Security you can trust with your most sensitive contracts
Multi-tenant isolation is enforced at the database level. Every request is authenticated, every mutation is CSRF-protected, and every tenant-scoped table is guarded by row-level security.
What is in the platform today
Every control listed below is shipped today. Enterprise Secure customers can opt into the security bundle (BYOK, dedicated storage, data residency, audit log export, HIPAA BAA) via the request-access form.
Tenant isolation via row-level security
Row-level security policies are enforced at the database layer on every tenant-scoped table. Each transaction sets the current tenant ID; no cross-tenant read or write is possible, even with a bug in application code.
Auth via httpOnly JWT + CSRF
Sessions are stored in an httpOnly, Secure, SameSite cookie. All state-changing requests require a CSRF double-submit token validated by the backend.
Role-based access control
Five customer-facing roles (Admin, Editor, Legal, Procurement, Viewer) with granular permissions. Custom roles available on Enterprise.
Encryption at rest
Contract files are stored with AES-256 server-side encryption. Metadata and clause data are held on managed, encrypted database infrastructure.
Audit logging
Every mutation is logged with actor, action, target, and timestamp. Audit data underpins contract history exports and obligation reviews.
Service-to-service auth
Internal service calls require a dedicated shared-secret header. Production startup refuses to run if a default or weak signing secret is detected.
Synthetic data generation
Generate realistic, fully synthetic contracts and clause corpora for testing, training, and demos. Sandbox environments and model evaluations can run without touching real customer agreements or PII.
SSO / SAML / OIDC
Enterprise tenants can integrate any SAML 2.0 or OIDC identity provider, including Okta, Azure AD, Google Workspace, and OneLogin. Configure under /settings/sso.
Bring Your Own Key (BYOK)
Enterprise Secure customers supply their own AI provider key. Keys are encrypted at rest with a tenant-scoped envelope and resolved per-tenant on every call. AI inference bills to the customer account, never the platform's. The current supported provider list is on the procurement security questionnaire.
Dedicated storage & data residency
Enterprise Secure customers get isolated S3 storage with region selection (US, EU, APAC). Documents never leave the chosen region.
Defense in depth
Access is checked at every layer: cookie authentication at the edge, RBAC in the application, and row-level security at the database. A bug in any single layer cannot leak another tenant's data.
- httpOnly Secure cookies for session tokens
- CSRF double-submit on every mutation
- RBAC across fine-grained permissions
- Row-level security on every tenant-scoped table
- Tenant-scoped vector and full-text search indexes
- Production startup refuses weak JWT secrets
- Synthetic data available for non-production environments
Request path
Client
TLS 1.2+ encrypted connection
Edge layer
httpOnly cookie + CSRF check
Application layer
JWT verification + RBAC enforcement
Async AI processing
Isolated extraction, classification, and embedding jobs
Database layer
Row-level security with per-transaction tenant scope
Compliance posture
We have not yet completed third-party certifications. Controls are designed against the Trust Services Criteria, and we are happy to share technical detail under NDA as part of a procurement review.
SOC 2
Controls are designed against the Trust Services Criteria. A formal Type II audit is on the roadmap and has not yet been completed.
HIPAA
Encryption, access logging, and tenant isolation are in place. A Business Associate Agreement is available on Enterprise Secure; request one through the access form or your account contact.
GDPR
Data export and deletion endpoints exist for every tenant. A formal Data Processing Agreement is available on request.
Have security questions?
We are happy to walk through the architecture, answer questionnaires, or share documentation under NDA as part of your review.