
The safety of your contracts is our priority

Every infrastructure partner we use, every integration we build, and every architectural decision we make starts from one question: how do we keep your contract data safe?

Everything starts with security.
From the partners we choose to the integrations we build.

Contracko runs on infrastructure operated by ISO/IEC 27001 and SOC 2 Type II audited providers, with encryption at every layer, two-factor authentication on every account, and a firm "no" to model training on customer contracts.

Audited infrastructure, end to end

Every layer of Contracko runs on infrastructure from carefully chosen partners with internationally recognised security attestations. The certifications below are held by those providers, not by Contracko itself.

Web hosting

Hetzner

EU region · ISO/IEC 27001:2022

Our application runs on Hetzner Cloud. Hetzner holds ISO/IEC 27001:2022 certification across its German data centres, the international standard for information-security management, and is audited annually by independent third parties.

Database

PlanetScale on AWS

EU region · SOC 2 Type II

Your contract records live in a managed PlanetScale Postgres cluster running on AWS in the EU. PlanetScale is continuously audited by a US accounting body to the SOC 2 Type II standard.

Object storage

Cloudflare R2

EU region · ISO 27001 · SOC 2 Type II

Uploaded contracts and exports sit in Cloudflare R2 with EU-jurisdiction guarantees. Cloudflare holds both ISO 27001 and SOC 2 Type II attestations.

Data residency

All customer data (application, database, and uploaded files) is held in EU data centres. A signed Data Processing Agreement (DPA) under the European Commission's standard contractual clauses is available on request. Our record of processing activities is published in our privacy policy.

View privacy policy →

Encrypted in transit and at rest

Strong encryption is used wherever your data moves, with industry-standard protocols and ciphers.

TLS 1.2 / 1.3 in transit

Every connection to Contracko is encrypted with TLS 1.2 or 1.3, using certificates that are automatically rotated. We enforce HTTPS via HSTS, so browsers refuse to fall back to unencrypted connections.

What this means: Every connection between your browser and Contracko is protected by the same encryption protocol used by online banking and government services.

AES-256 at rest

Contract records, uploaded files, and operational state are all stored with AES-256 encryption at rest, managed by our infrastructure providers as part of their certified key-management programmes.

What this means: If someone got hold of the physical disks our data lives on, the contracts on them would still be unreadable. Without the encryption keys, the contents stay locked.

Access and security that scale with you

Control who gets access to which contracts, enforce best practices for account security, and offer the enterprise identity standards your IT team already trusts.

Two-factor authentication on every account

Every account can enable TOTP-based 2FA with backup codes from account settings. Available today, free on every plan. Critical actions can require a fresh second factor.

Role-based access, scoped per contract

Permissions are defined per organisation and per contract, with clearly delineated roles for owners, collaborators, and viewers. The right people see exactly what they should.

Single sign-on for enterprises

On the Big Business plan, teams can connect Contracko to their existing identity provider with self-serve OIDC single sign-on, including Microsoft Entra, Google Workspace, Okta, and any OIDC-compliant provider (SAML on request). Your IT team governs who has access, enforces 2FA centrally, and provisions or revokes accounts from one place.


Your contracts are not training data

Contracko uses third-party AI models to power contract analysis and data extraction. Under their default API terms, your content is already excluded from training. We sign Zero Data Retention agreements on top wherever a provider offers them.

Training excluded by default

We use every AI provider through their commercial API terms, which contractually exclude customer prompts and outputs from training future models.

Zero Data Retention

Beyond the default training exclusion, we are progressively signing Zero Data Retention agreements with providers. ZDR also eliminates routine retention of prompt content beyond what is strictly required to return a response.

The full list of AI providers handling customer data is itemised in our Data Processing Agreement, available on request via our contact form.

