Security is non-negotiable
Your contracts are some of your most sensitive documents. Here's exactly how we protect them - no vague promises, just facts.
Our data commitment
Contract data is never used for AI model training. Uploaded contracts and review outputs are processed solely for fulfilling your review request. Both OpenAI and Anthropic operate under API Data Processing Addendums that contractually prohibit use of customer data for model training.
How we protect your data
Multiple layers of security, from transport to storage to access control.
Encryption everywhere
All data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Your contracts are unreadable to anyone without authorisation.
Least-privilege access
Administrative access is strictly limited by the principle of least privilege. Multi-factor authentication is enforced on all admin accounts, with logging and monitoring of all activity.
UK & EU data residency
All Vern data is processed and stored in data centres located in the United Kingdom and European Union. No Vern data is transferred outside the UK and EU.
Regular security audits
Regular security assessments and audits are conducted, including penetration testing. Infrastructure runs on SOC 2 Type II certified platforms. ISO 27001 information security management is implemented.
Data Processing Agreement
A formal DPA is available on request for any organisation that requires one. We comply with UK GDPR and the Data Protection Act 2018.
Data deletion
Delete individual contracts and review results at any time. On account closure, all data is permanently deleted within 30 days. You always get a minimum of 14 days to export first.
How AI handles your contracts
Transparency about exactly what happens when you upload a document.
No training on your data - ever
Your contracts are processed solely to fulfil your review request. Both OpenAI and Anthropic operate under API Data Processing Addendums that contractually prohibit the use of customer data for model training. Your data goes in, your report comes out, nothing is retained for training.
EU-based processing
AI providers process data via EU-based endpoints. All sub-processor agreements include Standard Contractual Clauses where applicable.
Human review optional
AI outputs are informational review indicators to assist human decision-making. They do not constitute automated decisions with legal effects. You can request human review at any time.
Sub-processors
Every third party that touches your data, listed here. We provide 30 days' notice before any change.
| Provider | Purpose | Location |
|---|---|---|
| OpenAI | Contract analysis (AI processing) | EU |
| Anthropic | Contract analysis (AI processing) | EU |
| LlamaIndex | Document parsing | EU |
| Railway | Application hosting | EU |
| Clerk | Authentication | EU |
| Stripe | Payment processing | UK/EU |
| Resend | Email delivery | EU |
Your data rights
Access
Request a copy of all personal data we hold about you.
Rectification
Correct any inaccurate or incomplete data.
Erasure
Request deletion of your data, subject to legal obligations.
Portability
Export your data in a machine-readable format.
Restrict processing
Limit how we use your data in specific circumstances.
Object
Oppose processing based on legitimate interests.
If something goes wrong
Containment
Incident detected and contained. Internal response team activated.
Customer notification
Affected customers notified of the incident with initial details and scope.
Regular updates
Continuous updates provided as investigation progresses and remediation is applied.
Full post-incident report
Comprehensive report including root cause analysis, impact assessment and preventive measures. ICO notified where required.
Privacy enquiries
Data Protection Officer
General enquiries
Security built in, not bolted on
Try Vern with confidence. Your data is protected by the same standards we'd want for our own contracts.