Security at KontractAI

Your contracts contain your most sensitive business terms. We treat their protection as a first-order obligation.

Infrastructure

Encryption in Transit

All data transmitted between clients and KontractAI is encrypted using TLS 1.2+ with strong cipher suites. HSTS headers enforce HTTPS connections.

Encryption at Rest

Contract documents and database contents are stored on encrypted volumes. Backups are encrypted and stored separately from production data.

Isolated Infrastructure

KontractAI runs on dedicated infrastructure with containerized services. Database access is restricted to internal network connections only.

Automated Backups

Database backups run on an automated schedule with retention policies. Backup integrity is verified regularly.

Access Controls

Single Sign-On (SSO)

KontractAI supports SAML-based SSO via Microsoft Entra ID, enabling organizations to enforce their existing identity policies and MFA requirements.

Role-Based Access

Five role tiers (Admin, Lawyer, Legal Ops, Requester, Executive) with granular permissions. Users see only the data and functions relevant to their responsibilities.

IP Allow-Listing

Administrators can restrict application access to approved IP addresses or CIDR ranges, limiting exposure to authorized networks.
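The allow-listing described above comes down to matching the connecting client's address against a configured set of addresses and CIDR ranges. The following is an added illustration (not KontractAI's code; the ranges, the `trusted_proxies` list and the helper names are constructed for the example) of how such a check is typically built so that it fails closed on malformed input, handles IPv4-mapped IPv6 addresses, and only honours `X-Forwarded-For` when the direct peer is a trusted reverse proxy, since otherwise a client could supply an allow-listed address in the header itself.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def compile_allow_list(entries: Iterable[str]) -> List[Network]:
    """Parse administrator-supplied entries (single IPs or CIDR ranges) into network objects.

    Bare addresses become /32 (IPv4) or /128 (IPv6); strict=False lets
    '203.0.113.5/24' be accepted as its containing /24 rather than rejected.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def client_ip(remote_addr: str, forwarded_for: Optional[str], trusted_proxies: List[Network]) -> str:
    """Return the address the allow-list should be evaluated against.

    X-Forwarded-For is attacker-controlled unless the TCP peer is one of our own
    proxies; in that case the last element is the address our proxy appended,
    i.e. the peer it actually accepted the connection from.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted_proxies):
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def is_allowed(ip_str: str, allow_list: List[Network]) -> bool:
    """True if ip_str falls inside any allow-listed network; malformed input is denied."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # fail closed on garbage rather than raising inside the request path
    # An IPv4 client reaching a dual-stack listener may appear as ::ffff:a.b.c.d;
    # compare it against IPv4 ranges as the IPv4 address it represents.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in allow_list)


if __name__ == "__main__":
    # Constructed configuration for demonstration only.
    allow = compile_allow_list(["203.0.113.0/24", "198.51.100.17", "2001:db8:abcd::/48"])
    proxies = compile_allow_list(["10.0.0.0/8"])
    for peer, xff in [("10.0.0.5", "198.51.100.99, 203.0.113.44"),
                      ("203.0.114.1", "203.0.113.44")]:
        ip = client_ip(peer, xff, proxies)
        print(f"peer={peer} xff={xff!r} -> evaluated={ip} allowed={is_allowed(ip, allow)}")
```

The second sample request shows the proxy check doing its job: the peer is not a trusted proxy, so the allow-listed address it placed in `X-Forwarded-For` is ignored and the connection is evaluated (and rejected) on its real source address.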

Audit Logging

Every action in KontractAI is logged with timestamps, user identity, and details. Audit trails are immutable and available for compliance review.

AI Security

KontractAI uses Anthropic's Claude API for contract extraction and analysis. Documents are sent to Claude's API for processing and are not retained by Anthropic for model training. Anthropic's data handling practices are governed by their commercial API terms, which prohibit the use of customer data for training purposes.

All AI interactions are logged in the audit trail, and extraction results are always subject to human validation before being committed to the repository.

Compliance Roadmap

KontractAI is actively working toward formal compliance certifications. Our current security controls are aligned with the principles of SOC 2 Type II and ISO 27001, and we anticipate commencing formal audit processes as the platform scales to production client deployments.

Responsible Disclosure

If you believe you have identified a security vulnerability in KontractAI, please contact us at security@kontractai.com. We take all reports seriously and will respond within 48 hours.

Have security questions?

Our team is available to discuss KontractAI's security posture in detail.

Contact Us