SECURITY

Built for the documents you’d never email.

Your contracts are the most commercially sensitive documents your company holds. Security was the first requirement of this platform, not a hardening pass at the end, isolation lives in the database, access is proven, and everything is logged.

ARCHITECTURE

Isolation enforced by the database, not the app.

Most breaches of multitenant apps happen in application code. Ours is designed so that even buggy application code cannot cross a tenant boundary.

Row-level tenant isolation

Every customer table carries your organization ID, and Postgres row-level security policies enforce the boundary on every query. One org can never read another's rows, the database itself refuses.

Private file storage

Contracts live in private buckets with storage policies mirroring the same org rule. There is no public URL to any customer file, ever.

60-second signed downloads

Every file download uses a signed URL that expires in about a minute. A leaked link is dead before it can be abused.

Encrypted everywhere

TLS for everything in transit; database and storage encrypted at rest. No secret is ever stored in the codebase, keys live in server-side environment variables only.

Hardened headers

HSTS, a strict per-request Content-Security-Policy with nonces, nosniff, and frame-deny on every response.

Rate limiting

Authentication, upload, and AI routes are rate-limited per user and per IP, with per-key limits on the public API.

IDENTITY & ACCESS

The right people, proven.

Access control that assumes credentials get phished and roles get misassigned, and limits the blast radius of both.

TOTP multi-factor auth

App-based MFA for all users with session step-up enforcement, and mandatory for every member of our own staff.

SCIM 2.0 provisioning

Okta, Microsoft Entra, or any SCIM-capable IdP provisions and deactivates users automatically, offboarding in your directory is offboarding here.

Role-based access

Owner and member roles per organization, managed by your own org owners. Sensitive actions like member management and deletions are owner-only.

Admin rights can't be self-assigned

Platform staff access lives in a separate table that no customer-facing code path can write to. There is no privilege-escalation route from a customer account.

Per-contract access control

Restrict individual contracts to named people within your own organization, need-to-know inside the tenant boundary too.

Hashed, expiring API credentials

API keys and SCIM tokens are stored as SHA-256 hashes and expire within a year. We can verify them; nobody can read them back.

Enforced SSO

Switch on Require SSO and password and magic-link sign-in are refused for your domain. Owners keep a break-glass path so a broken IdP cannot lock you out.

Session control

See every device your account is signed in on, revoke any one, or sign out everywhere else. A sign-in from a new device emails you the same minute.

Breached-password screening

New passwords need 12 characters and are checked against known breach corpora with a privacy-preserving query before they are accepted.

DATA PROTECTION

Your contracts, accounted for.

Complete accountability for every byte you give us, on the way in, at rest, and on the way out.

Upload validation

Allowed document types only, a 40 MB cap, and a file-signature check on the actual bytes, a renamed executable doesn't get in because the extension says PDF.

Full audit trail

Every view, download, create, update, and delete of contract data is logged with actor, action, entity, organization, IP, and user agent. Analyst access to your files is logged the same way.

Real deletion

When you delete a contract, both the database records and the stored files are removed. Deletion is a data path, not a support ticket.

Confidentiality scanner

Anything shared outside your organization is scanned for sensitive terms first, and external share links expire.

AI without training

AI features run against your tenant-isolated data at request time. Your contracts are never used to train models, ours or anyone else's.

Anonymized benchmarks

Benchmark aggregates are pooled and anonymized. Nothing that could identify your company, contract, or terms is ever exposed to another customer.

Audit stream to your SIEM

Signed batches of audit events push to your SIEM every 15 minutes, and owners can export the complete history as CSV any time.

Automatic security alerts

An hourly detector reads the audit trail and emails your owners when one account's downloads, exports, or permission changes look unusual.

INTEGRATION SECURITY

Connected, without becoming the weak link.

Every connector, webhook, and inbound channel is authenticated in both directions.

Encrypted connector credentials

SAM, spend, and workflow connector credentials are encrypted at rest, scoped to your organization, and used only server-side.

Verified inbound

Email-in and CLM webhooks verify HMAC signatures before anything is processed; each org's inbound addresses carry unguessable capability tokens.

Signed outbound webhooks

Events we send you are HMAC-signed with timestamped signatures, so your systems can verify us the same way we verify them.

COMPLIANCE

What your security team can verify.

The controls below are implemented today, not promised. Our SOC 2, GDPR, and CCPA work is underway, and we say exactly where it stands rather than printing a badge we haven’t earned. Security teams can request our documents through a secure, NDA-gated room where every access is logged.

In place today

  • Database-enforced tenant isolation
  • TOTP multi-factor for admins
  • Encryption in transit and at rest
  • 60-second signed file downloads
  • Full audit logging of views and downloads
  • Upload type and byte-signature checks
  • Rate limiting on auth and upload
  • HSTS, strict CSP, nosniff, frame-deny
  • Deletion removes rows and files

Framework status

  • SOC 2 Type II In progressControls in place; report under NDA when issued
  • GDPR In progressDPA, subprocessors, deletion live; RoPA with counsel
  • CCPA / CPRA In progressPrivacy notice live; no sale of personal data

SOC 2 is auditor-attested and GDPR/CCPA have no government badge, so we mark a framework satisfied only when we can show the evidence.

SECURITY FAQ

What your security team will ask.

Who can see my contracts?
Members of your own organization, further restrictable per contract to named individuals, and the analysts who produce your benchmarks. Every analyst view and download is written to the audit trail you can inspect.
How is tenant isolation actually enforced?
At the database. Every customer-facing table carries an org ID and is covered by Postgres row-level security policies, so a query from your session physically cannot return another organization's rows, even if there were a bug in the application layer. Storage policies on the file buckets mirror the same rule.
Is my data used to train AI models?
No. AI features read your tenant-isolated data at request time to answer your questions and generate your deliverables, and that's it. Your contracts are never used to train models.
Is my pricing visible to other customers?
Never in identifiable form. Benchmark aggregates are anonymized and pooled; nothing that could identify your company, your contract, or your specific terms is exposed to anyone else.
Do you support SSO and automatic user provisioning?
SAML and OIDC single sign-on per organization, with a Require SSO switch that actually refuses password and magic-link sign-in for your domain once it is on. SCIM 2.0 provisioning works today with Okta, Microsoft Entra, and any SCIM-capable IdP, provision, list, and deactivate from your directory. TOTP multi-factor authentication is available to all users, enforceable org-wide, and mandatory for our staff.
Can we stream audit logs to our SIEM?
Yes. Subscribe an audit webhook and signed batches of audit events arrive every 15 minutes, cursor-tracked so nothing is skipped. Owners can also download the complete history as CSV from the audit log page.
Do you have a vulnerability disclosure policy?
Yes: responsible disclosure, referenced from our security.txt. Good-faith research gets safe harbor and an acknowledgment within 3 business days.
How do file downloads work?
Files are served exclusively through signed URLs that expire after roughly 60 seconds, generated per authorized request. There are no public or long-lived links to any customer file, and every download lands in the audit log.
What stops a malicious file upload?
Uploads are restricted to document types, capped at 40 MB, and checked against the file's actual byte signature rather than its extension. A disguised executable is rejected before it touches storage.
Can we delete our data completely?
Yes. You can delete contracts yourself, and deletion removes both database rows and stored files. If you leave, your organization's data goes with you.
Can our security team review you before we buy?
Please do. We’ll walk your team through the architecture, complete your security questionnaire, and demonstrate the isolation model live, including the cross-tenant access attempt failing. Request access and mention the review; we’ll set up the session.
What happens if something goes wrong?
Every action in the platform is audit-logged, backups are enabled, and file access is short-lived by design, which bounds the impact of any incident. If an incident affects your data, you hear it from us directly, with the audit trail to show exactly what was touched.

This is the short list. The full security & data FAQ goes deeper: contract handling step by step, data lifecycle and deletion, how the AI uses your data, and the infrastructure it all runs on.

Bring your security team. Seriously.

The fastest deals we close are the ones where the security review happens first.

Request access