Encrypted in transit and at rest
Every connection runs over TLS (HTTPS). Your contract data and uploaded files are stored encrypted at rest on managed, SOC 2-audited infrastructure (Supabase on AWS).
Contract data is sensitive. Here is exactly how we protect it - in plain English, with no jargon and no overpromising.
Each organization's data is separated at the database layer with row-level security policies, so one customer can never read another customer's contracts.
Turn on TOTP-based 2FA from your account settings for an extra layer beyond your password. Works with Google Authenticator, Authy, 1Password, and similar apps.
Skip the extra password. Sign in with your existing Google or Microsoft Work account so access follows your company's identity provider and offboarding.
Billing is handled entirely by Stripe, a PCI-DSS Level 1 provider. Card details go straight to Stripe and are never stored on our servers.
Invite teammates as Admins or Viewers. Viewers can see contracts and deadlines but can't change billing or delete records.
Your contracts are yours. We never sell, rent, or share your data with advertisers or data brokers. We use it only to run the service for you.
Can I export everything?
Yes. Export all of your contracts to CSV at any time from the Reports page. Your data is never locked in.
What happens if I cancel?
You keep access through the end of your billing period. Email us and we will delete your data on request.
Where is my data stored?
On Supabase (PostgreSQL) running on Amazon Web Services in the United States, with encryption at rest and automated backups.
Who can see my contracts?
Only the people you invite to your organization. Our team does not access your contract contents except when you ask us to for support.
We build on audited, industry-standard infrastructure rather than rolling our own. Here is every third party that can process your data, what they do, and what they see.
| Provider | Purpose | Data it processes |
|---|---|---|
| Supabase (on AWS, US) | Database, authentication, and encrypted file storage | Contract records, account details, and uploaded documents |
| Amazon Web Services | Underlying cloud infrastructure (us-east region) | All application data, encrypted at rest |
| Stripe | Subscription billing and payments | Billing contact and card details (card data never reaches our servers) |
| Anthropic (Claude) | AI extraction, review, search indexing, and clause-finding | Only the specific documents you submit to an AI feature |
| Resend | Transactional and alert email delivery | Recipient email addresses and alert content |
| Vercel | Application hosting and content delivery | Request metadata and standard server logs |
| PostHog | Product analytics to improve the app | Pseudonymous usage events |
AI features (extraction, review, search, clause-finding) send the specific document you choose to Anthropic for processing. Anthropic does not train on your data via the API. You control when AI runs - it never processes a contract unless you ask it to.
TermSignals is built and run by a small, focused team. We rely on audited infrastructure (Supabase, AWS, Stripe) for the heavy lifting, and we apply security best practices throughout the app. If your procurement team needs specific documentation or has a security questionnaire, email us directly and we will work through it with you.