Security & Privacy

How ContractRabbit protects customer data, secures its cloud infrastructure, and supports enterprise security reviews.

Overview

ContractRabbit is designed for legal teams working with confidential contracts, structured deal data, and sensitive business records. The platform combines cloud security controls, tenant isolation, access governance, encryption, auditability, and data management processes to protect customer information throughout the document lifecycle.

This section summarizes the security and data privacy controls available for enterprise review. Specific commitments, retention terms, support obligations, data residency requirements, and isolation requirements are defined in the applicable customer agreement, data processing terms, or order form.

Area | Standard posture | Enterprise review topics
Tenant isolation | Logical tenant separation using tenant-scoped authorization and data access controls. | Dedicated infrastructure, customer-managed keys, or additional isolation requirements.
Data storage | Customers can choose United States or European Union / EEA residency for database storage and blob storage. | China or other residency requirements require enterprise deployment review. Redis caching is currently U.S.-only unless otherwise agreed.
Encryption | Customer data is encrypted in transit and at rest using managed cloud controls. | Key management, rotation, customer-managed keys, and evidence requests.
Access governance | Production access is restricted, role-based, logged, and limited to operational need. | Support access approvals, customer notification, and named support procedures.
AI processing | AI-assisted review is used to provide extraction, classification, search, and review workflows. | Provider selection, region, retention, no-training terms, fallback behavior, and BYOK/BYOM requirements.
Data lifecycle | Export, deletion, retention, audit, and backup handling are governed by product capability and contract terms. | Deletion SLA, backup retention, post-termination return or deletion, and audit exports.

Security program

ContractRabbit's security program is built around defense in depth:

  • Cloud infrastructure - Documents and application data are stored in managed cloud services, including object storage for documents, PostgreSQL for structured application data, Redis for caching and session-related workflows, and search or derived indexes where configured.
  • Encryption - Persistent data is encrypted at rest, and network traffic is encrypted in transit using TLS.
  • Tenant isolation - Customer data is separated by tenant using application-level authorization and tenant-scoped data access patterns, with additional enterprise isolation options handled by agreement.
  • Access governance - Administrative access is limited, role-based, logged, and subject to approval controls for production data access.
  • Secure development - Changes pass through automated tests, vulnerability checks, peer review, preview validation, and controlled production deployment.
  • Monitoring and response - Security-relevant events are logged and monitored, with documented processes for investigating and responding to incidents.
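The tenant isolation bullet above describes application-level, tenant-scoped data access. The following is an added illustration of that pattern, written for this page and not taken from ContractRabbit's code base: a small repository in which every query carries the tenant id from the authenticated session rather than from the request, so a document id that belongs to another tenant is indistinguishable from an id that does not exist. The schema, the Session class, and the sample rows are constructed for the example.

```python
"""Added example (not ContractRabbit code): tenant-scoped data access.

Every read, write and delete is filtered by the tenant id taken from the
authenticated session, never from a client-supplied parameter. A document
id owned by another tenant therefore behaves like a non-existent id.
Storage is an in-memory sqlite database seeded with constructed rows.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Authenticated context (hypothetical shape). tenant_id is set during
    login from the identity provider, not by the request being served."""
    user_id: str
    tenant_id: str


# Constructed schema: one shared table, tenant column on every row.
SCHEMA = """
CREATE TABLE documents (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    title     TEXT NOT NULL
);
CREATE INDEX documents_tenant ON documents (tenant_id, id);
"""

# Constructed sample rows: two tenants sharing one database.
SAMPLE_ROWS = [
    (1, "tenant-a", "Master Services Agreement"),
    (2, "tenant-a", "Order Form 2024-03"),
    (3, "tenant-b", "Mutual NDA"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class DocumentRepo:
    """All data access goes through this class, and every statement is
    scoped to the session's tenant. Cross-tenant ids return None / False
    rather than a distinct 'forbidden' result, so callers cannot confirm
    that a row exists in another tenant."""

    def __init__(self, conn: sqlite3.Connection, session: Session) -> None:
        self._conn = conn
        self._tenant = session.tenant_id

    def get(self, doc_id: int) -> Optional[dict]:
        row = self._conn.execute(
            "SELECT id, title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant),
        ).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}

    def list_titles(self) -> list:
        rows = self._conn.execute(
            "SELECT title FROM documents WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]

    def create(self, title: str) -> int:
        # tenant_id comes from the session, so a client cannot write into
        # another tenant's space by supplying its own tenant value.
        cur = self._conn.execute(
            "INSERT INTO documents (tenant_id, title) VALUES (?, ?)",
            (self._tenant, title),
        )
        self._conn.commit()
        return cur.lastrowid

    def delete(self, doc_id: int) -> bool:
        # rowcount is 0 when the id belongs to another tenant: nothing deleted.
        cur = self._conn.execute(
            "DELETE FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant),
        )
        self._conn.commit()
        return cur.rowcount == 1


if __name__ == "__main__":
    conn = build_sample_db()
    repo_a = DocumentRepo(conn, Session("alice", "tenant-a"))
    print(repo_a.list_titles())   # only tenant-a documents
    print(repo_a.get(3))          # None: id 3 belongs to tenant-b
    print(repo_a.delete(3))       # False: nothing deleted
```

The design choice worth noting is that the tenant filter lives inside the repository, not in each caller: an endpoint that forgets to check ownership still cannot read or delete across tenants, which is the property a review of "tenant-scoped data access patterns" is looking for.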

Read more in Security Controls.

Data privacy

ContractRabbit's data privacy posture is centered on customer control, limited access, and transparent data lifecycle management:

  • Customer control - Customers can request export of application data, documents, versions, extracted metadata, enrichment data, audit logs, and lifecycle records.
  • Deletion - Workspace data can be deleted through administrative controls, with deletion intended to remove associated records across storage systems, including cached data.
  • U.S. data storage - Current production data storage is in the United States.
  • Auditability - User actions and document history are logged and can be exported for enterprise review or downstream governance workflows.
  • Enterprise terms - Data retention, licensing-specific retention, support procedures, and other contractual controls are governed by the applicable customer agreement.

Read more in Data Privacy.

Enterprise review

For security questionnaires, vendor risk reviews, or procurement diligence, ContractRabbit can provide architecture, control, subprocessor, and data lifecycle information based on the scope of the customer relationship. Enterprise deployments may include custom requirements for identity, retention, audit export, support access, geographic processing, and infrastructure isolation.

Read more in Enterprise Review.

Identity and onboarding

ContractRabbit supports email/password, Google, and Microsoft sign-in for self-serve workspaces, and Microsoft Entra ID SAML + SCIM for Enterprise workspaces. Workspace access is separately authorized by invitations, verified-domain policy, approved access requests, seat limits, and organization roles.

Read more in Identity and onboarding.