Security
Security and data handling for uploaded contracts
AuditGuard is built for sensitive BAAs, DPAs, vendor contracts, and policies. This page explains how uploaded documents are handled before you trust us with confidential content.
Document handling
- Uploaded files are accepted only for supported document workflows: PDF, DOCX, and TXT.
- File uploads are size-limited, associated with the authenticated user, and stored in user-scoped namespaces.
- Generated filenames and database identifiers are used internally instead of trusting user-provided filenames.
- Audit results stay scoped to the account that created the audit unless the user explicitly shares a report link.
Encryption and transport
- Traffic is encrypted in transit with HTTPS/TLS.
- Sensitive document and audit data is encrypted at rest using AES-256-GCM where supported by the application layer.
- Passwords are stored as salted hashes, not plaintext.
- Authentication uses short-lived access tokens and refresh-token controls.
AI processing and training
- Customer documents are processed only to provide clause extraction, compliance validation, remediation drafting, and critic verification.
- Customer documents are not used by AuditGuard to train foundation models.
- OpenAI API processing is used for parts of the audit pipeline under API terms that do not train on API inputs by default.
- PII redaction and output validation are applied as guardrails before audit results are returned.
Retention and deletion
- Audit data is retained while the account is active so users can access reports and history.
- Users may request deletion of uploaded documents and audit data by contacting info@auditguard.org.
- Account closure triggers deletion workflows, except records we must retain for billing, tax, security, or legal obligations.
- Security logs are retained separately for abuse prevention and incident investigation.
Subprocessors
AuditGuard uses third-party subprocessors to operate the service:
- Railway for application hosting, database, and Redis infrastructure.
- OpenAI for AI model processing.
- Pinecone for vector search where enabled.
- Polar.sh for billing and merchant-of-record payment processing.
- Resend for transactional email.
- Sentry for error monitoring and performance diagnostics.
Human access
- Production access is limited to operational needs such as support, debugging, security, and legal compliance.
- Support access to customer content should be requested by the user or required to investigate a service issue.
- Administrative access is kept limited and reviewed as the product grows.
Important legal note
AuditGuard AI is not a law firm and does not provide legal advice. Audit results and suggested replacement language are software-generated compliance assistance and should be reviewed by qualified counsel before use.
Review the output before uploading a contract
See a public sample report with cited findings, risk summaries, and suggested remediation language.
View sample report →