Trust Portal
Welcome to our Trust Portal for ContractPodAi services - your gateway to understanding our unwavering commitment to data security, privacy, and compliance. Here, you can access our comprehensive compliance documentation, find answers to frequently asked questions related to security and privacy, and explore our robust security practices. We believe in maintaining transparency and building trust with our customers, and this portal is designed to provide you with the information and assurance you need to feel confident in our ability to protect your data.
Compliance
- SOC 1 Type II
- SOC 2 Type II
- HIPAA/HITECH
- GDPR
Product Security
Audit Logging
ContractPodAi has implemented comprehensive audit logging to maintain the integrity and accountability of all system activities. Our centralized logging system ensures all actions are recorded and regularly reviewed to detect and mitigate potential security threats.
Data Security
Our data security measures include robust encryption for data at rest and in transit, regular data backups, and stringent data retention and deletion policies to ensure data integrity and protection against unauthorized access.
Multi-Factor Authentication
ContractPodAi supports multi-factor authentication (MFA) via integration with the customer’s chosen identity provider (IdP).
Role-Based Access Control
Role-based access control (RBAC) capabilities exist to manage permissions, ensuring that users only have access to the data and systems necessary for their role, reducing the risk of unauthorized access.
Service-Level Agreements
As an MS Azure hosted platform, we guarantee 99.9% uptime, with maintenance always scheduled on weekends.
SSO Support
ContractPodAi supports single sign-on (SSO) integration through multiple identity providers (IdPs). Two-factor authentication is configured through the IdP when SSO integration is enabled.
Data Security
Backups
Regular backups are performed to ensure data integrity and availability. Our backup processes facilitate quick recovery in case of data loss, ensuring business continuity.
Data Deletion / Data Retention
ContractPodAi has strict data retention and deletion policies to manage the lifecycle of sensitive information, ensuring compliance with legal and regulatory requirements.
Encryption-at-rest
All customer data is encrypted at-rest using AES-256. ContractPodAi is committed to following encryption best practices per industry guidelines and continually reviews the rigor of current encryption standards.
Encryption-in-transit
All customer data is encrypted in-transit using TLS 1.2. ContractPodAi is committed to following encryption best practices per industry guidelines and continually reviews the rigor of current encryption standards.
Physical Security
All physical security and environmental controls are managed and maintained by the Azure cloud. https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security
App Security
Code Analysis
Static application security testing, dynamic application security testing, open-source scanning and secrets scanning are employed to detect and mitigate vulnerabilities during the development lifecycle, ensuring the security of our application.
Software Development Lifecycle
ContractPodAi follows a secure software development lifecycle (SDLC) to integrate security into every stage of our software development process, ensuring robust and secure applications.
Vulnerability & Patch Management
Regular vulnerability assessments and timely patch management practices are in place to address security weaknesses and protect against threats, maintaining system security.
Additionally, ContractPodAi undergoes annual independent penetration testing over the in-scope external network surface, CLM web application, and all CLM APIs. Results of the aforementioned penetration tests are fed into our Vulnerability Management Program and remediated in accordance with our policy timelines.
Web Application Firewall
ContractPodAi has implemented a WAF within all environments across all available regions.
Legal
Sub-processors
ContractPodAi carefully vets and monitors its sub-processors to ensure they meet our stringent security and privacy standards, maintaining the integrity and security of our supply chain. View our DPA for more information.
Cyber Insurance
ContractPodAi has extensive insurance coverage to mitigate the potential loss due to a cybersecurity incident.
Privacy Policy
Our privacy policy outlines how ContractPodAi collects, uses, and protects personal data, ensuring transparency and compliance with applicable regulations. View our Privacy Policy.
Data Privacy
Data Breach Notifications
ContractPodAi has a robust process for detecting, managing, and notifying affected parties of data breaches in a timely manner, minimizing impact and ensuring compliance.
Employee Privacy Training
Regular privacy training is provided to all employees, ensuring they understand their responsibilities and best practices for data protection.
Privacy Office
ContractPodAi has designated a Privacy Officer who is responsible for implementing measures and a privacy governance framework to manage customer data in compliance with applicable laws and regulations.
Access Control
Data Access
Access to data is restricted based on role and necessity, ensuring that only authorized personnel can access sensitive information, thus minimizing the risk of unauthorized access.
Access to internal systems adheres to the principles of least privilege and separation of duties, is subject to regular review by administrators, is documented with clear rationales for provisioning and changes, and is revoked according to strict termination policies.
Logging
All activity and the corresponding logs are recorded in ContractPodAi’s Security Information and Event Management (SIEM) tool. The SIEM is configured to generate alarms for suspicious activity and is monitored 24/7/365. All logs that track access to, use of, modification of, or deletion of Collected Data are ingested into ContractPodAi’s SIEM for monitoring. Logs are retained for forensic purposes.
Password Security
Strong password policies are enforced, including complexity requirements and regular changes, to enhance account security and protect against unauthorized access.
Infrastructure
Azure
ContractPodAi infrastructure is hosted by Azure in multiple regions. Additional information on Azure infrastructure security can be found at https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure
Anti-DDoS
Anti-DDoS protections are in place to defend against distributed denial-of-service attacks, ensuring service availability and resilience against external threats.
BC/DR Planning & Testing
Business continuity and disaster recovery (BC/DR) plans are regularly tested to ensure rapid recovery and minimal disruption in the event of a disaster, ensuring business resilience.
Network Time Protocol
Network time protocol (NTP) is used to synchronize the clocks of our systems, ensuring accurate timekeeping and consistency across the network.
Separate Production Environment
Our production environment is segregated from development and testing environments to enhance security, ensuring that production systems are isolated from potential risks during development and testing.
Endpoint Security
Endpoint Detection & Response
Advanced endpoint detection and response (EDR) solutions are deployed to detect and mitigate threats at the endpoint level.
Mobile Device Management
ContractPodAi centrally manages and secures all employee endpoints through a Mobile Device Management (MDM) solution. This systematic management allows us to enforce security policies, distribute software and updates, and monitor endpoint integrity.
Threat Detection
ContractPodAi’s Security team continuously monitors the environment for known attacker tactics, techniques, and procedures (TTPs), as well as for malicious binaries and other suspicious activity. These ongoing efforts are supported by regularly scheduled reviews and investigations of unusual activity to identify previously unknown threats.
DNS Filtering
To improve endpoint security, ContractPodAi uses DNS filtering mechanisms to block access to malicious web traffic. This preventive measure is supported by regular monitoring.
Network Security
Firewall
Network access to both internal and external services is regulated through the use of firewalls and a Demilitarized Zone (DMZ) to safeguard internal systems and services.
IPS/IDS
Intrusion prevention and detection systems (IPS/IDS) are employed to identify and mitigate potential threats in real-time, enhancing network security.
SIEM
ContractPodAi has 24/7 SOC monitoring provided by a third-party MSSP. All relevant security logs are sent to a central SIEM solution, where they are correlated and analysed for threats and anomalous activity.
Data Exfiltration Monitoring
ContractPodAi monitors for potential data exfiltration attempts to prevent unauthorized data transfers out of the network, safeguarding sensitive information.
DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) is used to protect our email domain from being used in phishing and email spoofing attacks, ensuring secure email communications.
Corporate Security
Asset Management
ContractPodAi maintains an up-to-date inventory of all IT assets to ensure proper management and security controls, protecting company resources.
Email Protection
Advanced email protection solutions are deployed to detect and block phishing and malware attacks, ensuring secure email communications.
Employee Training
Regular security training programs are conducted to educate employees about the latest threats and best practices, fostering a security-aware culture.
Governance
Our governance framework ensures that all security policies and procedures are adhered to and regularly reviewed, maintaining compliance and security standards.
Incident Response
ContractPodAi has a documented Incident Response Plan outlining the procedures for addressing potential security incidents. This plan undergoes systematic annual reviews, testing, and approval by relevant stakeholders to ensure it remains effective and ready for any security incidents.
Operational Risk Management
Our operational risk management practices identify, assess, and mitigate risks to ensure business continuity and security, aligning with industry best practices.
Third-Party Risk Management
ContractPodAi assesses and manages risks associated with third-party vendors to ensure they meet our security standards, protecting our supply chain and business operations.
HR Security
To ensure the integrity and security of our operations, all new ContractPodAi employees undergo a thorough background check and sign a non-disclosure agreement upon joining. These measures are part of our annually reviewed HR security policy, which mandates compliance with company policies and procedures designed to safeguard organizational assets and information.
Penetration Testing
ContractPodAi engages in third-party penetration testing every 6 months and upon the release of new products to proactively identify and address security vulnerabilities within our systems. The outcomes of these tests are documented, and any findings are prioritized for remediation according to their severity.
ContractPodAi does not use user data to develop, improve, or train generalized AI and/or ML models.