Infrastructure
Encryption in Transit
All data transmitted between clients and KontractAI is encrypted using TLS 1.2+ with strong cipher suites. HSTS headers enforce HTTPS connections.
Encryption at Rest
Contract documents and database contents are stored on encrypted volumes. Backups are encrypted and stored separately from production data.
Isolated Infrastructure
KontractAI runs on dedicated infrastructure with containerized services. Database access is restricted to internal network connections only.
Automated Backups
Database backups run on an automated schedule with retention policies. Backup integrity is verified regularly.
Access Controls
Single Sign-On (SSO)
KontractAI supports SAML-based SSO via Microsoft Entra ID, enabling organizations to enforce their existing identity policies and MFA requirements. For non-SSO users, TOTP two-factor authentication is available with admin enforcement.
Two-Factor Authentication
TOTP-based two-factor authentication is compatible with Microsoft Authenticator, Google Authenticator, and any standards-compliant authenticator app. Administrators can enforce 2FA on a per-user basis. Single-use recovery codes are provided during setup.
Role-Based Access
KontractAI provides five role tiers (Admin, Lawyer, Legal Ops, Requester, Executive) with granular permissions. Users see only the data and functions relevant to their responsibilities.
IP Allow-Listing
Administrators can restrict application access to approved IP addresses or CIDR ranges, limiting exposure to authorized networks.
Audit Logging
Every action in KontractAI is logged with timestamps, user identity, and details. Audit trails are immutable and available for compliance review.
Document Security
Version Control
Every document version is tracked with a SHA-256 checksum, the uploader's identity, and an immutable timestamp, giving a complete audit trail from first draft to execution.
SharePoint Integration
Documents are automatically synced to SharePoint Online with structured naming conventions and folder hierarchies. Final drafts are archived to a dedicated Contract Repository.
Document Tagging
Uploaded documents are embedded with custom XML metadata linking them to their contract request, enabling chain-of-custody tracking and automated association across platforms.
Word Add-in
The KontractAI Word Add-in communicates exclusively over HTTPS with full JWT authentication and 2FA support. Office iframe embedding is controlled via Content-Security-Policy headers.
AI Security
KontractAI uses Anthropic's Claude API for contract extraction and analysis. Documents are sent to Claude's API for processing and are not retained by Anthropic for model training. Anthropic's data handling practices are governed by their commercial API terms, which prohibit the use of customer data for training purposes.
All AI interactions are logged in the audit trail, and extraction results are always subject to human validation before being committed to the repository.
Compliance Roadmap
KontractAI is actively working toward formal compliance certifications. Our current security controls are aligned with the principles of SOC 2 Type II and ISO 27001, and we anticipate commencing formal audit processes as the platform scales to production client deployments.
Responsible Disclosure
If you believe you have identified a security vulnerability in KontractAI, please contact us at security@kontractai.com. We take all reports seriously and will respond within 48 hours.