Trust & Security

• Tenant isolation.Every tenant's data is separated by organization-scoped PostgreSQL Row-Level Security, with row security forced at the database layer — application bugs cannot read across organization boundaries.
• Encryption. All traffic is served over TLS with HSTS. Sensitive fields are encrypted at rest at the application layer — including contract financial terms and vendor connector credentials — not only by underlying disk encryption.
• Access control. Role-based access (owner, admin, member, viewer) governs every action, enforced server-side.
• Authentication. Multi-factor authentication can be enforced per organization, and enterprise SSO / SAML is supported via WorkOS.
• Hardened delivery. A strict Content-Security-Policy, HSTS, X-Frame-Options, nosniff, a strict Referrer-Policy, and a Permissions-Policy are set on every response.

The platform keeps an append-only audit log of sensitive actions. Audit history is made tamper-evident with HMAC-signed, hash-chained checkpoints, and deletions are recorded in a signed, chained ledger — so the record of who did what (and what was removed) cannot be silently altered.

Reconciliation is built on the same principle: every resolved value traces to its source document, page, and quote, and AI-extracted fields are confidence-gated with their provenance attached — so a CFO or auditor can follow any number back to its evidence.

You control the data you provide — contract, subscription, usage, and billing data you import or connect. We process it only to operate the Service (reconciliation, analysis, and reporting). We do not sell your data.

AI extraction.To read contract terms, document text is sent to Anthropic's API for structured extraction. That content is processed under Anthropic's commercial terms and is not used to train models. Extraction output is confidence-gated and carries the source quote/page, so AI is used to surface evidence for your review — never to silently decide.

Data classification. Sensitive tables are tracked against an internal classification taxonomy, enforced in our build pipeline, so new code paths cannot quietly expose sensitive data.

Consent for benchmarking. No data leaves your organization boundary for cross-organization benchmarking unless an owner or admin explicitly opts in. Consent decisions are captured in an append-only ledger that records the notice version each actor saw at the time.

The Service is hosted on Microsoft Azure in a single United States region (Azure East US 2). We rely on the following subprocessors to operate it:

• Microsoft Azure — application hosting (United States).
• Supabase — managed PostgreSQL database and authentication.
• Anthropic — AI contract-term extraction (not used for model training).
• WorkOS — enterprise SSO / SAML.
• Resend — transactional email.

Depending on your location you may have rights to access, export, correct, or delete your data (including under the GDPR and CCPA/CPRA). The platform provides data export and erasure paths; erasure is performed so that audit integrity is preserved (the actor reference is nulled rather than rewriting history). Data is retained while your account is active and as needed for legal, dispute-resolution, and contractual obligations, with scheduled archival of older records. See the Privacy Policy for details.

We believe in being precise about what exists today. The controls described above are live in the platform. The following are not yet in place and are on our roadmap — we will not imply otherwise:

• SOC 2 Type II and ISO/IEC 27001 — planned; not yet certified.
• A formal Data Processing Addendum (DPA) — in preparation.
• Independent third-party penetration test report — planned.
• MFA is available and can be enforced per organization, but is not required by default.
• Single-region deployment today; multi-region residency is not yet offered.

Security or privacy questions, or to request what we can share about our security posture, contact privacy@renewalintel.com or reach us through the contact page.