Security

Effective March 23, 2026. This page describes how ClauseMinds approaches these topics for transparency. It is not legal advice; have counsel review for your organization.

Overview

ClauseMinds is built for teams that handle sensitive contracts. We design for strong tenancy boundaries, traceable access, and defense in depth. This page summarizes our security posture at a high level. For how we handle personal data, see our Privacy Policy.

Data isolation and access control

The product is structured around workspaces. Users can access contracts, obligations, and settings only within workspaces where they are members; this is enforced server-side in the application and API layers. Role-based permissions restrict administrative actions such as billing, team management, and notification configuration, where those features are enabled.

Deployment shape determines where primary data resides: the standard product runs on ClauseMinds-managed infrastructure; managed private deployment uses a dedicated stack operated by ClauseMinds; customer-owned deployment (Enterprise) runs in cloud projects your organization controls, for example a Supabase database and storage project you own, with the application hosted in a matching environment.

Encryption and transport

Data in transit is protected with TLS for browser and API traffic. Stored customer content and metadata rely on the at-rest protections of our hosting and storage providers (for example encrypted object storage where that option is enabled). In customer-owned deployments those settings live in projects you control, so confirming them is part of your configuration.

Authentication

Customer authentication is typically provided through a managed identity provider (for example Supabase Auth). We recommend customers enforce strong passwords, SSO where available, and least-privilege workspace membership.

Application security

We apply common secure-development practices, including:

  • Scoped authorization checks on sensitive reads and writes.
  • Validation of uploads (type, size) to reduce abuse and the risk of malicious files.
  • Structured logging designed so that contract content is not written to logs unnecessarily.
  • Dependency maintenance and review of security-relevant changes.
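The following is an added example, not ClauseMinds code, showing the two checks named above in working form: a workspace-scoped authorization check that derives the workspace from the stored record rather than the request (and reports foreign records as not found, so the response does not confirm the id exists), a role gate for an administrative write, and upload validation that checks size bounds and the file's leading bytes against the declared type. The roles, size limit, store layout and sample records are assumptions for illustration.

```python
# Added example (not ClauseMinds code): workspace-scoped authorization and
# upload validation. Roles, limits, store layout and sample data are assumed.
from dataclasses import dataclass

# Role ordering used for administrative checks (assumed roles).
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}


@dataclass(frozen=True)
class Contract:
    id: str
    workspace_id: str
    name: str


# Constructed sample data: two tenants, one of them with an admin.
MEMBERSHIPS = {
    ("alice", "ws-acme"): "member",
    ("bob", "ws-acme"): "admin",
    ("mallory", "ws-other"): "owner",
}
CONTRACTS = {
    "c-1": Contract("c-1", "ws-acme", "MSA-2026.pdf"),
    "c-2": Contract("c-2", "ws-other", "NDA.pdf"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def require_member(user_id: str, workspace_id: str, min_role: str = "member") -> str:
    """Return the caller's role in the workspace, or raise Forbidden.

    Every sensitive read or write goes through this check, so membership
    in the workspace, not the shape of the request, decides access.
    """
    role = MEMBERSHIPS.get((user_id, workspace_id))
    if role is None or ROLE_RANK[role] < ROLE_RANK[min_role]:
        raise Forbidden(f"{user_id} lacks {min_role} in {workspace_id}")
    return role


def get_contract(user_id: str, contract_id: str) -> Contract:
    """Load a contract the caller may see.

    The workspace comes from the stored record, never from the request, so a
    caller cannot pair someone else's contract id with a workspace they do
    belong to. A foreign contract is reported as NotFound, not Forbidden,
    so the response does not confirm that the id exists.
    """
    contract = CONTRACTS.get(contract_id)
    if contract is None:
        raise NotFound(contract_id)
    try:
        require_member(user_id, contract.workspace_id)
    except Forbidden:
        raise NotFound(contract_id) from None
    return contract


def set_notification_settings(user_id: str, workspace_id: str, settings: dict) -> dict:
    """Administrative write: requires the admin role or higher."""
    require_member(user_id, workspace_id, min_role="admin")
    return {"workspace_id": workspace_id, **settings}


# Upload validation: size bounds plus a check of the leading bytes against
# the declared type, because the Content-Type header is chosen by the client.
MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # assumed limit
MAGIC_BY_TYPE = {
    "application/pdf": b"%PDF-",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": b"PK\x03\x04",
}


def validate_upload(data: bytes, declared_type: str) -> str:
    """Return the accepted content type, or raise ValueError."""
    if not data:
        raise ValueError("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload exceeds size limit")
    magic = MAGIC_BY_TYPE.get(declared_type)
    if magic is None:
        raise ValueError(f"type not allowed: {declared_type}")
    if not data.startswith(magic):
        raise ValueError("content does not match declared type")
    return declared_type


def raises(exc: type, fn, *args) -> bool:
    """Report whether fn(*args) raises exc; used to show the rejection paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print(get_contract("alice", "c-1").name)                                      # MSA-2026.pdf
    print(raises(NotFound, get_contract, "mallory", "c-1"))                       # True
    print(raises(Forbidden, set_notification_settings, "alice", "ws-acme", {}))   # True
    print(validate_upload(b"%PDF-1.7 sample", "application/pdf"))                 # application/pdf
    print(raises(ValueError, validate_upload, b"<html>", "application/pdf"))      # True
```

The signature check is deliberately shallow: it rejects a declared-PDF that is really HTML, but it does not parse the file, so a real deployment still needs size limits, storage that never serves uploads as executable content, and scanning where the threat model calls for it.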

Backups and availability

Database and infrastructure availability and backup practices depend on your deployment (for example, managed Postgres and object storage from our cloud providers). Enterprise deployments can set retention and recovery objectives in a separate agreement.

Subprocessors

The Service may rely on subprocessors for hosting, authentication, email delivery, analytics, and payments. Customers should review vendor documentation for their environment and our Privacy Policy for data handling.

Your responsibilities

Customers play an important part in security:

  • Maintain control of user accounts and remove access when people leave.
  • Classify and permission contract data according to internal policy.
  • Use supported browsers, keep devices patched, and protect session tokens.
  • Report suspected incidents promptly using the contact channel below.

Reporting vulnerabilities

If you believe you have found a security vulnerability in the Service, please contact us with a description and reproduction steps. We ask that you avoid disruptive testing (for example no denial-of-service against production) and give us reasonable time to remediate before public disclosure.

Contact

Security questions or incident reports: use our contact page.
