Contract Cloud Security
At Contract Cloud, security and compliance are integral to our platform. This page outlines the frameworks, controls, and practices that protect your information while you use our AI contract review, legal document management, and contract management software.
Information Security Framework
Contract Cloud operates under a formal IT Risk Management Framework aligned to Information Technology Infrastructure Library (ITIL) practices and continuous improvement.
Change, release, and incident management processes are documented and subject to review, ensuring every change is tested, approved, and reversible.
Our systems are monitored 24/7 with automated alerting, escalation, and on-call coverage for priority issues. Governance processes define our risk appetite, maintain risk registers, and ensure periodic security reviews are undertaken.
Data Residency and Infrastructure
All customer data at rest is stored exclusively in Australia, within the Amazon Web Services (AWS) Sydney data centre. AWS provides world-class physical and environmental security under a shared-responsibility model, which we supplement with our own platform-level controls.
Data in transit is encrypted using TLS 1.3, and all internal connections use modern cipher suites and transport-layer security. Processing by third parties is restricted to only what is necessary to enable features like AI contract review through large-language-model services.
Data Classification and Protection
All customer data is treated as Confidential. We apply multiple layers of protection, including:
- Encryption: AES-256 for data at rest, TLS 1.3 for data in transit.
- Access Control: Role-based access control (RBAC), least-privilege permissions, and quarterly access reviews.
- Tenant Isolation: Logical segregation of data between customers using dedicated schemas and identifiers.
- Backups: Encrypted backups stored in-region on AWS.
- Security Tooling: Cloudflare for edge security and DDoS protection, and Aikido Security for vulnerability and posture management.
- Audit Logging: Centralised, tamper-evident logging with continuous monitoring and alerting.
User Access and Authentication
Access to the Contract Cloud platform is secured through strong password policies, configurable session timeouts, and re-authentication requirements.
We support SAML 2.0 Single Sign-On (SSO) with identity providers such as Microsoft Entra ID and ADFS, available as a paid add-on for enterprise customers.
All sign-in events and privileged actions are logged and regularly reviewed.
Network and Perimeter Security
We protect our network perimeter using Cloudflare Web Application Firewall (WAF), bot management, and rate-limiting.
Transport security is enforced with HSTS and TLS 1.3, and the network is segmented between public, application, and data tiers, following the principle of least privilege.
Data Integrity and Continuity
Weekly full backups are retained for four weeks and stored in encrypted form on AWS.
We maintain documented Disaster Recovery (DR) and Business Continuity Plans (BCP), which are reviewed and tested annually.
Our Recovery Time Objective (RTO) is 4 hours, and our Recovery Point Objective (RPO) is 24 hours.
Site availability and integrity are monitored continuously.
Incident Management
Contract Cloud maintains a structured Incident Response Plan to manage potential security events.
All alerts are triaged immediately, with critical events targeted for response within 60 minutes.
Each incident follows a contain–eradicate–recover cycle, with root cause analysis and corrective actions.
Customers are notified promptly in line with applicable laws, including Australia’s Notifiable Data Breaches Scheme.
Data Lifecycle Management
Customer data can be exported on request in machine-readable formats such as PDF, DOCX, or ZIP. Exports are provided securely via SFTP or expiring encrypted links.
Following confirmed receipt, data is permanently deleted from active systems and backups in accordance with retention schedules. A certificate of deletion is available upon request.
Security Testing and Audit
We conduct monthly vulnerability scans and apply critical patches within 48 hours of release. Regular maintenance and updates are performed monthly across operating systems and applications to maintain a strong security posture.
Support and Service Levels
Contract Cloud provides support between 08:00 and 22:00 AEST, Monday to Friday (excluding Queensland public holidays), with a 99.0% monthly uptime target.
Our standard maintenance window runs from 20:00 to 04:00 AEST with at least 48 hours’ notice.
We make commercially reasonable efforts to meet our service level targets, with optional remote diagnostic access available with client consent to accelerate troubleshooting.
Third-Party Providers
We engage a small number of trusted partners to deliver our service, including:
- Amazon Web Services (AWS) – hosting (Sydney region)
- Cloudflare – edge security and content delivery network
- Aikido Security – security monitoring and vulnerability management
- OpenAI API – large-language-model service used for contract analysis
Each provider undergoes a risk assessment, is subject to data-minimisation principles, and operates under strict contractual and technical safeguards.
We do not permit any provider to train their models on customer data, and provider data-retention settings are configured wherever possible.
Data Loss Prevention
Data Loss Prevention (DLP) tools are implemented on managed endpoints for staff with production access. Strict role separation and encrypted network transfers further reduce exposure risk.
Automated alerts and anomaly detection identify unusual data movements, and any potential events are subject to rapid containment procedures.