Security
ContractKen protects your data and your clients' information with top security features and protocols.

ContractKen Legal & Security FAQ

Last updated: July 23, 2025
Have a due‑diligence questionnaire (DDQ) or security review? Email hello@contractken.com and we’ll respond fast.

1. Data Privacy & Confidentiality

We process only what’s needed to deliver the service: the contract text you choose to analyze, your playbooks / precedents / instructions, and minimal account metadata (account data, usage logs). We do not scan your entire Word document repository, inbox, or similar stores by default.

No. Your documents, prompts, and outputs are never used to train or fine‑tune any public or shared model. They remain your property.

We use strict tenant‑level logical isolation and per‑customer encryption keys. Your data is never mixed with another customer’s corpus.

Primary hosting is on AWS. We can provide EU/US data residency on request and share our current sub‑processor list.

Yes. Admins can request immediate purge of documents, prompts, logs, and backups. Routine retention is 30 days for operational logs; you can contractually set this to 0.

We treat all content as confidential work product. Access is role‑based, logged, and limited to support engineers on a need‑to‑know basis under NDA and confidentiality obligations.

2. Security & Compliance

Yes, ContractKen holds SOC 2 Type II (latest report available under NDA). We align with ISO 27001/27701 controls and share our security white‑paper on request.

TLS 1.2+ in transit; AES‑256 at rest using AWS Key Vault/HSM‑backed keys. Customer‑managed keys are available for enterprise plans.

We have a documented plan with 24×7 monitoring. Clients are notified of any material incident without undue delay (contractually within 72 hours or faster if required by law).

We conduct annual third‑party penetration tests and share executive summaries. Customer audits are welcome under reasonable notice and confidentiality.

Yes, for enterprise customers. SSO via Azure AD, Okta, Google Workspace, etc. MFA is enforced for admins. RBAC lets you control who can upload playbooks, review drafts, or export data.

Yes. Enterprise admins can view/export logs showing who opened, edited, or exported which document and when.

3. AI/Model Governance & IP

We default to best‑in‑class LLMs (e.g., OpenAI, Google via API) behind our moderation layer. Enterprise customers can bring their own model/endpoint.

Requests are sent via private, no‑training endpoints. Providers contractually commit not to use your data for training. We mask PII/sensitive fields when configured.

You do. We grant no license beyond what’s needed to run the service. Outputs are yours to use, modify, or delete.

We ground the model on your own playbooks/precedents, show sources, and encourage human review. Our UI flags low‑confidence suggestions.

Yes. Admins can enable prompt/history export for audit or compliance reviews.

All bundled sample language is either authored by us, licensed, or sourced from public‑domain materials. You can store your own precedents privately.

We warrant that the service will perform materially as documented and that we won’t knowingly infringe third‑party IP. We don’t warrant legal accuracy of AI outputs; lawyer review is required.

Standard caps are tied to annual fees with carve‑outs for data breach, gross negligence, and IP infringement. We’re open to reasonable adjustments for enterprise deals.

Yes, for third‑party IP infringement claims arising from our service. We also carry cyber/E&O insurance and can share certificates.

99.5% uptime monthly. Priority support SLAs: P1 within 2 hours, P2 within 8 hours. Service credits apply if we miss targets.

You can export contracts, playbooks, logs, and metadata (DOCX/JSON/CSV) before termination. We’ll assist for 30 days post‑termination if requested.

Typically Delaware law & arbitration (JAMS/AAA). We’re flexible to match your jurisdictional needs.

5. Implementation, Integrations & Operations

Minimal: it reads the active document content you choose to analyze and sends it securely to our backend for processing. It does not access other files or emails.

For highly regulated teams, we offer a private deployment where all inference happens in your Azure tenant or VPC.

Typical redline generation is under 10 seconds for a standard agreement; larger agreements (e.g., 100+ pages) average 20–40 seconds.

Absolutely. Upload them securely; ContractKen will screen drafts against your standards and suggest edits accordingly.

We maintain a public changelog and provide 30 days’ notice for any change that could materially affect data handling or SLAs.

6. Ethics, Compliance & Governance

Yes. We test models on diverse contract sets and provide transparency on limitations. We also let admins enforce redaction rules to avoid prohibited data in prompts.

Yes. Suggestions are visually distinct in Word, with comments explaining the rationale.

Yes. We sign DPAs, honor data‑subject rights (access, deletion, portability), and act as a processor under GDPR and a service provider under CCPA/CPRA.

7. Need More Detail?

  • Security White‑paper & Data‑flow Diagram – request via hello@contractken.com
  • SOC 2 Report / Pen‑test Summary – under mutual NDA
  • DPA, Sub‑processor List & Insurance Certs – available on request
  • Custom Terms (BYO model, on‑prem, escrow) – talk to hello@contractken.com

Still have questions? Send us your DDQ spreadsheet or questionnaire; we’ll turn it around quickly.
Book a 20‑minute security / legal deep‑dive