Contract Tracker

Contract Management System

Security & Compliance

Last Updated: November 5, 2025

Our Commitment to Security

At Automate Capture, LLC, security is fundamental to everything we do. Contract Compass is designed with security best practices to protect your sensitive federal contracting data. This page outlines our security measures, compliance posture, and commitment to safeguarding your information.

Infrastructure Security

Cloud Hosting

  • Hosted on enterprise-grade cloud infrastructure (Vercel/Supabase)
  • SOC 2 Type II compliant data centers
  • Multi-region redundancy and automated backups
  • 99.9% uptime SLA from infrastructure providers

Data Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Database: Encrypted PostgreSQL with row-level security
  • Backups: Encrypted automated daily backups with point-in-time recovery

Network Security

  • DDoS protection and rate limiting
  • Web Application Firewall (WAF) protection
  • Intrusion detection and prevention systems
  • Regular security patching and updates

Application Security

Authentication & Authorization

  • Secure password hashing using bcrypt with salt
  • Session-based authentication with secure cookies
  • Role-based access control (RBAC) with granular permissions
  • Multi-factor authentication (MFA) support (coming soon)
  • Automatic session expiration and timeout

Data Protection

  • Row-level security (RLS) policies in PostgreSQL
  • Input validation and sanitization to prevent injection attacks
  • CSRF protection on all state-changing operations
  • XSS prevention through content security policies
  • SQL injection prevention via parameterized queries

Code Security

  • Regular dependency scanning for known vulnerabilities
  • Automated security testing in CI/CD pipeline
  • Code review process for all changes
  • Secure development lifecycle practices

Compliance & Certifications

Infrastructure Compliance

Note: Contract Compass is built on certified infrastructure, but Automate Capture, LLC is not independently certified at this time. Our compliance roadmap is outlined below.

  • Vercel (Hosting): SOC 2 Type II certified
  • Supabase (Database & Auth): SOC 2 Type II certified
  • Resend (Email): SOC 2 Type II certified

We leverage these certifications to ensure your data is handled with enterprise-grade security controls, even as we work toward our own independent certifications.

Federal Contracting Awareness

  • ITAR/EAR: We are aware of export control requirements. Users are responsible for ensuring their data handling complies with applicable export control laws.
  • FAR/DFARS: Designed to support federal contracting workflows and record retention requirements
  • Data Residency: All data stored in United States data centers

Our Certification Roadmap

As Contract Compass grows and customer demand increases, we are committed to pursuing independent certifications:

  • SOC 2 Type II: Planned for Q4 2025 (audit preparation underway)
  • ISO 27001: Targeted for 2026
  • FedRAMP: Future consideration for government agency customers
  • CMMC Level 1-2: When applicable for DoD contractor requirements

We will update this page as we achieve these certifications. For specific compliance questions or timeline inquiries, please contact our security team.

Access Controls & Monitoring

Internal Access

  • Principle of least privilege for all system access
  • Background checks for employees with data access
  • Mandatory security training for all team members
  • Audit logging of all administrative actions

Monitoring & Incident Response

  • 24/7 automated security monitoring and alerting
  • Centralized logging and log retention
  • Incident response plan and security team
  • Regular security assessments and penetration testing

Data Handling Practices

Data Retention

We retain data in accordance with federal contracting requirements and best practices:

  • Active account data: Retained as long as the account is active
  • Financial records: Minimum 7 years (per IRS and FAR requirements)
  • Audit logs: 90 days rolling retention
  • Backups: 30-day rolling backups with long-term archival

Data Deletion

Upon account termination and after required retention periods, data is securely deleted using industry-standard secure deletion methods that make data unrecoverable.

Data Portability

You can export your data at any time in standard formats (CSV, JSON). Upon request, we provide complete data exports within 30 days.

Business Continuity & Disaster Recovery

  • Automated daily backups with point-in-time recovery
  • Multi-region redundancy for high availability
  • Disaster recovery plan with defined RTOs and RPOs
  • Regular disaster recovery testing and drills
  • Documented incident response procedures

Third-Party Service Providers

We carefully select third-party service providers and ensure they meet our security standards:

  • Vercel: Application hosting and edge network (SOC 2 Type II)
  • Supabase: Database and authentication services (SOC 2 Type II)
  • Resend: Transactional email delivery (SOC 2 Type II)

All third-party providers are contractually bound to maintain appropriate security controls and data protection measures.

Vulnerability Disclosure Program

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue:

  • Email us immediately at security@automatecapture.com
  • Provide detailed information about the vulnerability
  • Allow us reasonable time to address the issue before public disclosure
  • We commit to acknowledging reports within 48 hours

Important: Do not exploit vulnerabilities or access data beyond what is necessary to demonstrate the issue. We appreciate responsible disclosure and will work with you to resolve security concerns.

Your Security Responsibilities

Security is a shared responsibility. To keep your data secure:

  • Use strong, unique passwords and enable MFA when available
  • Keep your account credentials confidential
  • Report suspicious activity immediately
  • Ensure your employees follow security best practices
  • Regularly review user access and permissions
  • Keep your local systems and browsers up to date

Security Contact

For security concerns, questions, or to report vulnerabilities:

Automate Capture, LLC

Security Team

Email: security@automatecapture.com

For general support: support@automatecapture.com

Commitment to Transparency

We believe in being transparent about our security practices. If you have questions about our security measures or would like more detailed information for compliance purposes, please contact our security team. We're happy to provide additional documentation, answer questions, or schedule a security review call.
