Security & privacy
Your contracts are serious.
We treat them that way.
Nothing you send us ever ends up in a training set, a third-party log, or a data broker’s inbox. Here’s exactly what we do, and how you can verify it.
Encryption everywhere
Your contracts never sit in the clear.
- TLS 1.3 on every API endpoint and page load
- HSTS enforced and submitted to the browser preload list, so browsers never fall back to plain HTTP (no SSL-stripping)
- AES-256-GCM at rest on stored uploads and database rows
- Encrypted backups, rotated every 30 days
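The HSTS claim above is one a reader can check from the outside. The following is an added example, not code from this page or from pactsafe.ai: it parses a Strict-Transport-Security header value and tests it against the published preload-list requirements (max-age of at least 31536000 seconds, includeSubDomains, and preload). The sample header values are constructed, not captured from any real host.

```python
"""Check a Strict-Transport-Security header against the HSTS preload
requirements: max-age >= 31536000, includeSubDomains, and preload.
Added example; the sample headers below are constructed, not captured
from pactsafe.ai or any other host."""
from typing import Optional

# Minimum max-age the preload list requires: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31_536_000


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797). max-age is
    converted to int when it is a valid number, else None; other
    directives map to True when bare, or to their (unquoted) value.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            directives[name] = int(raw) if raw.isdigit() else None
        else:
            directives[name] = raw if raw else True
    return directives


def check_hsts(value: Optional[str]) -> dict:
    """Return which preload requirements the header satisfies.

    A missing header (None or empty) fails every check.
    """
    if not value:
        return {"present": False, "max_age_ok": False,
                "include_subdomains": False, "preload": False,
                "preload_eligible": False}
    d = parse_hsts(value)
    max_age = d.get("max-age")
    result = {
        "present": True,
        "max_age_ok": max_age is not None and max_age >= PRELOAD_MIN_MAX_AGE,
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
    }
    result["preload_eligible"] = all(
        result[k] for k in ("max_age_ok", "include_subdomains", "preload"))
    return result


# Constructed sample header values (not captured from any real host).
SAMPLES = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=86400; includeSubDomains; preload",
    "no_preload": "max-age=31536000; includeSubDomains",
    "missing": None,
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:>10}: {check_hsts(hdr)}")
```

To run it against a live host, feed the function the header value from a real response, for example the output of `curl -sI https://<host>/ | grep -i strict-transport-security` (with the header name stripped); only the "good" sample satisfies all three preload requirements, and the "short" one shows the common misconfiguration of a max-age that is too low for preload.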
Never used for training
Your contracts don’t end up in anyone’s training set.
- Zero-retention flags set on all Anthropic & Groq API calls
- No internal training corpus built from customer data
- No data shared with third parties other than the LLM providers named above, and only for the duration of that API call
- Delete any analysis on demand; it is purged within 24 hours
Least-privilege access
Only the code and people who need to touch data can.
- Engineers use 2FA-protected SSO on all production consoles
- Role-based database access, audit-logged
- Secrets managed in a hardware-backed vault
- Access reviews every 90 days
Infra & monitoring
Built on SOC 2-certified providers and watched 24/7.
- Hosted on Vercel (frontend) and Fly.io (API) — both SOC 2 Type II
- Database isolated in a private network; no public internet access
- Uptime monitoring with 60-second resolution
- Automated anomaly detection on auth & API patterns
Found a vulnerability?
We welcome responsible disclosure. Email security@pactsafe.ai with details and a proof of concept. We’ll respond within 48 hours, fix valid issues promptly, and credit you publicly (with your consent).
- Please don’t run automated scanners.
- Please don’t access other users’ data, even if you find a way.
- Please give us a reasonable window to fix before public disclosure.
Are you SOC 2 certified?
Not yet — we're in a pre-audit phase. In the meantime, the infrastructure we build on (Vercel, Fly.io, Neon) is SOC 2 Type II certified, and we follow SOC 2-aligned practices internally.
Do you train models on my contracts?
No. Zero-retention flags are set on all LLM API calls, and we do not build internal training corpora from customer data. This is a hard rule.
Where are my contracts stored?
In an encrypted database in the US region of our cloud provider. Backups are encrypted and also stored in the US. If you need EU data residency, contact us before uploading.
How long do you keep my data?
As long as your account is active and you haven't deleted the analysis. Deleting an analysis triggers a purge within 24 hours; closing an account triggers a full purge within 30 days.
Questions? Email our team.