Security

Your contracts contain your most sensitive commercial terms. We take that seriously.

Contraqly is built with enterprise security controls in mind. This page describes exactly how we protect the contract data you entrust to us — and what we do not do with it. We do not claim third-party security certification. We describe our controls so you can make an informed decision.

Security Controls

Built with enterprise security controls in mind.

We do not claim SOC 2 certification, ISO 27001 certification, or any other third-party security audit at this time. We describe the controls we have in place so you can evaluate them directly. If you have specific security review requirements, email us at [email protected].

Encryption at rest

All contract data stored in Contraqly's systems is encrypted at rest using AES-256. This includes uploaded documents, parsed clause data, and alert configuration.

Encryption in transit

All data transmitted between your systems and Contraqly is encrypted using TLS 1.3. We do not accept connections over unencrypted HTTP.

Access controls

Access to customer data within Contraqly is governed by role-based access controls and least-privilege principles. Production data access is restricted to authorized personnel only.

Audit logging

Access to contract data and clause records is logged. Enterprise plan customers can export audit logs for their own compliance and internal record-keeping purposes.

Infrastructure

Contraqly is hosted on cloud infrastructure within the United States. We use established cloud providers with physical and operational security controls appropriate for commercial data storage.

Authentication

Contraqly supports SSO/SAML for Enterprise customers. All accounts require email verification. Password requirements follow current NIST guidelines for minimum length and complexity.

Data Handling

How we handle your contract data.

Your contracts contain commercially sensitive terms. We understand that sending your executed agreements to a third-party service requires trust. Here is exactly how we handle that data.

We do not train on your data

Contraqly does not use customer contract data to train or fine-tune AI models. Your executed agreements are processed for clause extraction and analysis within your account only — they are not used to improve Contraqly's models for other customers.

Data processing and indexing

Contract text is processed by Contraqly's parsing and clause-extraction pipeline. Parsed clause data and metadata (party names, dates, clause types, deviation scores) are stored and indexed in your account. Original uploaded documents are stored securely for your reference.

Retention and deletion

Contract data is retained for the duration of your active subscription. Upon account termination, we will delete your data within 30 days of account closure, unless a longer retention period is required by applicable law. Deletion requests can be submitted to [email protected].

Subprocessors

Contraqly uses a small number of subprocessors (cloud hosting, email delivery) to operate the service. These subprocessors are contractually bound to handle data only as directed and with appropriate security controls. A current list of subprocessors is available on request.

Have specific security questions? Email our team.

[email protected]