SECURITY
Built for the documents you’d never email.
Your contracts are the most commercially sensitive documents your company holds. Security was the first requirement of this platform, not a hardening pass at the end, isolation lives in the database, access is proven, and everything is logged.
ARCHITECTURE
Isolation enforced by the database, not the app.
Most breaches of multitenant apps happen in application code. Ours is designed so that even buggy application code cannot cross a tenant boundary.
Row-level tenant isolation
Every customer table carries your organization ID, and Postgres row-level security policies enforce the boundary on every query. One org can never read another's rows, the database itself refuses.
Private file storage
Contracts live in private buckets with storage policies mirroring the same org rule. There is no public URL to any customer file, ever.
60-second signed downloads
Every file download uses a signed URL that expires in about a minute. A leaked link is dead before it can be abused.
Encrypted everywhere
TLS for everything in transit; database and storage encrypted at rest. No secret is ever stored in the codebase, keys live in server-side environment variables only.
Hardened headers
HSTS, a strict per-request Content-Security-Policy with nonces, nosniff, and frame-deny on every response.
Rate limiting
Authentication, upload, and AI routes are rate-limited per user and per IP, with per-key limits on the public API.
IDENTITY & ACCESS
The right people, proven.
Access control that assumes credentials get phished and roles get misassigned, and limits the blast radius of both.
TOTP multi-factor auth
App-based MFA for all users with session step-up enforcement, and mandatory for every member of our own staff.
SCIM 2.0 provisioning
Okta, Microsoft Entra, or any SCIM-capable IdP provisions and deactivates users automatically, offboarding in your directory is offboarding here.
Role-based access
Owner and member roles per organization, managed by your own org owners. Sensitive actions like member management and deletions are owner-only.
Admin rights can't be self-assigned
Platform staff access lives in a separate table that no customer-facing code path can write to. There is no privilege-escalation route from a customer account.
Per-contract access control
Restrict individual contracts to named people within your own organization, need-to-know inside the tenant boundary too.
Hashed, expiring API credentials
API keys and SCIM tokens are stored as SHA-256 hashes and expire within a year. We can verify them; nobody can read them back.
Enforced SSO
Switch on Require SSO and password and magic-link sign-in are refused for your domain. Owners keep a break-glass path so a broken IdP cannot lock you out.
Session control
See every device your account is signed in on, revoke any one, or sign out everywhere else. A sign-in from a new device emails you the same minute.
Breached-password screening
New passwords need 12 characters and are checked against known breach corpora with a privacy-preserving query before they are accepted.
DATA PROTECTION
Your contracts, accounted for.
Complete accountability for every byte you give us, on the way in, at rest, and on the way out.
Upload validation
Allowed document types only, a 40 MB cap, and a file-signature check on the actual bytes, a renamed executable doesn't get in because the extension says PDF.
Full audit trail
Every view, download, create, update, and delete of contract data is logged with actor, action, entity, organization, IP, and user agent. Analyst access to your files is logged the same way.
Real deletion
When you delete a contract, both the database records and the stored files are removed. Deletion is a data path, not a support ticket.
Confidentiality scanner
Anything shared outside your organization is scanned for sensitive terms first, and external share links expire.
AI without training
AI features run against your tenant-isolated data at request time. Your contracts are never used to train models, ours or anyone else's.
Anonymized benchmarks
Benchmark aggregates are pooled and anonymized. Nothing that could identify your company, contract, or terms is ever exposed to another customer.
Audit stream to your SIEM
Signed batches of audit events push to your SIEM every 15 minutes, and owners can export the complete history as CSV any time.
Automatic security alerts
An hourly detector reads the audit trail and emails your owners when one account's downloads, exports, or permission changes look unusual.
INTEGRATION SECURITY
Connected, without becoming the weak link.
Every connector, webhook, and inbound channel is authenticated in both directions.
Encrypted connector credentials
SAM, spend, and workflow connector credentials are encrypted at rest, scoped to your organization, and used only server-side.
Verified inbound
Email-in and CLM webhooks verify HMAC signatures before anything is processed; each org's inbound addresses carry unguessable capability tokens.
Signed outbound webhooks
Events we send you are HMAC-signed with timestamped signatures, so your systems can verify us the same way we verify them.
COMPLIANCE
What your security team can verify.
The controls below are implemented today, not promised. Our SOC 2, GDPR, and CCPA work is underway, and we say exactly where it stands rather than printing a badge we haven’t earned. Security teams can request our documents through a secure, NDA-gated room where every access is logged.
In place today
- Database-enforced tenant isolation
- TOTP multi-factor for admins
- Encryption in transit and at rest
- 60-second signed file downloads
- Full audit logging of views and downloads
- Upload type and byte-signature checks
- Rate limiting on auth and upload
- HSTS, strict CSP, nosniff, frame-deny
- Deletion removes rows and files
Framework status
- SOC 2 Type II In progressControls in place; report under NDA when issued
- GDPR In progressDPA, subprocessors, deletion live; RoPA with counsel
- CCPA / CPRA In progressPrivacy notice live; no sale of personal data
SOC 2 is auditor-attested and GDPR/CCPA have no government badge, so we mark a framework satisfied only when we can show the evidence.
SECURITY FAQ
What your security team will ask.
This is the short list. The full security & data FAQ goes deeper: contract handling step by step, data lifecycle and deletion, how the AI uses your data, and the infrastructure it all runs on.
Bring your security team. Seriously.
The fastest deals we close are the ones where the security review happens first.
Request access