Data Privacy
Contract-as-Code processes two types of data: agreement documents and employee payroll data. Each is handled differently.
Agreement documents
What happens to your PDF
- The PDF is uploaded to encrypted storage in your regional data centre
- Text is extracted from the PDF
- Clause text is sent to OpenAI for rule extraction
- Extracted rule candidates are stored in your regional database
- The original PDF remains in encrypted storage until you delete it
AI processing scope
The AI (OpenAI) receives agreement clause text only:
| Sent to AI | NOT sent to AI |
|---|---|
| Clause text (e.g., "overtime shall be paid at 1.5× for hours beyond 37.5") | Employee names |
| Page numbers and clause references | Employee identifiers (SIN, SSN, NI, TFN) |
| Section headings | Payroll data |
| | Salary or wage amounts for specific employees |
| | Organisation name (stripped from context) |
OpenAI processes clause text under their Enterprise API terms — no data is used for model training.
Employee payroll data
PII hashing
Before any processing, employee identifiers are hashed:
Input: "Jane Smith" / "123-456-789"
Process: SHA-256 hash
Output: "a7f3b2c8d4e5f6..." (irreversible)
Stored: Only the hash — never the original value

The hash is used to:
- Correlate findings to specific employees across multiple validation runs
- Group findings by employee in reports
- Allow you to map findings back to real employees in your own HRIS
The hash is one-way — Contract-as-Code cannot reverse the hash to determine the original employee name or identifier.
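One way to map finding hashes back to employees in your own HRIS, as an added example (not Contract-as-Code's own code). It assumes each identifier is hashed on its own as the exact UTF-8 string you uploaded, unsalted, with lowercase hex output; the record layout, field names and function names are hypothetical.

```python
import hashlib

# Assumptions (not stated on the page): each field is hashed on its own,
# as the exact UTF-8 string uploaded, unsalted, and reported as lowercase hex.
def pii_hash(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def build_lookup(hris_rows, fields=("name", "national_id", "email")):
    """Index HRIS records by the hash of each identifier field."""
    lookup = {}
    for row in hris_rows:
        for field in fields:
            if row.get(field):
                lookup.setdefault(pii_hash(row[field]), set()).add(row["employee_id"])
    return lookup

def resolve(finding_hashes, lookup):
    """Split hashes into resolved (one employee), ambiguous (several), unmatched."""
    resolved, ambiguous, unmatched = {}, {}, []
    for h in finding_hashes:
        ids = lookup.get(h, set())
        if len(ids) == 1:
            resolved[h] = next(iter(ids))
        elif ids:
            ambiguous[h] = sorted(ids)
        else:
            unmatched.append(h)
    return resolved, ambiguous, unmatched

# Constructed sample data: a local HRIS export and hashes as they might
# appear in a findings report.
HRIS = [
    {"employee_id": "E001", "name": "Jane Smith", "national_id": "123-456-789", "email": "jane@example.com"},
    {"employee_id": "E002", "name": "Jane Smith", "national_id": "987-654-321", "email": "j.smith@example.com"},
    {"employee_id": "E003", "name": "Ali Khan", "national_id": "555-000-111", "email": "ali@example.com"},
]
FINDINGS = [
    pii_hash("123-456-789"),   # unique identifier: resolves to E001
    pii_hash("Jane Smith"),    # shared name: ambiguous between E001 and E002
    pii_hash("555000111"),     # same ID without dashes: different hash, no match
]

if __name__ == "__main__":
    resolved, ambiguous, unmatched = resolve(FINDINGS, build_lookup(HRIS))
    print("resolved:", resolved)
    print("ambiguous:", ambiguous)
    print("unmatched:", unmatched)
```

Because the digest depends on the exact string, keep identifier formatting in your HRIS export identical to the uploaded CSV. If the hash is unsalted as assumed here, the same table-building step works for anyone who holds a list of candidate identifiers, so treat the hashes as pseudonyms and protect them like personal data.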
What is hashed
| Field | Hashed | Stored as-is |
|---|---|---|
| Employee name | ✓ | ✗ |
| SIN / SSN / NI / TFN | ✓ | ✗ |
| Employee ID / badge number | ✓ | ✗ |
| Email address | ✓ | ✗ |
| Hours worked | ✗ | ✓ |
| Hourly rate | ✗ | ✓ |
| Classification | ✗ | ✓ |
| Shift times | ✗ | ✓ |
| Department | ✗ | ✓ |
Data retention
| Data type | Retention |
|---|---|
| Uploaded CSV files | 90 days, then auto-deleted |
| Hashed employee records | Until validation job is deleted |
| Validation findings | Until deleted by your organisation |
| Audit logs | 7 years |
You can delete uploaded data at any time from Settings → Data Management.
Third-party processors
| Processor | Purpose | Data accessed |
|---|---|---|
| OpenAI | Rule extraction from agreement text | Agreement clause text only |
| Google Cloud Platform | Infrastructure, storage, compute | All data (encrypted at rest) |
| Neon (PostgreSQL) | Database | Application data (encrypted at rest) |
| Firebase (Google) | Authentication | User email and auth tokens only |
| Stripe | Billing | Billing email, payment method (no agreement or payroll data) |
| Sentry | Error monitoring | Error reports (configured to exclude PII) |
DPA coverage
All third-party processors operate under Data Processing Agreements. For enterprise customers, we provide a list of subprocessors and DPA copies upon request.
Your rights
Depending on your jurisdiction, you have the right to:
- Access your data
- Correct inaccurate data
- Delete your data (right to erasure)
- Export your data in a portable format
- Restrict processing
- Object to specific processing activities
To exercise any of these rights, contact privacy@contract-as-code.com. We respond within 30 days.