# Enterprise Security Review
Security, privacy, data residency, AI provider, and agreement topics available for enterprise procurement review.
## Overview
ContractRabbit supports enterprise security and privacy diligence by providing documentation on its security program, cloud architecture, data lifecycle, identity controls, AI processing, and customer data handling.
Some diligence materials are appropriate for public documentation. More detailed materials, including named subprocessors, detailed architecture diagrams, security questionnaires, and customer-specific deployment commitments, may be provided through the enterprise procurement process or under the applicable agreement.
| Review area | Public documentation | Enterprise review materials |
|---|---|---|
| Security program | Security controls, encryption, access governance, monitoring, and compliance alignment. | Security questionnaire responses, control evidence summaries, incident response contacts, and contractual notice terms. |
| Data privacy | Data categories, processing purposes, export, deletion, retention, auditability, and standard residency posture. | Data processing agreement, retention schedule, deletion commitments, and post-termination handling. |
| Identity and access | Supported sign-in paths, Enterprise SAML SSO, SCIM, roles, and workspace authorization. | Customer-specific SSO setup, SCIM mapping, group-to-role mapping, and access policy configuration. |
| Data residency | Standard U.S. production posture and enterprise-scoped regional options. | Region-specific deployment plan, backup boundary, support access terms, and approved provider stack. |
| AI processing | AI processing categories, provider options, derived data, embeddings, and model routing topics. | Approved provider list, model regions, retention controls, no-training terms, fallback restrictions, and BYOK/BYOM configuration. |
| Subprocessors | Service categories used to provide hosting, storage, identity, AI processing, support, operations, and billing. | Named subprocessor list with processing purpose, data category, region, and transfer mechanism. |
## Enterprise materials
Enterprise customers may request additional materials as part of vendor risk review or procurement.
| Material | Typical contents |
|---|---|
| Security questionnaire | Responses covering application security, infrastructure security, access governance, encryption, monitoring, vulnerability management, and incident response. |
| Data processing terms | Processing roles, permitted purposes, customer instructions, confidentiality, subprocessors, transfers, deletion, return, and audit rights. |
| Subprocessor list | Provider name, service purpose, data categories, processing locations, and applicable transfer mechanism. |
| Architecture overview | Application, storage, database, cache, queue, identity, AI provider, and observability components at the agreed level of detail. |
| AI processing summary | Provider options, input and output categories, embeddings, retention considerations, training restrictions, regional configuration, and fallback controls. |
| Residency summary | Standard production region, available enterprise region options, backup handling, support access, and deployment assumptions. |
| Identity setup guide | Enterprise SAML and SCIM configuration steps for Microsoft Entra ID, including required attributes and group mapping. |
## Residency options
ContractRabbit supports customer choice of data residency for database storage and blob storage. Supported residency options include the United States, European Union / EEA, China for approved enterprise deployments, or another customer-specific deployment boundary where agreed.
Redis caching is currently U.S.-only for every residency option, so cached data for EU/EEA, China, and other deployment boundaries is held in the United States unless otherwise agreed. Regional Redis caching can be reviewed as part of a customer-specific deployment plan.
| Residency option | Database storage | Blob storage | Redis caching |
|---|---|---|---|
| United States | United States | United States | United States |
| European Union / EEA | European Union / EEA | European Union / EEA | United States |
| China | China for approved enterprise deployments | China for approved enterprise deployments | United States |
| Other deployment boundary | Customer-specific | Customer-specific | United States unless otherwise agreed |
## LLM provider options
LLM provider availability may vary by feature, deployment, model availability, customer credentials, and contract terms.
| Provider | United States | European Union / EEA | China |
|---|---|---|---|
| Google Gemini / Vertex AI | United States | EU/EEA regional endpoint where configured | — |
| OpenAI | United States | Europe data residency where configured | — |
| Voyage | United States where configured | EU/EEA only where provider terms and endpoint configuration support the deployment boundary | — |
| DeepSeek | — | — | China |
| Qwen / DashScope | — | — | China |
Enterprise deployments with residency restrictions should define approved providers, models, endpoints, retention controls, no-training terms, and fallback behavior in the applicable agreement or deployment plan.