Security & Compliance
This page is for security reviewers, compliance officers, and enterprise customers evaluating Term Tracker. It covers what security controls are deployed today, what framework certifications we are working toward, how contract data is handled by AI providers, and what is on the near-term roadmap.
At a Glance
- Intended audience: security and compliance teams, enterprise buyers, and any customer who wants to know how their contract data is protected.
- Framework targets (in progress, not yet certified): SOC 2 Type II, GDPR, CCPA/CPRA. ISO/IEC 27001 and ISO/IEC 42001 are longer-term targets.
- Infrastructure: AWS (us-east-1). All customer data stays in the United States.
- AI providers: Anthropic (Claude) and Google (Gemini). Contract text only, no account data. See Sub-processors for full detail.
- What is live today: see the section below.
Compliance Posture
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | Target: controls implementation in progress | Foundational controls (encryption at rest with customer-managed KMS, account hardening, IAM least-privilege, threat protection, structured logging) are deployed. Audit planned once the remaining items below are closed. |
| GDPR | Foundational requirements live; full compliance in progress | Privacy policy, cookie/storage notice, and acceptable-use policy are live. Self-service account deletion (Article 17 / "right to be forgotten") with a 30-day grace period is live in-app. Sub-processors are publicly disclosed. Remaining work: a customer-facing DPA template and formal records-of-processing documentation. |
| CCPA / CPRA | Foundational requirements live; full compliance in progress | Self-service deletion satisfies §1798.105. Privacy policy covers required disclosures. Same DPA / records-of-processing work as GDPR remains. |
| ISO/IEC 27001 | Long-term target | Targeted after SOC 2 Type II is complete. |
| ISO/IEC 42001 (AI management) | Long-term target | Relevant given the AI extraction features. Will be evaluated alongside ISO 27001. |
| NIST CSF 2.0 | Reference framework | SOC 2 and ISO controls map to it. Used to guide gap analysis. |
| PCI-DSS | Not applicable | No payment card data is processed by Term Tracker. |
| HIPAA | Out of scope by Acceptable Use Policy | PHI is not permitted in customer contracts. Users must not upload contracts containing protected health information. |
What's Live Today
The following controls are deployed and active in the Term Tracker AWS account (807575525402, us-east-1):
Logging and monitoring
- Multi-region AWS CloudTrail trail with KMS-encrypted logs and log-file integrity validation
- AWS Config recorder for continuous configuration change tracking
- AWS Security Hub with FSBP and CIS AWS Foundations v1.4 standards active
- AWS GuardDuty threat detection active account-wide
- AWS GuardDuty Malware Protection scanning every contract file uploaded to S3
Vulnerability management
- AWS Inspector v2 continuously scanning Lambda functions for known vulnerabilities
Data at rest
- The Aurora PostgreSQL database is encrypted at rest with a customer-managed KMS key (alias/contract-analyzer-data) with annual rotation. The Aurora master-user-password secret is also encrypted with this key
- The contracts bucket is encrypted with the same customer-managed KMS key. All contract objects in the bucket — both new uploads and historical ones — use this key
- The SQS analysis queue and dead-letter queue (which transport contract identifiers and signed S3 keys) are encrypted with the same customer-managed KMS key
- CloudWatch log groups for the application Lambdas are encrypted with the same customer-managed KMS key
- Other S3 buckets (frontend, docs site) use AWS-managed AES-256 server-side encryption by default
- The audit log bucket has its own customer-managed key (alias/contract-analyzer-observability) for separation of data classification
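As an added check (not Term Tracker's own code) for the at-rest policy above: the function below evaluates S3 default-encryption settings, shaped like a boto3 `get_bucket_encryption` response, against the key assignments listed. The bucket roles, the account number in the key ARN, and the sample responses are constructed placeholders; only the two KMS aliases come from this page.

```python
# Added check, not Term Tracker's code. Evaluates the shape of boto3's
# get_bucket_encryption response against the at-rest policy on this page.
DATA_KEY = "alias/contract-analyzer-data"            # from the page
AUDIT_KEY = "alias/contract-analyzer-observability"  # from the page

# bucket role -> (required SSE algorithm or None for "any", required KMS alias or None)
POLICY = {
    "contracts": ("aws:kms", DATA_KEY),
    "audit-log": ("aws:kms", AUDIT_KEY),
    "frontend": (None, None),   # page: AWS-managed SSE by default; any default SSE is fine
    "docs": (None, None),
}

def _default_rule(response: dict):
    """Return the ApplyServerSideEncryptionByDefault block, or None if absent."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        if "ApplyServerSideEncryptionByDefault" in rule:
            return rule["ApplyServerSideEncryptionByDefault"]
    return None

def _key_matches(key_id: str, alias: str) -> bool:
    """KMSMasterKeyID may come back as a bare alias or an alias ARN; accept both."""
    return key_id == alias or key_id.endswith(":" + alias)

def check_bucket(role: str, response: dict) -> tuple:
    """Compare one bucket's default encryption with the policy for its role."""
    want_alg, want_alias = POLICY[role]
    rule = _default_rule(response)
    if rule is None:
        return False, "no default encryption configured"
    alg, key_id = rule.get("SSEAlgorithm"), rule.get("KMSMasterKeyID", "")
    if want_alg and alg != want_alg:
        return False, f"uses {alg}, policy requires {want_alg}"
    if want_alias and not _key_matches(key_id, want_alias):
        return False, f"key {key_id!r} is not {want_alias}"
    return True, "compliant"

# Constructed samples (placeholder account id): a compliant contracts bucket and
# one that silently fell back to SSE-S3, the regression this check should catch.
PLACEHOLDER_ARN = "arn:aws:kms:us-east-1:111111111111:" + DATA_KEY
GOOD = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
        {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": PLACEHOLDER_ARN}}]}}
BAD = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
        {"SSEAlgorithm": "AES256"}}]}}
```

Feeding `check_bucket` the live response for each bucket turns the policy in this section into a drift check that can run in CI or on a schedule.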
Data in transit
- All traffic uses TLS 1.2 or higher
- CloudFront distribution enforces HTTPS; HTTP requests are redirected
- Security response headers on every page load: HTTP Strict Transport Security (HSTS, max-age one year), X-Content-Type-Options nosniff, X-Frame-Options SAMEORIGIN, Referrer-Policy strict-origin-when-cross-origin
- AWS WAF sits in front of the application's CloudFront distribution with a 100-request-per-five-minutes per-IP rate limit, the AWS-managed CommonRuleSet (OWASP-style web-app protections), and the AWS-managed KnownBadInputsRuleSet
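An added verification (not Term Tracker's own code) for the response-header policy above: `check_headers` parses a response's headers and reports any deviation from the four headers listed, including an HSTS max-age shorter than one year. The two sample header sets are constructed.

```python
# Added check, not Term Tracker's code: verify a response's security headers
# against the policy listed above. Sample header sets below are constructed.
ONE_YEAR = 31536000  # seconds; the page states an HSTS max-age of one year

EXPECTED = {  # header name -> required value (compared case-insensitively)
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def _normalise(headers) -> dict:
    """Lower-case names and values; accepts a dict or (name, value) pairs."""
    items = headers.items() if hasattr(headers, "items") else headers
    return {k.strip().lower(): v.strip().lower() for k, v in items}

def hsts_max_age(value: str):
    """Parse the max-age directive of a Strict-Transport-Security value; None if absent."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and raw.strip().isdigit():
            return int(raw)
    return None

def check_headers(headers) -> list:
    """Return a list of policy violations; an empty list means compliant."""
    h = _normalise(headers)
    problems = []
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None:
        problems.append("HSTS header missing or has no valid max-age")
    elif age < ONE_YEAR:
        problems.append(f"HSTS max-age {age} is below one year ({ONE_YEAR})")
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got != want:
            problems.append(f"{name}: expected {want!r}, got {got!r}")
    return problems

# Constructed samples: a compliant response, and one whose HSTS lifetime was
# shortened and whose clickjacking protection header was dropped.
COMPLIANT = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
             "Referrer-Policy": "strict-origin-when-cross-origin"}
DRIFTED = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff",
           "Referrer-Policy": "strict-origin-when-cross-origin"}
```

The list form is accepted so the output of `http.client`'s `HTTPResponse.getheaders()` can be passed straight in when checking a live deployment.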
Authentication and access
- AWS Cognito user pool with Threat Protection enforced (risk-based authentication, compromised-credential detection, adaptive challenges)
- Password policy: minimum 12 characters, requires upper + lower + numeric + symbol
- Email verification required before account activation; sign-in tokens expire every 12 hours; refresh tokens expire after 30 days
- Per-project role-based access control: Owner, Editor, Viewer
- Tenant isolation enforced via centralized authorization middleware in the API
Upload validation
- 50 MB maximum upload size
- MIME-type validation on contract uploads (PDF and DOCX only)
Abuse and cost controls
- Per-user and per-project rate limits on chat (10 messages per minute, 100 per hour) and analysis runs (5 per minute, 30 per hour); per-project daily ceilings on both. The limits are visible in the UI with a wait window when reached.
- 8,000 character cap on chat messages and an output-token cap on each chat reply so a single response cannot drive unbounded cost
- Reserved Lambda concurrency on the chat-streaming function caps total in-flight chat requests at any moment, bounding the blast radius of a runaway client or anonymous flood
- Dead-letter-queue depth alarm on the analysis worker — any job that exhausts its retry budget surfaces immediately to the operator
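To make the two-tier limits above concrete, here is an added sliding-window limiter (example code, not Term Tracker's implementation) using the chat and analysis figures stated in this section, with user and project scopes checked together so a request is charged to neither unless both admit it. The daily per-project ceilings are not quantified on the page, so none is configured here; the key shapes and function names are assumptions.

```python
# Added example, not Term Tracker's code: a sliding-window limiter with the
# chat and analysis limits stated above, returning the wait the UI would show.
# The per-project daily ceilings are not quantified on the page, so none is set.
from collections import defaultdict, deque

CHAT_LIMITS = ((60, 10), (3600, 100))     # (window seconds, max requests)
ANALYSIS_LIMITS = ((60, 5), (3600, 30))


class WindowLimiter:
    """Keeps one deque of request timestamps per key, e.g. ("user", id) or ("project", id)."""

    def __init__(self, limits):
        self.limits = limits
        self.longest = max(window for window, _ in limits)
        self.events = defaultdict(deque)

    def retry_after(self, key, now: float) -> float:
        """Seconds until a request for key is admitted; 0.0 means admitted now."""
        q = self.events[key]
        while q and q[0] <= now - self.longest:   # drop events outside every window
            q.popleft()
        wait = 0.0
        for window, limit in self.limits:
            recent = [t for t in q if t > now - window]
            if len(recent) >= limit:
                # admitted once the limit-th most recent event ages out of this window
                wait = max(wait, recent[-limit] + window - now)
        return wait

    def record(self, key, now: float) -> None:
        self.events[key].append(now)


def admit(user_lim: WindowLimiter, project_lim: WindowLimiter,
          user_id: str, project_id: str, now: float) -> float:
    """Apply both scopes; charge neither unless both admit. Returns the wait in seconds."""
    wait = max(user_lim.retry_after(("user", user_id), now),
               project_lim.retry_after(("project", project_id), now))
    if wait == 0.0:
        user_lim.record(("user", user_id), now)
        project_lim.record(("project", project_id), now)
    return wait
```

A non-zero return is the "wait window" to surface to the client; `now` is injected rather than read from the clock so the behaviour is deterministic in tests.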
Personnel access
- Term Tracker is currently operated by a single person (the founder)
- Production AWS access is restricted to one IAM Identity Center principal with multi-factor authentication required
- As the team grows, this will move to role-based access reviewed quarterly
Resilience
- Aurora automated backups with 35-day retention
- Aurora storage is automatically replicated across three Availability Zones (a built-in Aurora durability feature). The writer instance currently runs in a single AZ; expanding to a multi-AZ writer/reader topology is on the resilience roadmap below
- Formal recovery time and recovery point objectives are part of the SOC 2 work
Incident Response
- A documented incident response plan governs how we detect, contain, and communicate about security incidents
- For personal-data breaches, we commit to notifying affected customers and the relevant supervisory authority within 72 hours of awareness, per GDPR Art. 33
- A post-incident review within 7 days of every CRITICAL or HIGH severity incident
Data Handling
Contract storage
Contracts are stored in an S3 bucket in us-east-1. Each environment (production, staging) uses an isolated bucket. Access is restricted to the Lambda execution role; no direct public access is permitted.
AI extraction
Term Tracker uses a two-pass AI extraction process. The first pass identifies the structure of the contract; the second pass extracts each field in the project template with a targeted prompt. Contract text is sent to the AI provider for each pass.
Anthropic (Claude models)
Contract text is transmitted to Anthropic's Claude API for extraction. Anthropic retains API request and response data for up to 30 days per their standard data-handling policy. This data is not used to train Anthropic's models. A Zero-Data-Retention (ZDR) addendum is on the roadmap for when an enterprise customer requires it. See the Sub-processors page for current DPA status.
Google (Gemini models)
When a project is configured to use a Gemini model, contract text is transmitted to the Google Gemini API. This usage is covered by the Google Cloud DPA. Google does not use this data to train its models. See Sub-processors for full detail.
Amazon Bedrock (Ask feature)
The Ask feature calls Anthropic Claude through Amazon Bedrock, an AWS managed service. Bedrock processes the request inside AWS under the AWS Customer Agreement and the AWS Service Terms. The direct Anthropic sub-processor entry covers the extraction pipeline (workers calling the Anthropic API directly); chat does not use that path.
Data deletion and export
Account deletion is self-service: any user can permanently delete their account from Account → Danger Zone in the app. Deletion runs on a 30-day grace period (cancellable any time during the grace window) before the cascade fires. The cascade removes the user account, projects they solely owned, contracts they uploaded, and the AI extraction results for those projects. Project memberships where the user was not the sole owner are preserved with the user attribution replaced.
Bulk export of project data is available via the in-app CSV / XLSX export feature (Owner / Editor permissions required). For a full account-data export request that goes beyond what the in-app export covers, email sean@seanpmccauley.com.
Operator metadata retention
Term Tracker maintains a small operator-side counter of daily authenticated user activity (one row per user per UTC day) so the admin dashboard can display usage trends. This counter contains no contract data and no personal information beyond the Cognito user identifier. Rows are deleted automatically after 95 days. Account deletion also removes all entries for that user immediately as part of the standard deletion cascade.
Roadmap
The following controls are in progress or planned. None of these are live today.
- Multi-AZ writer/reader Aurora topology (planned). Aurora storage is already replicated across three Availability Zones, but the writer instance runs in a single AZ. Adding a reader instance in a second AZ for failover is on the resilience roadmap.
- MFA enforcement (planned). Cognito Threat Protection (risk-based authentication, compromised-credential detection) is enforced today; full MFA enrollment for all users is the next step.
- Append-only audit log for all customer-data actions (in progress). A tamper-evident log of every read, write, and delete action on contract data will be available to project Owners.
- Anthropic Zero-Data-Retention addendum (deferred until an enterprise customer requires it). Anthropic's standard 30-day retention applies until then (see Data Handling above).
- SOC 2 Type II audit (planned after foundational controls are complete). Date not yet set.
- GDPR DPA template for customers (planned). Will be available on request once the privacy policy and subject-rights endpoints are in place.
Contact
For security questions, vulnerability reports, or compliance documentation requests, email sean@seanpmccauley.com.
Last updated: 2026-05-21