Your contracts. Your data.
Locked down.
A contract is a sensitive document. Here is exactly how we encrypt it, who can see it, who we share infrastructure with, and what happens if something goes wrong.
Encryption
How your data is protected
AES-256 at rest
All contract data is stored on encrypted volumes. Database fields containing PII and contract content are encrypted with AES-256 keys managed by our hosting provider.
TLS 1.3 in transit
Every connection between your browser and Contract.DIY runs over TLS 1.3 with modern cipher suites. HTTP traffic is redirected to HTTPS at the edge.
Strong security headers
HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, and X-Content-Type-Options are set across the application to harden against common browser-side attacks.
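As an added example (not Contract.DIY's own code), a small Python audit that checks a captured set of response headers against the five headers listed above; the one-year HSTS minimum and the accepted Referrer-Policy values are this example's assumptions, not the site's policy.

```python
import re
# Added example, not Contract.DIY's code. Thresholds below (one-year HSTS
# max-age, accepted Referrer-Policy values) are this example's own assumptions.
HSTS_MIN_AGE = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [sources]}; directive names lowercased."""
    out: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a dict of response headers; an empty list means all pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: list[str] = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        findings.append("HSTS missing")
    elif not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS max-age below one year")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src; CSP3 browsers ignore 'unsafe-inline'
        # once a nonce or hash source is present, so only flag it when it stands alone.
        script = csp.get("script-src", csp.get("default-src", []))
        hashed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
        if not script:
            findings.append("CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in script and not hashed:
            findings.append("CSP permits inline scripts")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or permissive")
    return findings

# Constructed sample header set, not captured from any real site.
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Run `audit_headers` on headers copied from a browser's network panel or `curl -I`; every entry in the returned list is a header that is missing or weaker than the claim above.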
Hardened infrastructure
Production runs in a single hardened container with the database isolated to its own private network. SSH and admin endpoints are scoped to authenticated maintainers only.
Data handling
Who can see your contracts
You and anyone you explicitly share a contract with. Members of our support team can only access your contract content if you grant explicit permission while resolving a support ticket.
How long we keep drafts
Drafts you create stay in your account until you delete them. Account deletion removes your contracts, generation history, and personal information within 30 days.
Backups
Encrypted backups are retained for 30 days for disaster-recovery purposes only. Backups are purged on the same schedule when an account is deleted.
What we never do
We do not sell your data. We do not train AI models on your contract content. We do not share contract content with third parties for marketing purposes.
Sub-processors
Who else handles your data
Every vendor below has been reviewed for security posture and signed a data-processing agreement. We update this list whenever it changes.
Polar
Payments, subscriptions, and credit purchases.
United States / EU
DocuSeal
E-signature workflow when you choose to send a contract for signing.
United States / EU
OpenAI
AI generation of contract drafts. Inputs are submitted under a zero-retention API agreement.
United States
Railway
Production application hosting (single-region container deployment).
United States
Resend
Transactional email — magic links, receipts, signing notifications.
United States / EU
PostHog
Product analytics. PII is hashed at the edge; contract content is never sent.
European Union (EU Cloud)
Compliance
What we are — and what we aren't
We will only claim a certification once we actually hold it. Below is the honest current state.
GDPR aligned
In effect
Lawful basis, data subject rights (access, deletion, export), and a documented data-processing register are in place. Right-to-be-forgotten requests go to security@contract.diy.
SOC 2 Type II
Not yet certified
A SOC 2 Type II audit is on the roadmap once we reach the team and revenue threshold where it materially helps customers. We will not claim certification before it is granted.
HIPAA
Not certified
Contract.DIY is not a HIPAA-covered service and we do not sign BAAs. Do not use the platform to process Protected Health Information.
CCPA / state privacy laws
In effect
California, Colorado, Virginia, and Connecticut residents can exercise data subject rights through the same intake at security@contract.diy.
Incident response
If something goes wrong
Detect & contain
Our on-call rotation triages alerts within 30 minutes. Confirmed incidents trigger isolation of the affected component and a forensic snapshot.
Assess scope
We determine what data was accessed, by whom, and for how long. The investigation is logged in an immutable runbook entry.
Notify affected users
GDPR-mandated breach notifications are sent within 72 hours of confirmation. Users receive a plain-language explanation, the data categories involved, and recommended next steps.
Postmortem & fix
A blameless postmortem is published to affected customers within 14 days. Remediation work is tracked publicly through our changelog.
Reporting a vulnerability
Found something? Tell us.
Email security@contract.diy with a clear, reproducible description. We acknowledge reports within 2 business days and keep you updated through resolution.
We do not currently operate a paid bug-bounty program, but we publicly credit researchers who responsibly disclose meaningful findings. We will not pursue legal action against good-faith research that respects user data.
PGP / encrypted submissions: contact security@contract.diy and we will share a current key. We are happy to coordinate over Signal or other secure channels for higher-severity reports.
Need a DPA or vendor questionnaire?
Reach security@contract.diy — we maintain a standard DPA and complete most security reviews within 5 business days.