Trust & Security

How we protect your contracts and invoices

Kontraxa is the operating layer customers run their highest-stakes supplier agreements through. This page documents how we hold that data, who has access, what we share with whom, and the rights you retain over your own information.

At a glance

Encryption at rest: AES-256 (Supabase) for all customer data
Encryption in transit: TLS 1.3 on every wire
Tenant isolation: three independent layers (app, Postgres FORCE RLS, storage prefix)
Audit chain: HMAC-SHA256 with per-tenant secret
BYOK Anthropic key: use your own Anthropic account; we never see the API responses
Customer rights: one-click export & deletion (GDPR Articles 17 + 20)

Where your data lives

Customer data — contract PDFs, invoice PDFs, engine analysis results, audit log — lives in your dedicated Supabase project hosted on AWS us-east-1. Object storage is private; downloads happen through short-lived signed URLs we generate per request, never via direct public links. Every storage object is filed under tenants/{your-id}/..., which is enforced both at upload and again before any signed URL is issued.

EU customers can opt for an EU-region Supabase project on the Enterprise tier. Data lives in the chosen region for the lifetime of the workspace.

How tenants are isolated from each other

Three independent layers must all fail before one customer can see another's data:

Layer 1: Application
  Mechanism: every database query carries an explicit tenant_id = $N predicate.
  Enforced by: API code (peer-reviewed; covered by automated tests).

Layer 2: Database
  Mechanism: Postgres FORCE ROW LEVEL SECURITY policies enforce tenant_id = current_tenant_id() on every tenant-scoped table.
  Enforced by: Postgres itself — even a query that forgets the predicate returns no cross-tenant rows.

Layer 3: Storage
  Mechanism: every object lives under tenants/{your-id}/..., asserted before signing URLs.
  Enforced by: the storage adapter — it refuses to sign a URL for a path you don't own.
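The storage layer's ownership assertion is the one check a reviewer most wants to see written down, because a bare prefix comparison can be fooled by a key such as tenants/acme/../other/file.pdf. The following is an added example, not Kontraxa's own adapter code; it assumes the tenants/{your-id}/... layout described above, and the function names (owned_object_key, is_owned, sign_download) and the sample keys are constructed for illustration. The key is normalised before the prefix is compared, and the same function is meant to run at upload and again immediately before a signed URL is issued.

```python
import posixpath

TENANT_ROOT = "tenants"  # matches the tenants/{your-id}/... layout described above


def owned_object_key(tenant_id: str, requested_key: str) -> str:
    """Return the canonical storage key if it lies under this tenant's prefix.

    Raises PermissionError otherwise. Hypothetical helper intended to run both
    at upload time and again right before a signed URL is produced.
    """
    if not tenant_id or "/" in tenant_id or tenant_id in (".", ".."):
        raise ValueError("malformed tenant id")
    # Normalise before comparing: collapse '//' and './' and resolve '..' so the
    # key is judged by where it actually points, not by how it was spelled.
    canonical = posixpath.normpath(requested_key.lstrip("/"))
    prefix = f"{TENANT_ROOT}/{tenant_id}/"
    if not canonical.startswith(prefix):
        raise PermissionError(f"{requested_key!r} is outside {prefix}")
    return canonical


def is_owned(tenant_id: str, requested_key: str) -> bool:
    """Boolean view of owned_object_key for callers that only need yes/no."""
    try:
        owned_object_key(tenant_id, requested_key)
        return True
    except (PermissionError, ValueError):
        return False


def sign_download(tenant_id: str, requested_key: str, ttl_seconds: int = 60) -> dict:
    """Stand-in for the adapter's signing step: only a key that passes the
    ownership check is ever handed to the (hypothetical) URL signer."""
    key = owned_object_key(tenant_id, requested_key)  # raises before any signing
    return {"key": key, "expires_in": ttl_seconds}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three that must be refused.
    samples = [
        ("acme", "tenants/acme/contracts/msa-2024.pdf"),
        ("acme", "tenants/acme/../globex/contracts/msa-2024.pdf"),
        ("acme", "tenants/acme-holdings/invoices/inv-1.pdf"),
        ("acme", "/tenants/globex/invoices/inv-1.pdf"),
    ]
    for tenant, key in samples:
        print(f"{key:55} -> {'sign' if is_owned(tenant, key) else 'REFUSE'}")
```

Normalising with posixpath.normpath rather than the platform-specific os.path keeps the comparison identical on every host, and checking the prefix with its trailing slash stops tenants/acme-holdings/ from matching a tenant named acme.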

Tamper-evident audit chain

Every state change — contract upload, invoice analysis, flag decision, recovery move, settings change, sign-in event — appends one row to an HMAC-chained audit log. Each row's hash is HMAC-SHA256(tenant_secret, prev_hash || canonical_event_json). The per-tenant secret is generated at workspace creation, stored separately from the application's database credentials, and never returned by any API endpoint.

Altering or deleting any row invalidates the HMAC of every row that follows it, because each row's hash commits to the hash of the row before. The Activity log in your workspace has a Verify integrity button that walks the chain and reports the row id of the first break, if any. Auditors and regulators get a single CSV export of the full chain on demand.
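To make the chain construction and the "first break" walk concrete, here is an added example, not Kontraxa's own code, that implements the formula above with Python's standard library. It assumes a fixed all-zero genesis value as the prev_hash of the first row and a canonical JSON form of sorted keys with no whitespace; both are assumptions of this example, and the event dicts are constructed samples.

```python
import hashlib
import hmac
import json
import secrets

# Fixed prev_hash for the first row of a tenant's chain (an assumption of this
# example; the page does not state the real genesis value).
GENESIS = b"\x00" * 32


def canonical_event_json(event: dict) -> bytes:
    """Deterministic serialisation: sorted keys, no insignificant whitespace, so
    the same event yields the same bytes whatever order the dict was built in."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def row_hash(tenant_secret: bytes, prev_hash: bytes, event: dict) -> bytes:
    """HMAC-SHA256(tenant_secret, prev_hash || canonical_event_json), as on the page."""
    return hmac.new(tenant_secret, prev_hash + canonical_event_json(event), hashlib.sha256).digest()


def append_event(log: list, tenant_secret: bytes, event: dict) -> dict:
    """Append one audit row whose hash commits to the previous row's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    row = {"id": len(log) + 1, "event": event, "hash": row_hash(tenant_secret, prev_hash, event)}
    log.append(row)
    return row


def first_break(log: list, tenant_secret: bytes):
    """Walk the chain from the genesis value; return None if every row verifies,
    otherwise the id of the first row whose stored hash does not recompute."""
    prev_hash = GENESIS
    for row in log:
        expected = row_hash(tenant_secret, prev_hash, row["event"])
        if not hmac.compare_digest(expected, row["hash"]):
            return row["id"]
        prev_hash = row["hash"]
    return None


if __name__ == "__main__":
    tenant_secret = secrets.token_bytes(32)  # generated once per workspace
    log = []
    # Constructed sample events in the shape the page lists.
    append_event(log, tenant_secret, {"type": "contract.upload", "actor": "ana", "doc": "msa-2024"})
    append_event(log, tenant_secret, {"type": "invoice.flag", "actor": "ana", "invoice": "inv-17", "amount": "1200.00"})
    append_event(log, tenant_secret, {"type": "settings.change", "actor": "ben", "key": "byok"})
    print("intact:", first_break(log, tenant_secret))        # None
    log[1]["event"]["amount"] = "120.00"                     # edit the flagged amount in place
    print("after edit:", first_break(log, tenant_secret))    # 2
```

Two properties worth noting. Deleting a middle row is caught at the row after it, since that row's prev_hash no longer matches, whereas removal of the newest row leaves a chain that still verifies, which is why an external record of the latest hash (the CSV export is a natural place) matters. And because the chain is keyed, recomputing it requires the tenant secret, so verification is a server-side operation rather than something an exported file can prove on its own.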

What's shared with Anthropic (Claude)

Contract text and invoice text are sent to the Anthropic API for analysis. You have two options for how that happens:

Option 1 — Platform key (default)

We send via Kontraxa's Anthropic account. Anthropic does not train on commercial API data. Default API behavior retains prompts and responses for ~30 days for abuse detection; we operate under Anthropic's Zero Data Retention agreement, which eliminates that retention.

Option 2 — Bring Your Own Key (BYOK) (Enterprise default)

Configure your existing Anthropic API key in Settings → BYOK. All analysis runs through your Anthropic account, billed to you, governed by your Anthropic agreement (including any ZDR or EU residency terms you've already negotiated). The key itself is encrypted at rest with pgcrypto on our database; we display only the last four characters in the UI and never log the plaintext anywhere.

Sub-processors

Five vendors handle some portion of the data needed to deliver Kontraxa. Full list with regions, compliance, and DPAs at /sub-processors. We notify customers under contract 30 days before adding any new sub-processor.

Who can access your data

By default, only the users in your own workspace can access your data. Kontraxa platform admins (a fixed allowlist of named individuals) have the technical ability to view tenant data when supporting a ticket or investigating an incident; every such access requires a written reason and is logged to a per-tenant access log that you can read yourself in Settings → Trust Center → Admin access log. The same record we have, you have.

Your rights

Export everything (GDPR Article 20, Portability)
  How to exercise: Settings → Trust Center → Download data export. Returns a single ZIP with every PDF, every analysis, every audit row.

Delete everything (GDPR Article 17, Erasure)
  How to exercise: Settings → Trust Center → Request deletion. 30-day grace period (cancellable). After grace, every record is purged and an emailed deletion certificate documents the act.

Access log (GDPR Article 15, Access)
  How to exercise: Settings → Trust Center surfaces your inventory and every Kontraxa-platform-admin access of your data, in real time.

Amend incorrect data (GDPR Article 16, Rectification)
  How to exercise: you can edit any contract / invoice / analysis through the app UI. For data you can't reach, email [email protected].

Compliance posture

We rely on the SOC 2 / ISO 27001 / HIPAA-eligible compliance of our sub-processors today. Our own SOC 2 Type 1 audit is in progress; Type 2 follows 12 months later. We will not claim a certification we don't hold.

Sub-processor SOC 2: inherited
SOC 2 Type 1: in progress
GDPR: DPA available on request
HIPAA: by exception via BAA

Incident response

If we detect or are informed of a security incident affecting your data, we follow a documented response playbook: contain, assess, notify. We commit to notifying affected customers within 72 hours of confirming an incident, in line with GDPR Article 33 timing. Notification includes what was affected, what we know about the cause, and what we're doing about it.

Questions

Privacy, security, and compliance: [email protected]
Bug reports: [email protected] (PGP key on request)