ClauseSpark
Security & compliance

Your contracts. Your data. Always.

Contract data is some of the most sensitive material an enterprise produces. We treat it accordingly: encrypted at rest, encrypted in transit, isolated per tenant, and contractually prohibited from being used for model training.

Encryption

In transit: TLS 1.3
At rest: AES-256
Key management: AWS KMS, customer-managed keys (Enterprise)
Backups: AES-256, geographically separated, 30-day retention

Data handling

Training on your data: Never, contractually prohibited
Data residency: EU (Frankfurt) or US (Virginia)
Tenant isolation: Per-customer logical isolation; dedicated tenants on Enterprise
Deletion: Hard-delete on request, within 30 days

Access controls

SSO: Okta, Google Workspace, Azure AD, generic SAML 2.0
MFA: Required for all admin accounts
RBAC: Configurable per-matter and per-document
Audit log: Every access, every edit, retained for 7 years

Compliance

SOC 2 Type II: In progress, expected Q3 2026
GDPR: EU data residency + DPA available
HIPAA: BAA available on Enterprise tier
ISO 27001: Roadmap, target 2027

Infrastructure

Cloud provider: AWS (us-east-1, eu-central-1)
Network: Private VPC, no public DB endpoints
Patch cadence: Security patches within 24h, criticals within 4h
Pen-testing: Annual third-party + continuous bug bounty

Reliability

SLA: 99.9% on Enterprise
Status page: status.clausespark.com
Recovery: RTO 4h / RPO 1h
On-call: 24/7 engineering, 1h response on Enterprise

The training question

Will you train your models on my contracts? No. Here's why.

Generic AI products — including the major chatbots — typically train their models on customer inputs by default. We don't, and we contractually can't.

Every customer agreement contains an explicit prohibition on using your contract data for model training. Internally, customer data is stored in tenant-scoped databases that are not connected to our model-training pipeline at the network level. The training corpus we do use is exclusively public-domain material (regulatory filings, court records) and a curated dataset of customer-volunteered, fully-anonymised contracts where the customer has explicitly opted in.

On Enterprise, you can have customer-managed encryption keys (CMKs), so even our infrastructure team cannot decrypt your data without your active cooperation.

Get started

Need a security review?

We provide our SOC 2 status report, DPA, BAA, and pen-test summary on request.

No credit card. 14-day trial. Cancel anytime.