Included in the kit
- - Security controls summary (auth, encryption, audit trail, retention)
- - Data handling overview (PII redaction, deletion workflow, residency options)
- - Sub-processor registry and transfer mechanism references
Enterprise trust
Security Review Kit
Everything your security, legal, and procurement stakeholders need to evaluate ContractSpec quickly.
Procurement workflow
- - Security questionnaire response in <= 48 business hours
- - DPA and privacy references for legal review
- - SOC 2 Type I report available under NDA
Recommended review order
- - 1. Security posture and controls
- - 2. DPA and sub-processors
- - 3. Privacy and retention policies
Useful references
SOC 2 Type I — Available under NDA
Type II audit in progress. Request the report for your security review.
Request reportEU-first data residency
Database, storage, and analytics all hosted in EU regions. Optional EU-only AI inference on Enterprise plan.
Platform sub-processors
Core infrastructure providers that process data as part of normal operations.
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Hosting, serverless functions | Configurable |
| Supabase | Managed PostgreSQL database | EU (eu-west-1) |
| PostHog | Product analytics, feature flags | EU |
Security FAQ
- Where is my data stored?
- Primary database in EU (Supabase EU region). Object storage in EU (GCS europe-west1). No data leaves the EU unless you configure a non-EU inference provider.
- Is data encrypted?
- Yes. AES-256 at rest, TLS 1.3 in transit. API tokens encrypted with workspace-scoped keys.
- How is PII handled?
- Automatic PII redaction (emails, phones, names) before feedback is stored. Configurable per source.
Send your questionnaire and timeline
We reply quickly and keep the review trail explicit for every stakeholder.