
AuthZed Dedicated: Secure Authorization at Scale
To speed up development and reduce operational overhead, Evisort chose to purchase AuthZed Dedicated: a private, fully isolated SaaS service that delivers SpiceDB at scale, alleviating the burden of internally managing complex distributed permissions systems.
As Derek put it, “It was a cost-benefit analysis. At the time, we were a startup with a small staff and deadlines to hit, and we wanted to move quickly. It just made sense to use AuthZed Dedicated. We were also impressed with AuthZed’s disaster recovery plans and security stance. We spend a lot of time thinking about those things because we’re in the legal space, and for every question we asked, AuthZed had an answer. They already had solutions and procedures in place, so we were comfortable with AuthZed hosting SpiceDB.”
The AuthZed customer success team worked closely with Derek’s team to ensure that their SpiceDB implementation process went as smoothly as possible. After successfully building a proof of concept that managed millions of relationships, Evisort began migrating other existing services.
“The implementation itself was rather straightforward,” Derek noted. “The initial planning took about one or two months due to the legacy code we had to address. We structured things so that new clients could adopt the SpiceDB solution right away, allowing us to give some clients access within three months. We went into full production within five months.”
With AuthZed Dedicated, Evisort developers no longer needed to build or maintain authorization services themselves.
“It was easy to convince engineers to adopt the service because they didn’t want to be responsible for writing sensitive authz code,” Derek said.
Extending AuthZed to More Services
With AuthZed Dedicated running in production, Evisort now relies on a scalable, secure, and reliable authorization service that combines the flexibility of SpiceDB with the operational efficiency of a private SaaS solution.
The new centralized permissions system streamlines the process of shipping new features. Engineers can simply update the SpiceDB schema and add relationships instead of dealing with scattered legacy code. “We’re working on the permissions now, and it’s getting complicated,” Derek said. “In the old system, doing this would have been impossible; it’s crazy to think about the complexity. With AuthZed, it’s easy to define the schema and rules.”
Having successfully implemented SpiceDB as a replacement for the RBAC-based model for pre-signature workflows, Evisort now plans to migrate internal tools and the legacy ACL-based document management system to the new SpiceDB permissions system.
Evisort's journey demonstrates how a centralized, flexible, and scalable permissions system can empower development teams to quickly deliver features that enable secure collaboration on sensitive documents for end users.