ENTERPRISE-GRADE SECURITY

Security & Compliance

Built for government, healthcare, and finance. SOC 2 in progress, GDPR compliant.

SOC 2 Type II Compliance

In Progress - Expected Q2 2026

We are actively working towards SOC 2 Type II certification, the gold standard for security compliance. Our audit is underway with an independent third-party auditor.

Enterprise customers can request our current security documentation and pre-audit reports.

Encryption

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest (AWS SSE-S3)
  • Encrypted database connections
  • Encrypted backups

Authentication & Access

  • Multi-factor authentication (MFA)
  • SSO / SAML integration (Enterprise)
  • Role-based access control (RBAC)
  • Per-contract permissions

Data Protection

  • Automated daily backups (30-day retention)
  • Point-in-time recovery (7 days)
  • Multi-org data isolation
  • Automatic backup testing

Infrastructure Security

  • Rate limiting on all endpoints
  • DDoS protection via Vercel
  • AWS infrastructure security
  • Private S3 buckets (no public access)

Compliance & Standards

GDPR

Fully compliant with EU General Data Protection Regulation

CCPA

California Consumer Privacy Act ready

HIPAA

HIPAA-ready infrastructure (BAA available for Enterprise)

Audit Logging & Compliance

Complete audit trail for regulatory compliance (FedRAMP, NIST, SOX, FISMA):

  • All user actions logged with timestamps
  • Contract modifications tracked
  • File access and downloads logged
  • Permission changes audited
  • Export audit logs for compliance reporting
  • Tamper-proof log storage

Third-Party Security

We carefully vet all third-party services (subprocessors) and ensure they meet our security standards. All subprocessors are SOC 2 compliant and have signed data processing agreements.


Security Practices

  • Regular security audits - Quarterly penetration testing and vulnerability assessments
  • Dependency scanning - Automated scanning for vulnerable dependencies
  • Security training - All team members receive security awareness training
  • Incident response plan - 24-hour notification for security incidents
  • Bug bounty program - Coming Q1 2026

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@contractplan.com

We commit to responding within 24 hours and will work with you to address the issue. Please do not publicly disclose vulnerabilities until we've had a chance to fix them.

We appreciate responsible disclosure and may offer rewards for valid security reports (bug bounty coming Q1 2026).

Enterprise Trust Pack

Enterprise customers get access to additional security documentation and guarantees:

  • 99.9% Uptime SLA
  • Data Processing Agreement (DPA)
  • Business Associate Agreement (HIPAA)
  • Security questionnaire responses
  • Penetration test reports
  • SOC 2 reports (when available)

Questions about our security practices?

security@contractplan.com