TRUST & COMPLIANCE
Where we actually stand.
We would rather tell your security team the precise truth than print a wall of badges. Here is what is implemented today, what is in progress, and every document you can request before you buy.
FRAMEWORK STATUS
The frameworks you’ll ask about.
SOC 2 Type II
Security, Availability, and Confidentiality criteria
The technical controls an auditor tests are already implemented. We are formalizing the policy set and evidence collection ahead of the observation window. We will not describe the platform as SOC 2 attested until a report exists, which we will share under NDA.
GDPR
For customers with EU and EEA data subjects
A Data Processing Agreement is available, subprocessors are published, and customer-initiated deletion removes both rows and files. Records of processing and the data subject request workflow are being finalized with counsel before we describe the platform as GDPR compliant.
CCPA / CPRA
For California consumers and business contacts
Our privacy notice sets out the categories collected, purposes, and consumer rights. We do not sell personal information. The rights intake and service-provider terms are being confirmed with counsel before we describe the platform as CCPA compliant.
SOC 2 is an attestation issued by a licensed CPA firm after an audit, not a self-declared status. GDPR and CCPA have no government certification. We describe a framework as satisfied only when we can show you the evidence.
CONTROLS
The controls behind the status.
These are the technical controls a SOC 2 auditor tests. Most are the foundation the platform was built on, so the gap to attestation is evidence and policy, not new engineering.
Database-level tenant isolation
Postgres row-level security enforces the organization boundary on every query. Buggy app code cannot cross a tenant.
TOTP multi-factor for admins
Platform administrators step up to AAL2. MFA is available to every customer organization.
Encryption in transit and at rest
TLS everywhere, database and storage encrypted at rest, secrets in server-side environment variables only.
Full audit logging
Every view, download, create, update, and delete of contract data is recorded with actor, action, entity, org, IP, and user agent.
Signed, short-lived downloads
Files are served only through signed URLs that expire in roughly 60 seconds. There is no public link to any customer file.
Deletion removes rows and files
Customers can delete their contracts, and deletion clears both the database rows and the stored objects.
Upload validation and signature checks
Uploads are type-restricted, size-capped, and checked against the file's actual byte signature, not just its extension.
Independent penetration test
A third-party penetration test and remediation cycle is scheduled ahead of the SOC 2 observation window.
DOCUMENTS
Everything for the review.
Security overview
The architecture, the isolation model, and the control set in detail.
Security & data FAQ
Contract handling step by step, data lifecycle, and how the AI uses your data.
Data Processing Agreement
The terms under which we process personal data on your behalf.
Subprocessors
Every third party that touches the service, what it does, and the data it handles.
Privacy notice
What we collect, why, how long we keep it, and your rights.
Responsible disclosure
How to report a vulnerability, with safe harbor for good-faith research.
REQUEST ACCESS
Verify it for yourself.
Security teams can request the completed security questionnaire, the SOC 2 report and penetration test summary, our DPA and subprocessor list, and our policies. We review each request and send a secure, NDA-gated link to a document room. The room expires, can be revoked, and logs every open.
- Scoped, time-limited link, no account required.
- Click-through NDA captured before anything opens.
- Short-lived signed downloads, every access audit logged.
Ask us the hard questions.
We complete security questionnaires, walk your team through the isolation model live, and tell you plainly what is and isn’t done.
Request access