What access controls exist?

Role-based access (Operators vs Viewers). SSO via Google OAuth. API keys scoped per workspace. Passkey support.

Type I report available under NDA. Type II in progress. Contact us for the report.

DPA available. Sub-processor list published. Data retention configurable (30 days to 12 months). Right to deletion honored.

Who are your sub-processors?

Full list published on our DPA page. Key platform providers include Supabase (EU), PostHog (EU), Stripe, Vercel, and AI inference providers.

Does Mission Control auto-commit code?

No. Mission Control drafts reviewed work. It does not push code, merge PRs, or deploy. All exports require human review.

Can I restrict AI inference to EU providers?

Yes. EU-only inference option available on Enterprise plan. Contact us for configuration.

How do I request a security review?

Email security@contractspec.studio or use the contact form on this page.

Enterprise trust

Security Review Kit

Everything your security, legal, and procurement stakeholders need to review the current certified core wedge quickly.

Security controls DPA and sub-processors Privacy policy

Included in the kit

Procurement-ready security summary: controls, data handling, sub-processors, and questionnaire workflow.

Included in the kit

- Security controls summary (auth, encryption, audit trail, retention)
- Data handling overview (PII redaction, deletion workflow, residency options)
- Sub-processor registry and transfer mechanism references

Procurement workflow

- Security questionnaire response in <= 48 business hours
- DPA and privacy references for legal review
- SOC 2 Type I report available under NDA

Recommended review order

- 1. Security posture and controls
- 2. DPA and sub-processors
- 3. Privacy and retention policies

SOC 2 Type I — Available under NDA

Type II audit in progress. Request the report for your security review.

Request report

EU-first data residency

Database, storage, and analytics all hosted in EU regions. Optional EU-only AI inference on Enterprise plan.

Platform sub-processors

Core infrastructure providers that process data as part of normal operations.

Provider	Purpose	Region
Vercel	Hosting, serverless functions	Configurable
Supabase	Managed PostgreSQL database	EU (eu-west-1)
PostHog	Product analytics, feature flags	EU

View full sub-processor list

Security FAQ

Where is my data stored?: Primary database in EU (Supabase EU region). Object storage in EU (GCS europe-west1). No data leaves the EU unless you configure a non-EU inference provider.
Is data encrypted?: Yes. AES-256 at rest, TLS 1.3 in transit. API tokens encrypted with workspace-scoped keys.
How is PII handled?: Automatic PII redaction (emails, phones, names) before feedback is stored. Configurable per source.

Send your questionnaire and timeline

We reply quickly and keep the review trail explicit for every stakeholder.

Email security team Open DPA

Provider

Purpose

Region

Vercel

Hosting, serverless functions

Configurable

Supabase

Managed PostgreSQL database

EU (eu-west-1)

PostHog

Product analytics, feature flags

Security FAQ

Where is my data stored?

Primary database in EU (Supabase EU region). Object storage in EU (GCS europe-west1). No data leaves the EU unless you configure a non-EU inference provider.

Is data encrypted?

Yes. AES-256 at rest, TLS 1.3 in transit. API tokens encrypted with workspace-scoped keys.

How is PII handled?

Automatic PII redaction (emails, phones, names) before feedback is stored. Configurable per source.