Security FAQs

ContractKen protects your data and your clients' information with top security features and protocols.

Last updated: July 23, 2025
Have a due‑diligence questionnaire (DDQ) or security review? Email hello@contractken.com and we’ll respond quickly.

Yes, ContractKen holds SOC2 Type II (latest report available under NDA). We align with ISO 27001/27701 controls and share our security white paper upon request.

TLS 1.2+ in transit; AES-256 at rest using AWS KeyVault/HSM-backed keys. Customer-managed keys are available for enterprise plans.

We have a documented plan with 24×7 monitoring. Clients are notified of any material incident without undue delay (contractually within 72 hours or faster if required by law).

We conduct annual third-party penetration tests and share executive summaries. Customer audits are welcome under reasonable notice and confidentiality.

Yes, for enterprise customers. SSO via Azure AD, Okta, Google Workspace, etc. MFA is enforced for admins. RBAC allows you to control access permissions.

Yes. Enterprise admins can view/export logs showing who accessed, edited, or exported documents and when.

We default to best-in-class LLMs (e.g., OpenAI, Google via API) behind our moderation layer. Enterprise customers can bring their own models/endpoints.

Requests are sent via private, no-training endpoints. Providers contractually commit not to use your data for training. Sensitive fields are masked when configured.

You own your data. We grant no license beyond what’s necessary to run the service. Outputs are yours to use, modify, or delete.

We ground the model on your own playbooks/precedents, show sources, and encourage human review. Our UI flags low-confidence suggestions.

Yes. Admins can enable prompt/history export for audit or compliance reviews.

All bundled sample language is either authored by us, licensed, or sourced from public domain materials. You can store your own precedents privately.

We warrant that the service will perform materially as documented and that we won’t knowingly infringe third-party IP. Legal accuracy of AI outputs requires lawyer review.

Standard caps are tied to annual fees with carve-outs for data breach, gross negligence, and IP infringement. We’re open to reasonable adjustments for enterprise deals.

Yes, for third-party IP infringement claims arising from our service. We also carry cyber/E&O insurance and can share certificates.

99.5% uptime monthly. Priority support SLAs: P1 within 2 hours, P2 within 8 hours. Service credits apply if we miss targets.

You can export contracts, playbooks, logs, and metadata (DOCX/JSON/CSV) before termination. We’ll assist for 30 days post-termination if requested.

Typically Delaware law & arbitration (JAMS/AAA). We’re flexible to match your jurisdictional needs.

Minimal: it reads the active document content you choose to analyze and sends it securely to our backend for processing. It does not access other files or emails.

For highly regulated teams, we offer a private deployment where all inference happens in your Azure tenant or VPC.

Typical redline generation is under 10 seconds for a standard agreement; larger agreements (e.g., 100+ pages) average 20–40 seconds.

Absolutely. Upload them securely; ContractKen will screen drafts against your standards and suggest edits accordingly.

We maintain a public changelog and provide 30 days’ notice for any change that could materially affect data handling or SLAs.

Yes. We test models on diverse contract sets and provide transparency on limitations. Admins can enforce redaction rules to avoid prohibited data in prompts.

Yes. Suggestions are visually distinct in Word, with comments explaining the rationale.

Yes. We sign DPAs, honor data-subject rights (access, deletion, portability), and act as a processor under GDPR and a service provider under CCPA/CPRA.

• DPA, Sub-processor List & Insurance Certs – available on request