SECURITY & DATA FAQ

Ask us the hard ones.

Everything security teams, procurement, and legal ask us about how we handle contracts and data, answered in full. For the architecture itself, start with the security overview.

Validated on arrival

Type allowlist, 40 MB cap, byte-signature check.

Isolated in your tenant

Row-level security and private storage, enforced by the database.

Every touch logged

Views and downloads, yours and ours, in an audit trail you can read.

Deleted for real

Your retention policy, your export, and a hard delete that removes rows and files.

HOW WE HANDLE YOUR CONTRACTS

What happens the moment I upload a contract?
Three things, before anything else touches it. The file is validated: allowed document types only, a 40 MB cap, and a check of the actual byte signature, so a renamed executable is rejected even if the extension says PDF. It is written to a private storage bucket under your organization's path, with storage policies that only your organization's sessions satisfy. And the upload is written to the audit trail. From there it enters the status path you can follow on the contract page: Uploaded, In Review, Benchmarked, Delivered.
Where are contract files stored?
In private storage buckets, encrypted at rest. There is no public URL to any customer file, ever. The storage policies mirror the same organization rule as the database, so a request from outside your organization cannot reach your files even with a direct path.
Who touches my contract while it is being benchmarked?
The analysts who produce your benchmark. Their access runs through the same audited paths as yours: every view and every download of a contract file is logged with the person, the action, the time, the IP, and the user agent, and that trail is inspectable. Multi-factor authentication is mandatory for every member of our staff.
How do file downloads work?
Every download uses a signed URL generated per authorized request, and it expires after roughly 60 seconds. A leaked link is dead before it can be abused. There are no long-lived links to any customer file, and every download lands in the audit log.
Can I share a report with someone outside my organization?
Yes, deliberately and with guardrails. Anything shared outside your organization passes a confidentiality scan for sensitive terms first, and external share links expire on their own. Sharing is an explicit action by someone in your organization, never a default.
Is emailing contracts in safe?
Each organization's inbound address carries an unguessable capability token, so mail sent to it can only land in your workspace. The inbound webhooks that carry the mail verify HMAC signatures before anything is processed. A forged or misdirected message is dropped, not filed.

WHO CAN SEE WHAT

Who can see my contracts?
Members of your own organization, restrictable per contract to named individuals, and the analysts who produce your benchmarks. Nobody else. Every analyst view and download is written to the audit trail you can inspect.
How is tenant isolation actually enforced?
At the database, not in application code. Every customer-facing table carries an organization ID and is covered by Postgres row-level security policies, so a query from your session physically cannot return another organization's rows, even if there were a bug in the application layer. The file buckets enforce the same rule through storage policies. This is the control everything else stands on.
Can I restrict a contract inside my own organization?
Yes. Individual contracts can be limited to named people within your organization, so need-to-know applies inside the tenant boundary too, not just at it.
Can VendorBenchmark employees browse customer data?
Staff access exists for one purpose: producing the deliverables you asked for. Platform staff status lives in a separate table that no customer-facing code path can write to, so it cannot be self-assigned or escalated into from a customer account. And staff access is not quiet access: it flows through the same audit logging as everyone else's.
Is my pricing visible to other customers?
Never in identifiable form. Benchmark aggregates are anonymized and pooled. Nothing that could identify your company, your contract, or your specific terms is ever exposed to another customer.

DATA LIFECYCLE

How long do you keep my data?
As long as you need the service, and no longer. Organization owners set a retention policy under Settings, Data controls, and the same screen shows the whole lifecycle: collected, isolated, retained on your policy, deleted on request.
Can we export everything we have put in?
Yes. Organization owners can export the organization's data as a single file from the data controls screen, without a support ticket. The export includes signed download links for every stored document, so it is the rows and the files they describe, and the audit log has its own full CSV export.
What happens when I delete a contract?
Both the database records and the stored files are removed. Deletion is a data path built into the product, not a request that sits in a queue.
What happens to our data if we leave?
It goes with you. Export everything first, then request full deletion from the data controls screen, and your organization's rows and files are removed.
Are there backups?
Yes, backups are enabled so that an infrastructure failure does not cost you your data. Combined with short-lived file access and full audit logging, the impact of any incident is bounded and reconstructable.

AI AND BENCHMARKS

Is my data used to train AI models?
No. AI features read your tenant-isolated data at request time to answer your questions and generate your deliverables, and that is the whole story. Your contracts are never used to train models, ours or anyone else's.
Which AI provider do you use, and what do they see?
AI features run on Anthropic's Claude models, called from our servers only, never from the browser. Requests carry the tenant-isolated context needed to answer your question, and API traffic is not used to train the models.
How do I know an AI answer is grounded and not invented?
Figures in AI-generated reports are grounded in your stored data and citation tagged, and AI reports pass a groundedness check before they reach you. Curated analyst reports are verified by hand. When Vera cites a clause, the citation points at your actual document.
What goes into the benchmark pool from my deals?
Anonymized aggregates only. The pooled benchmarks are what make your reports sharp, and the pooling is one-way: market low, median, high, and percentile positions come out, but nothing that could identify your company, your contract, or your terms goes in attached to a name.

IDENTITY AND ACCESS

Do you support multi-factor authentication?
Yes. App-based TOTP multi-factor authentication is available to every user, with session step-up enforcement, and it is mandatory for every member of our own staff.
Do you support SSO and automatic provisioning?
SAML and OIDC single sign-on per organization, and the Require SSO switch is enforced: once it is on, password and magic-link sign-in are refused for your domain, with organization owners keeping a break-glass password path so a broken identity provider cannot lock the tenant out. SCIM 2.0 provisioning works today with Okta, Microsoft Entra, and any SCIM-capable IdP: provision, list, and deactivate from your directory, so offboarding in your directory is offboarding here.
Can I see where my account is signed in?
Yes. Settings, Security lists every active session with the device, IP, and last activity. Revoke any single session or sign out everywhere else with one button, and a sign-in from a device your account has never used emails you immediately.
What are the password rules?
Twelve characters minimum, no composition theater, your email handle may not appear in it, and every new password is checked against known breach corpora using a privacy-preserving range query, so the password itself never leaves our server. Password sign-in is throttled per account as well as per IP.
How do roles work inside my organization?
Owner and member roles per organization, managed by your own organization owners. Sensitive actions, member management, data export, retention, and deletion among them, are owner-only.
How are API keys and integration credentials protected?
API keys and SCIM tokens are stored as SHA-256 hashes: we can verify them, nobody can read them back. Both expire within a year, and API key management is restricted to organization owners, enforced at the database. Connector credentials for SAM, spend, and workflow integrations are encrypted at rest, scoped to your organization, and used only server-side. The public API is rate-limited per key.

INFRASTRUCTURE AND ASSURANCE

Where does the platform actually run?
The application runs on Vercel. Your data lives in Supabase: Postgres for records, private buckets for files, both encrypted at rest. AI calls go to Anthropic's API from our servers, and transactional email is sent through Resend. TLS covers everything in transit, and no secret is ever stored in the codebase, keys live in server-side environment variables only.
What hardening is in place at the edges?
HSTS, a strict per-request Content-Security-Policy with nonces, nosniff, and frame-deny on every response. Authentication, upload, and AI routes are rate-limited per user and per IP. Every server route validates its input.
Can our security team review you before we buy?
Please do. We’ll walk your team through the architecture, complete your security questionnaire, and demonstrate the isolation model live, including the cross-tenant access attempt failing. Request access and mention the review; we’ll set up the session.
Can we monitor the platform from our own security stack?
Yes. An audit webhook streams signed batches of audit events to your SIEM every 15 minutes, cursor-tracked so nothing is skipped, and an hourly detector emails your owners when one account's downloads, exports, or permission changes look unusual. The Security Center in Settings shows the whole posture on one page.
How do we report a vulnerability?
Through the responsible disclosure policy, referenced from our security.txt. Good-faith research gets safe harbor and an acknowledgment within 3 business days.
What happens if something goes wrong?
Every action in the platform is audit-logged, backups are enabled, and file access is short-lived by design, which bounds the impact of any incident. If an incident affects your data, you hear it from us directly, with the audit trail to show exactly what was touched.

A question we didn’t answer? Ask it.

Send your security questionnaire. We answer all of it, and we demonstrate the isolation model live.

Request access