Enterprise-grade Security

Security Policy

Last Updated: January 2026

Your contract data is sensitive. We built Paralegent AI with security as a foundational principle, not an afterthought. Here's how we protect your information.

AES-256

Encryption at Rest

TLS 1.3

Encryption in Transit

SOC 2

Type II Compliant

90 Days

Auto Data Deletion

TL;DR

Paralegent AI uses enterprise-grade encryption (AES-256 at rest, TLS 1.3 in transit), complete data isolation per user, automatic 90-day data deletion, and SOC 2 Type II compliant infrastructure. Your contracts are never used for AI training and are never shared with other users.

Security Overview

1. Data Encryption 2. Data Isolation 3. Infrastructure Security 4. Access Controls 5. Data Retention & Deletion 6. AI Model Security 7. Compliance & Certifications 8. Incident Response 9. Vendor Security 10. Security Contact

1Data Encryption

Encryption at Rest

→AES-256 encryption for all stored data in AWS S3 and DynamoDB
→AWS Key Management Service (KMS) for encryption key management
→Automatic key rotation policies
→Encrypted database backups with separate key management

Encryption in Transit

→TLS 1.3 for all API communications
→HTTPS enforced on all endpoints (no HTTP fallback)
→Certificate pinning for Microsoft Word add-in communications
→Encrypted connections to all third-party AI providers

2Data Isolation

Complete tenant isolation ensures your data is never accessible by other users or organizations.

User ID Filtering

Every database query includes mandatory user ID filtering to prevent cross-tenant data access

Separate Processing

Each contract analysis runs in isolated processing environments

Segregated Storage

Contracts, playbooks, and analysis results are stored in user-specific namespaces

Audit Logging

All data access is logged with user context for security monitoring and compliance

3Infrastructure Security

AWS Infrastructure

→Hosted on AWS US-East-1 region
→AWS Lambda for serverless compute
→DynamoDB for database storage
→S3 for document storage
→CloudFront CDN for global delivery

Network Security

→AWS WAF for web application firewall
→DDoS protection via AWS Shield
→VPC isolation for internal services
→API rate limiting (10 req/sec, 20 burst)
→Intrusion detection monitoring

4Access Controls

User Authentication

→Clerk authentication with enterprise-grade security
→Multi-factor authentication (MFA) support
→Single Sign-On (SSO) for enterprise customers
→JWT tokens with automatic refresh and expiration
→Session management with secure cookie handling

Internal Access

→Principle of least privilege for all team members
→No direct production database access
→All administrative actions require MFA
→Access reviews conducted quarterly

5Data Retention & Deletion

Automatic Data Deletion

All contract data and analysis results are automatically deleted after 90 days using DynamoDB Time-To-Live (TTL) policies. This ensures your sensitive contract data doesn't persist longer than necessary.

What Gets Deleted

→Uploaded contract documents
→Analysis results and risk assessments
→Generated redlines and suggestions
→Vector embeddings
→Temporary processing files

Retention Periods

→Contracts: 90 days (auto-delete)
→Playbooks: While account active
→Account data: 30 days post-closure
→System logs: 30 days
→On-demand deletion: Available anytime

6AI Model Security

Your Data Is Never Used for Training

Your contracts and playbooks are never used to train AI models. We use commercial API agreements with OpenAI, Anthropic, and Google that explicitly prohibit using customer data for model training.

AI Provider Security

→OpenAI: Enterprise API with zero data retention
→Anthropic: Commercial agreement prohibiting training on customer data
→Google: Vertex AI with enterprise data handling
→All providers have SOC 2 Type II certification

Processing Security

→Contract text is processed in memory only
→No persistent storage at AI provider level
→Encrypted API calls with request/response logging disabled
→Isolated processing per analysis request

7Compliance & Certifications

Infrastructure Compliance

→SOC 2 Type II compliant infrastructure (AWS)
→ISO 27001 certified data centers
→GDPR compliant data handling
→CCPA compliant for California users

Security Practices

→Regular penetration testing
→Vulnerability scanning and patching
→Annual security audits
→Employee security training

8Incident Response

Our Incident Response Process

Detection & Containment

Immediate isolation of affected systems and assessment of impact scope

Investigation

Root cause analysis and determination of affected data/users

Notification

Affected users notified within 72 hours as required by GDPR and applicable laws

Remediation & Prevention

Implementation of fixes and preventive measures to avoid recurrence

9Vendor Security

We carefully select vendors who meet our security standards and maintain appropriate certifications.

Vendor	Purpose	Certifications
AWS	Infrastructure & Storage	SOC 2, ISO 27001, GDPR
Clerk	Authentication	SOC 2 Type II
OpenAI	AI Processing	SOC 2 Type II
Anthropic	AI Processing	SOC 2 Type II
Google Cloud	AI Processing (Vertex AI)	SOC 2, ISO 27001
Pinecone	Vector Database	SOC 2 Type II

10Security Contact

Report Security Issues

If you discover a security vulnerability or have concerns about our security practices, please contact us immediately:

Security Email: security@paralegent.ai

General Contact: Contact Form

We take all security reports seriously and will respond within 24 hours. We appreciate responsible disclosure and will work with you to address any valid security concerns.

Questions About Our Security?

Our team is available to discuss our security practices and answer any questions about how we protect your contract data.

Request a Demo Contact Security Team