TRUST & COMPLIANCE

Where we actually stand.

We would rather tell your security team the precise truth than print a wall of badges. Here is what is implemented today, what is in progress, and every document you can request before you buy.

FRAMEWORK STATUS

The frameworks you’ll ask about.

SOC 2 Type II

Security, Availability, and Confidentiality criteria

In progress

The technical controls an auditor tests are already implemented. We are formalizing the policy set and evidence collection ahead of the observation window. We will not describe the platform as SOC 2 attested until a report exists, which we will share under NDA.

GDPR

For customers with EU and EEA data subjects

In progress

A Data Processing Agreement is available, subprocessors are published, and customer-initiated deletion removes both rows and files. Records of processing and the data subject request workflow are being finalized with counsel before we describe the platform as GDPR compliant.

CCPA / CPRA

For California consumers and business contacts

In progress

Our privacy notice sets out the categories collected, purposes, and consumer rights. We do not sell personal information. The rights intake and service-provider terms are being confirmed with counsel before we describe the platform as CCPA compliant.

SOC 2 is an attestation issued by a licensed CPA firm after an audit, not a self-declared status. GDPR and CCPA have no government certification. We describe a framework as satisfied only when we can show you the evidence.

CONTROLS

The controls behind the status.

These are the technical controls a SOC 2 auditor tests. Most are the foundation the platform was built on, so the gap to attestation is evidence and policy, not new engineering.

In place

Database-level tenant isolation

Postgres row-level security enforces the organization boundary on every query. Buggy app code cannot cross a tenant.

In place

TOTP multi-factor for admins

Platform administrators step up to AAL2. MFA is available to every customer organization.

In place

Encryption in transit and at rest

TLS everywhere, database and storage encrypted at rest, secrets in server-side environment variables only.

In place

Full audit logging

Every view, download, create, update, and delete of contract data is recorded with actor, action, entity, org, IP, and user agent.

In place

Signed, short-lived downloads

Files are served only through signed URLs that expire in roughly 60 seconds. There is no public link to any customer file.

In place

Deletion removes rows and files

Customers can delete their contracts, and deletion clears both the database rows and the stored objects.

In place

Upload validation and signature checks

Uploads are type-restricted, size-capped, and checked against the file's actual byte signature, not just its extension.

Planned

Independent penetration test

A third-party penetration test and remediation cycle is scheduled ahead of the SOC 2 observation window.

DOCUMENTS

Everything for the review.

REQUEST ACCESS

Verify it for yourself.

Security teams can request the completed security questionnaire, the SOC 2 report and penetration test summary, our DPA and subprocessor list, and our policies. We review each request and send a secure, NDA-gated link to a document room. The room expires, can be revoked, and logs every open.

  • Scoped, time-limited link, no account required.
  • Click-through NDA captured before anything opens.
  • Short-lived signed downloads, every access audit logged.

Documents are shared under NDA through a secure, expiring link. Every access is logged.

Ask us the hard questions.

We complete security questionnaires, walk your team through the isolation model live, and tell you plainly what is and isn’t done.

Request access