GDPR compliance

GDPR Commitments

ContractShield operates with privacy by design. We honor data subject rights across the EU and UK and provide clear processes for access, deletion, and portability.

Right to access

Workspace owners can export project, document, and user activity logs at any time. Our team fulfills personal data requests within 30 days.

Right to rectification

Profile, company, and project data can be edited in the app. We provide audit trails for changes and assist with bulk updates when needed.

Right to erasure

ContractShield deletes data within 30 days of a verified request and provides confirmation once backups roll off the retention window.

Data processing addendum

Processing & subprocessors

Our DPA governs data processing on behalf of customers. We publish current subprocessors and notify customers at least 30 days before changes, allowing objection and opt-out if required.

Supabase for managed Postgres database and file storage (USA/EU regions).
Vercel for global edge delivery, serverless functions, and preview infrastructure.
Stripe for payment processing, subscription billing, and invoicing (PCI DSS compliant).
OpenAI for AI-powered features including pricebook advisor, smart notifications, and quote suggestions. Data is processed per API terms and is not used for model training.
Resend for transactional email delivery (account notifications, invoices, alerts).
Mixpanel for product analytics and session recording.
Google for OAuth authentication, Calendar integration, and Maps/Geocoding APIs.
Cloudflare for Turnstile CAPTCHA bot protection during registration.

Need a signed DPA?

Email legal@contractshield.io with your company details. We turn around agreements within five business days.