# Security & Compliance Overview
Contract-as-Code is designed for HR and payroll teams handling sensitive employee data under strict regulatory obligations. This section documents our security architecture, data handling practices, and compliance posture.
## Architecture summary
```
┌──────────────┐      ┌──────────────┐      ┌───────────────────┐
│  Agreement   │      │   Employee   │      │    Validation     │
│  PDF upload  │─────▶│  CSV upload  │─────▶│      Engine       │
│              │      │ (PII hashed) │      │  (rules + data)   │
└──────┬───────┘      └──────┬───────┘      └──────┬────────────┘
       │                     │                     │
       ▼                     ▼                     ▼
┌──────────────┐      ┌──────────────┐      ┌───────────────────┐
│  OpenAI API  │      │   Regional   │      │    Findings &     │
│  (clause     │      │  GCP storage │      │     Reports       │
│  text only)  │      │  (encrypted) │      │   (audit trail)   │
└──────────────┘      └──────────────┘      └───────────────────┘
```

## Key boundaries
| Boundary | What crosses it | What doesn't |
|---|---|---|
| OpenAI API | Agreement clause text | Employee data, PII, payroll records |
| Regional GCP storage | Encrypted agreement PDFs, hashed employee data | Unencrypted PII, cross-border transfers |
| Client browser | Application UI, validation results | Raw CSV data (processed server-side) |
## Security controls
| Control | Implementation |
|---|---|
| Encryption at rest | AES-256 (GCP managed keys) |
| Encryption in transit | TLS 1.2+ everywhere |
| Employee PII | SHA-256 hashed before processing or storage |
| Authentication | Firebase Authentication with MFA support |
| Authorization | Role-based access control (Admin, Reviewer, Viewer) |
| Infrastructure access | MFA required, least-privilege IAM |
| Audit logging | All data access and modifications logged, 7-year retention |
| Penetration testing | Annual third-party testing (results available under NDA) |
| Dependency scanning | Automated vulnerability scanning in CI/CD |
| Incident response | Documented incident response procedure |
## Compliance
| Framework | Status |
|---|---|
| PIPEDA (Canada) | Compliant |
| CCPA/CPRA (California) | Compliant |
| UK GDPR / DPA 2018 | Compliant |
| Australian Privacy Act (APPs) | Compliant |
| SOC 2 Type II | In progress |
## For procurement teams
If you are evaluating Contract-as-Code for enterprise deployment, we can provide:
- Security questionnaire responses (SIG, CAIQ, or your custom format)
- Data Processing Agreement (DPA) under your applicable privacy law
- Penetration test summary (under NDA)
- Architecture diagram with network boundaries and data flows
- Subprocessor list with DPAs for each third-party service
Contact security@contract-as-code.com for procurement materials.
## Related pages
- Data Privacy — PII handling, AI processing scope
- Data Residency — regional infrastructure and cross-border transfers
- Authentication — login, MFA, SSO, and roles