Security
Last updated: March 18, 2026
Our security commitment
Contracts are among the most sensitive business documents. We built ClauseGuard with a security-first architecture: your documents are processed in memory, encrypted in transit, never permanently stored as raw files, and never used for AI model training. We use enterprise-grade infrastructure from providers with SOC 2 Type 2 certification.
Data handling
Document processing
When you upload a contract, it is sent over TLS 1.3 encrypted connections to our Vercel serverless infrastructure. The document is parsed in memory, sent to the Anthropic API for AI analysis, and the structured results are returned to your browser. The raw document file is not written to disk or permanently stored on our servers.
What we store
| Data | Stored? | Details |
|---|---|---|
| Raw contract files | No | Processed in memory only |
| Analysis results | Yes | Risk scores, findings, recommendations stored in your account |
| Account info | Yes | Email, name, plan, preferences |
| Payment data | No | Handled entirely by Stripe (PCI DSS Level 1) |
Data deletion
You can delete individual contracts and their associated data at any time from your dashboard. If you delete your account, all associated data is permanently removed within 30 days.
AI model security
Zero-training guarantee
Your contracts are never used to train, fine-tune, or improve any AI model. We use Anthropic's Claude API, which has a contractual commitment that API inputs and outputs are not used for model training. Your data goes in, analysis comes out, nothing is retained by the AI provider.
Contract text is sent to Anthropic's API over encrypted connections for real-time analysis. Anthropic does not store API inputs or outputs beyond the duration of the request. See Anthropic's privacy commitments for details.
Infrastructure security
Application hosting
Edge network with automatic TLS, DDoS protection, serverless isolation
Authentication & database
PostgreSQL with row-level security, encrypted at rest (AES-256), hosted on AWS
Payment processing
We never see or store credit card numbers
AI analysis engine
No data retention, no model training on API inputs
Transactional email
DKIM, SPF, and DMARC authenticated sending
Encryption
- In transit: All data transmitted between your browser and ClauseGuard is encrypted using TLS 1.3. All API calls to third-party services (Anthropic, Stripe, Supabase) are also encrypted in transit.
- At rest: Database storage is encrypted at rest using AES-256 encryption, managed by Supabase/AWS infrastructure.
- Authentication tokens: Session tokens are encrypted, HTTP-only, and SameSite protected. API keys are stored as environment variables, never exposed to the client.
Access control
- Authentication: Google OAuth 2.0 or email magic link (passwordless). No passwords stored.
- Authorization: Row-level security (RLS) on all database tables. Users can only access their own data. Team data is scoped to team membership.
- Role-based access: Team collaboration features support Admin, Member, and Viewer roles with appropriate permission boundaries.
- API security: All API endpoints validate authentication tokens. Cron endpoints require a separate secret. Webhook endpoints verify signatures.
Incident response
In the event of a security incident involving your data, we will notify affected users within 72 hours of discovery, provide details about the nature and scope of the incident, describe the measures taken to address it, and recommend steps you can take to protect yourself. We maintain an incident response plan and conduct regular reviews of our security posture.
Responsible disclosure
If you discover a security vulnerability in ClauseGuard, please report it to security@theclauseguard.com. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.