Security you can trust with your most sensitive contracts
Multi-tenant isolation is enforced at the database level. Every request is authenticated, every mutation is CSRF-protected, and every tenant-scoped table is guarded by row-level security.
What is in the platform today
Controls below reflect what is actually shipped. Items marked Planned are part of the Enterprise Secure roadmap.
Tenant isolation via row-level security
Row-level security policies are enforced at the database layer on every tenant-scoped table. Each transaction sets the current tenant ID — no cross-tenant read or write is possible, even with a bug in application code.
Auth via httpOnly JWT + CSRF
Sessions are stored in an httpOnly, Secure, SameSite cookie. All state-changing requests require a CSRF double-submit token validated by the backend.
Role-based access control
Six built-in roles (super_admin, admin, editor, legal, procurement, viewer) with granular permissions. Custom roles available on Enterprise.
Encryption at rest
Contract files are stored with AES-256 server-side encryption. Metadata and clause data are held on managed, encrypted database infrastructure.
Audit logging
Every mutation is logged with actor, action, target, and timestamp. Audit data underpins contract history exports and obligation reviews.
Service-to-service auth
Internal service calls require a dedicated shared-secret header. Production startup refuses to run if a default or weak signing secret is detected.
Synthetic data generation
Generate realistic, fully synthetic contracts and clause corpora for testing, training, and demos. Sandbox environments and model evaluations can run without touching real customer agreements or PII.
SSO / SAML / OIDC
Planned for Enterprise: integration with any SAML 2.0 or OIDC identity provider, including Okta, Azure AD, Google Workspace, and OneLogin.
Bring Your Own Key (BYOK)
Planned for Enterprise Secure: customer-supplied encryption keys via a cloud key management service. Customers maintain full control over rotation, revocation, and access policies.
Dedicated storage & data residency
Planned for Enterprise Secure: isolated storage per customer with region selection (US, EU, APAC). Data never leaves the selected region.
Defense in depth
Access is checked at every layer: cookie authentication at the edge, RBAC in the application, and row-level security at the database. A bug in any single layer cannot leak another tenant's data.
- httpOnly Secure cookies for session tokens
- CSRF double-submit on every mutation
- RBAC across fine-grained permissions
- Row-level security on every tenant-scoped table
- Tenant-scoped vector and full-text search indexes
- Production startup refuses weak JWT secrets
- Synthetic data available for non-production environments
Request path
- Client: TLS 1.2+ encrypted connection
- Edge layer: httpOnly cookie + CSRF check
- Application layer: JWT verification + RBAC enforcement
- Async AI processing: Isolated extraction, classification, and embedding jobs
- Database layer: Row-level security with per-transaction tenant scope
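One way the per-transaction tenant scope at the database layer can be built, shown as an added example that is not the platform's own code. It assumes PostgreSQL; the role, table, policy and setting names (app_user, contracts, tenant_isolation, app.tenant_id) and the tenant IDs are hypothetical.

```sql
-- Added example. Assumes PostgreSQL; every name below is hypothetical.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;  -- role the application runs as

CREATE TABLE contracts (
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON contracts TO app_user;

ALTER TABLE contracts ENABLE ROW LEVEL SECURITY;
-- Table owners skip policies unless FORCE is set; superusers and
-- BYPASSRLS roles always skip them, so the app must not run as either.
ALTER TABLE contracts FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK
-- constrains rows that are written. An unset or empty setting becomes
-- NULL, the comparison is then never true, and no row is visible.
CREATE POLICY tenant_isolation ON contracts
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Tenant A (constructed ID). set_config(..., true) is transaction-local,
-- so the value cannot leak to the next request on a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO contracts VALUES ('11111111-1111-1111-1111-111111111111', 'Tenant A MSA');
COMMIT;

-- Tenant B (constructed ID). The unfiltered SELECT stands in for an
-- application query that forgot its WHERE clause: the policy still
-- limits it to tenant B's rows, and an INSERT carrying tenant A's ID
-- would be rejected by WITH CHECK.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
SELECT tenant_id, title FROM contracts;
COMMIT;
```

When reviewing a design like this, check which database role the application actually connects as: the isolation holds only while that role is neither the table owner without FORCE, a superuser, nor granted BYPASSRLS.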
Compliance posture
We have not yet completed third-party certifications. Controls are designed against the Trust Services Criteria, and we are happy to share technical detail under NDA as part of a procurement review.
SOC 2
Controls are designed against the Trust Services Criteria. A formal Type II audit is on the roadmap and has not yet been completed.
HIPAA
Encryption, access logging, and tenant isolation are in place. A Business Associate Agreement will be offered with Enterprise Secure at launch.
GDPR
Data export and deletion endpoints exist for every tenant. A formal Data Processing Agreement is available on request.
Have security questions?
We are happy to walk through the architecture, answer questionnaires, or share documentation under NDA as part of your review.