How we handle your data

No vague promises. Bullets and checkmarks.

Data sources & permissions

  • OAuth or API key. No broad scopes.
  • Read-only by default. We never write back.
  • Permissions scoped per workspace, revocable anytime
  • Tokens encrypted at rest (AES-256)

Redaction options

  • Emails and phone numbers redacted at ingestion
  • Names optional. Toggle per workspace.
  • Custom regex rules for additional PII
  • Raw PII is never stored

Retention controls

  • Workspace-level retention: 30 days to 12 months
  • Hard delete on schedule. No recovery after retention window.
  • On-demand purge available

Audit trail

  • Evidence IDs ingested, patterns clustered, rules fired
  • Briefs created, cards exported, checks scheduled
  • User ID + timestamp + workspace on every entry
  • Export full log as JSON or CSV

No auto-commit in v0

  • ContractSpec drafts artifacts and exports work items
  • No code pushes, PR merges, or deploys
  • Autopilot queues for review. Never commits.
  • No shell access, git write, or CI/CD triggers

Deployment options

  • Managed cloud: EU + US regions, SOC 2 in progress
  • Data stays in your chosen region
  • Single-tenant or on-prem available on Enterprise
  • Custom setup via call for VPC peering or air-gapped deployments

Contact for security review

  • Email security@contractspec.studio for questionnaires
  • We respond to security reviews within 48 hours
  • SOC 2 Type I report available under NDA
  • Penetration test results shared on request

Need a security review?

We'll walk through our posture in detail.