Security
At ContractShield, we treat the contracts you upload with the seriousness they deserve. This page explains the measures we take to protect your data and keep the Service secure. This is a living document and will be updated as our controls evolve.
Data protection summary
- Encryption in transit: all connections use TLS 1.2 or higher.
- Encryption at rest: stored data is encrypted using AES-256.
- Hosting: our infrastructure runs on DigitalOcean in London, which holds ISO 27001, SOC 2, and other industry certifications.
- Access control: role-based access, multi-factor authentication for all administrative access, and least-privilege by default.
- Audit logging: privileged actions on production systems are logged and monitored.
How we handle your contracts
Storage. We do not retain your uploaded contracts. Once a contract has been processed, the original uploaded file is deleted. What we retain is the review output (analysis, risk flags, summaries) so you can access it from your dashboard. You should keep your own copy of any contract you submit for review.
In transit and during processing. While a contract is being processed, it is held in encrypted storage and accessible only to the authenticated account that uploaded it.
AI processing. Contract content is transmitted to Anthropic PBC (via the Claude API) to generate the review. This is governed by:
- Anthropic's Commercial Terms of Service, which contractually prohibit Anthropic from using your content to train its models;
- Anthropic's Data Processing Addendum, which governs Anthropic's processing of personal data on our behalf;
- Standard API retention of up to 30 days by Anthropic for abuse monitoring purposes. [If applicable: We operate under a Zero Data Retention (ZDR) arrangement with Anthropic, under which your content is not stored at rest after the API response is returned, except as strictly required for abuse screening.]
Your content is not used to train Anthropic's models or any general-purpose AI models.
No selling, no advertising. We do not sell your data. We do not share it with advertisers. See our Privacy Policy and DPA for full details.
Application security
- Secure development. Changes are peer-reviewed before deployment. We use static analysis and dependency scanning on every build.
- Dependency management. We monitor our dependencies for known vulnerabilities and patch promptly.
- Authentication. Passwords are stored using industry-standard hashing (bcrypt/argon2). We support [STRONG PASSWORD POLICY / MFA, as applicable].
- Session management. Sessions are protected with secure, HTTP-only cookies and are invalidated on logout or password change.
- CSRF, XSS, and injection protections are built into the framework we use and verified in code review.
Infrastructure security
- Network isolation. Production systems run in a dedicated virtual network. Internal services are not exposed to the public internet.
- Firewalls and WAF. Inbound traffic is filtered at the edge.
- Patching. Systems and containers are routinely updated with security patches.
- Backups. Daily encrypted backups, access-controlled, with defined recovery-time and recovery-point objectives.
Operational security
- Personnel. All personnel with access to production systems are subject to written confidentiality obligations and receive data protection and security training.
- Access reviews. Access to systems is reviewed [QUARTERLY / SEMI-ANNUALLY] and revoked on change of role or departure.
- Vendor management. We carry out due diligence on sub-processors and review their security posture before onboarding.
Payment security
Card payments are handled directly by Stripe, a PCI DSS Level 1 service provider. We do not see or store your full card number, CVC, or expiry date.
Incident response
We maintain an incident response plan with documented roles, escalation paths, and communication templates. In the event of a personal data breach affecting your data, we will notify you without undue delay and in any event within 48 hours, in line with our DPA.
Responsible disclosure
If you believe you have found a security vulnerability in the Service, please report it to security@contractshield.co.uk. We ask that you:
- give us a reasonable chance to investigate and fix before public disclosure;
- do not access accounts or data that do not belong to you;
- do not perform denial-of-service testing or anything that could degrade the Service for other users;
- do not run automated scans against production without prior written approval.
We will acknowledge your report within 2 business days and keep you informed as we investigate. We do not currently run a paid bug bounty, but we recognise contributors with their consent.
Compliance
- UK GDPR and Data Protection Act 2018: we are registered with the ICO under number CSN4396481 and handle personal data in accordance with the UK GDPR.
- PECR (cookies and electronic marketing): see our Cookie Policy.
- Certifications: [LIST ANY IN-PROGRESS OR COMPLETED CERTIFICATIONS, e.g. "Cyber Essentials (in progress)", or remove this line].
Subprocessor list
A current list of our sub-processors is available at https://contractshield.co.uk/sub-processors.
Contact
Security questions: security@contractshield.co.uk
Privacy questions: privacy@contractshield.co.uk
General support: support@contractshield.co.uk