Data Privacy
How ContractRabbit handles customer data ownership, access, export, deletion, residency, retention, AI processing, and auditability.
Privacy posture
ContractRabbit processes confidential contract documents and extracted legal data on behalf of customers. Customers retain control over their workspace data, and ContractRabbit applies safeguards for access, storage, processing, export, deletion, retention, and auditability.
Contract-specific privacy obligations, retention periods, support procedures, subprocessors, and data processing terms are governed by the applicable customer agreement, data processing agreement, or order form.
Data categories
| Data category | Examples | Primary purpose | Standard handling |
|---|---|---|---|
| Customer content | Uploaded contracts, generated documents, document versions, extracted text, and source files. | Contract review, extraction, search, workflow, and reporting. | Stored in managed cloud data stores with encryption at rest and in transit. |
| Structured metadata | Parties, dates, monetary values, citations, governing law, renewal terms, duration, obligations, and other extracted fields. | Search, filtering, review workflows, analytics, and reporting. | Stored as workspace-scoped application records. |
| Derived data | Classifications, recommendations, embeddings, search indexes, analytics records, and AI-generated outputs. | Retrieval, clause analysis, matching, review assistance, and product functionality. | Treated as customer data when derived from customer content. |
| Workflow and audit data | Document lifecycle events, user actions, matter relationships, stage history, approvals, and audit log entries. | Governance, traceability, support, and customer reporting. | Retained according to product settings and applicable customer agreement. |
| Account and access data | Users, invitations, organization membership, roles, authentication identifiers, and API keys. | Authentication, authorization, tenant access control, and account administration. | Access is restricted by role, tenant, and operational need. |
| Operational data | Logs, diagnostics, job status, queue state, performance telemetry, and support context. | Security, reliability, debugging, incident response, and service operation. | Access is limited to authorized personnel and operational use. |
Processing purposes
| Purpose | Description |
|---|---|
| Provide the service | Upload, store, parse, analyze, search, classify, compare, and manage contract documents. |
| Improve workspace workflows | Support document lifecycle management, auditability, review routing, and reporting. |
| Secure the platform | Authenticate users, enforce tenant access, monitor system activity, investigate incidents, and prevent misuse. |
| Support customers | Diagnose issues, respond to support requests, and maintain service reliability. |
| Meet contractual obligations | Provide exports, deletion workflows, retention controls, audit records, and enterprise support commitments where applicable. |
Customer control and export
Customers can request export of application data associated with their workspace. Available exports may include:
| Export area | Examples |
|---|---|
| Documents | Uploaded files, generated documents, document versions, and related file records. |
| Extracted data | Structured document metadata, clauses, entities, citations, dates, monetary values, and review outputs. |
| Enrichment data | External enrichment records associated with extracted entities where applicable. |
| Workflow data | Matter records, lifecycle state, review history, and document relationships. |
| Audit records | User actions, administrative events, and document activity history where supported. |
Enterprise export scope, delivery format, support process, and timing may be defined by contract.
Deletion and retention
Administrative data management controls support deletion of workspace documents and associated records. Deletion is intended to remove related customer data across application records and storage systems, including cached data where applicable.
Deletion behavior may be subject to legal, security, backup, billing, audit, or contractual retention obligations. Customer-specific deletion commitments should be reviewed in the applicable agreement.
| Area | Standard posture | Enterprise agreement topics |
|---|---|---|
| Workspace document deletion | Customer administrators can delete documents and related application records where supported. | Deletion SLA, approval process, and deletion evidence. |
| Derived data | Derived records such as extracted metadata, classifications, embeddings, and search records are treated as customer data when derived from customer content. | Scope of derived-data deletion and exception handling. |
| Audit logs | Audit history may be retained to preserve security, governance, billing, or legal records. | Audit log retention period and export requirements. |
| Backups | Backups may retain deleted data until backup expiration or overwrite. | Backup retention period, recovery objectives, and post-termination deletion. |
| Legal or security holds | Deletion may be delayed where required by law, security investigation, or contractual obligation. | Hold process, notice, and release procedure. |
Data residency
ContractRabbit supports customer choice of data residency for database storage and blob storage. Supported residency options are the United States, the European Union / EEA, China for approved enterprise deployments, and another customer-specific deployment boundary where agreed.
Redis caching is currently U.S.-only. Regional Redis caching can be reviewed as part of a customer-specific deployment plan.
| Residency option | Database storage | Blob storage | Redis caching |
|---|---|---|---|
| United States | United States | United States | United States |
| European Union / EEA | European Union / EEA | European Union / EEA | United States |
| China | China for approved enterprise deployments | China for approved enterprise deployments | United States |
| Other deployment boundary | Customer-specific | Customer-specific | United States unless otherwise agreed |
Residency commitments must define which data categories are in scope, including customer content, structured metadata, derived data, embeddings, AI prompts and responses, logs, backups, support records, and operational data.
| Data area | Residency scope | Deployment considerations |
|---|---|---|
| Customer content | In scope. | Stored in the selected blob storage residency boundary. |
| Structured metadata | In scope. | Stored in the selected database residency boundary. |
| Derived data and embeddings | In scope when derived from customer content. | Region-specific vector storage, search indexes, and AI processing controls. |
| AI prompts and responses | In scope when generated from or sent with customer content. | Provider selection, processing region, retention, no-training commitments, and fallback restrictions. |
| Redis cache data | Currently U.S.-only. | Regional cache deployment can be reviewed for customer-specific deployments. |
| Logs and telemetry | Scoped by agreement. | Log redaction, geographic storage, retention limits, and access controls. |
| Backups and disaster recovery | In scope for strict residency commitments. | Backup region, replication boundaries, retention, and recovery objectives. |
| Support access | Scoped by agreement. | Named support team, geographic access restrictions, approval workflow, and customer notice. |
AI processing
ContractRabbit uses AI-assisted processing to analyze documents, extract structured data, classify clauses, generate recommendations, and support natural-language search and review workflows.
| Provider | United States | European Union / EEA | China |
|---|---|---|---|
| Google Gemini / Vertex AI | United States | EU/EEA regional endpoint where configured | — |
| OpenAI | United States | Europe data residency where configured | — |
| Voyage | United States where configured | EU/EEA only where provider terms and endpoint configuration support the deployment boundary | — |
| DeepSeek | — | — | China |
| Qwen / DashScope | — | — | China |

| Topic | Standard posture | Enterprise review topics |
|---|---|---|
| Model inputs | Customer content, extracted text, metadata, prompts, and task instructions may be sent to configured AI providers as needed to provide the service. | Which data categories may be sent to each provider. |
| Model outputs | AI-generated extracted fields, classifications, summaries, recommendations, and review assistance are stored as customer data. | Retention, export, deletion, and auditability of AI outputs. |
| Embeddings | Vector embeddings may be generated to support search, matching, clustering, and retrieval. | Embedding provider, storage region, deletion behavior, and portability. |
| Provider routing | Providers may vary by feature, deployment, and availability. | Approved provider list, fallback behavior, region controls, and customer-managed credentials. |
| Retention and training | Provider-specific retention, abuse monitoring, and training commitments are governed by the applicable provider terms and customer agreement. | No-training commitments, zero-retention options, and data residency configuration. |
Subprocessors and transfers
ContractRabbit uses third-party service providers to deliver hosting, storage, authentication, AI processing, support, security, billing, and operational capabilities. The authorized subprocessor list, transfer mechanisms, and regional commitments are provided through the applicable customer agreement or security package.
| Review area | Enterprise review expectation |
|---|---|
| Subprocessor identity | Provider name, service purpose, and relevant product area. |
| Data categories | Customer content, metadata, derived data, account data, operational data, or billing data. |
| Processing location | Region or country used for storage, processing, support, and backup where applicable. |
| Transfer mechanism | Contractual mechanism for international transfers, such as SCCs, an applicable international transfer addendum, adequacy decision, or Data Privacy Framework participation where applicable. |
| Notice and objection | Customer notice process for new or replacement subprocessors. |
Access to customer data
ContractRabbit limits production data access using role-based access controls and least-privilege principles. Administrative access is restricted to authorized personnel, logged where supported, and reviewed.
Where production data access is required for support, security, or operational purposes, access is governed by internal approval controls and customer-specific contractual requirements.
Auditability
ContractRabbit logs user actions and document history so customers can review activity in their workspace and export records to external governance systems where supported.
| Audit area | Examples |
|---|---|
| User activity | Sign-in activity, document actions, workflow changes, and review activity where supported. |
| Document history | Upload, version, lifecycle, extraction, and review events. |
| Administrative activity | Workspace governance events and privileged actions where supported. |
| Exportability | Audit log exports may be available for enterprise review or downstream governance workflows. |
Enterprise privacy review
For privacy diligence, customers should review the applicable agreement and request any required security or data processing materials.
| Topic | Typical diligence question |
|---|---|
| DPA roles | Is ContractRabbit acting as processor, subprocessor, or independent controller for each data category? |
| Data categories | Which customer data, account data, derived data, and operational data are processed? |
| Subprocessors | Which providers process customer data, in which regions, and for what purpose? |
| Transfers | What legal mechanism supports transfers outside the customer's required geography? |
| Residency | Does the customer require U.S., EU/EEA, China, or another deployment boundary? |
| Deletion | What data is deleted immediately, what remains in backups, and what deletion evidence is available? |
| AI processing | Which AI providers, models, regions, retention terms, and fallback paths are permitted? |
| Support access | Who can access production data, from where, under what approval flow, and with what logging? |