This site works best with JavaScript enabled. Core content is still viewable without it.
Skip to content

Security

How Contract-as-Code protects your agreements, your payroll data, and your employees' privacy. This page summarises our technical and organisational controls for security, procurement, and vendor-risk reviews.

🇨🇦 Canada— data residency shown for this region; switch using the bar above

AI never sees employee data

Our AI rule-extraction step receives only collective agreement clause text — never employee names, identifiers, or payroll values. Employee identifiers are SHA-256 hashed before any processing step, so raw SINs never leave your tenant and are never sent to any AI provider.

Data protection

  • All data in transit is encrypted via TLS 1.2+.
  • All data at rest is encrypted using AES-256.
  • Employee identifiers are hashed (SHA-256) before processing — raw SINs are never stored.
  • Agreement documents and payroll datasets are isolated per tenant.

Data residency

Your data is processed and stored in your selected region. For Canada:

  • Application infrastructure: GCP northamerica-northeast1
  • Database: Neon ca-central-1

AI rule extraction (Anthropic) is processed in the United States and receives clause text only. See Sub-processors for the full list.

Access control and operations

  • Authentication is managed through a dedicated identity provider with role-based access control.
  • Every consequential action is captured in an immutable audit log, including rule approvals and validation runs.
  • No extracted rule becomes active without a human review and approval decision.
  • We conduct annual security audits and penetration testing.

Sub-processors

We maintain a current list of every third-party sub-processor, the data categories it may access, and its processing location. We notify customers at least 30 days before adding a new sub-processor.

View our sub-processors →

Data processing agreements

Custom DPAs, security reviews, and data-residency arrangements are available for enterprise and public sector customers. Contact us to request a DPA or to start a vendor-risk review.

Request a DPA or security review →

Reporting a vulnerability

If you believe you've found a security issue, please email security@contract-as-code.com. We aim to acknowledge reports within one business day.

Not legal advice. Contract-as-Code is decision-support tooling for HR and payroll teams. All findings require human review before action.