Security & Privacy

Your contracts are confidential. We built Winpathio like they are.

Legal teams upload privileged documents, counterparty positions, and pre-execution deal terms to Winpathio. We designed the system so that data stays yours — not as a policy, as an architectural constraint.

Encryption at rest and in transit

All documents encrypted with AES-256 at rest. TLS 1.3 in transit. Your contract data is never stored unencrypted at any point in the pipeline.

No training on your data

Your contracts are never used to train our models. Ever. Your counterparty's positions stay yours. This is an architectural constraint, not a policy that changes with pricing tier.

Document retention controls

Choose auto-deletion after processing, or retain with access logging. You control the lifecycle. Firm tier includes custom retention and deletion policies with audit trails.

Access controls

Role-based access, audit logs for every review action, SSO-ready for enterprise rollouts. Admins control who sees which matters — and every access event is logged.

Built with security controls from day one.

We designed Winpathio with the understanding that legal teams handle confidential, often privileged, documents. The security architecture wasn't added after the fact — it shaped the product from the first line of code.

We use cloud infrastructure with industry-standard controls for access management, network segmentation, and logging. Our team has a standing security review process and conducts periodic assessments against industry frameworks.

We are working toward SOC 2 Type II certification. Our current controls are designed to meet SOC 2 criteria.

Encryption at rest AES-256
Encryption in transit TLS 1.3
Data location US-based cloud infrastructure
Access logging All review actions logged with timestamp and user
Training use Never — architectural constraint
Default retention Until user deletion; auto-delete available
SSO support SAML 2.0 (Firm tier)

Security questions

Your contract data is stored on US-based cloud infrastructure. Documents are encrypted at rest with AES-256. We do not use international data centers for document storage. You can request a data residency confirmation in writing for compliance documentation.
Access to customer contract data is restricted to a minimal set of engineering personnel for infrastructure maintenance purposes, under strict access controls and audit logging. We do not read, review, or use customer contracts for any purpose other than operating the service. Access events are logged and reviewed.
We are working toward SOC 2 Type II certification. Our current controls are designed to meet SOC 2 criteria. We can provide a security questionnaire and a summary of our current controls for your security review team. Contact us at [email protected] to request this documentation.
You can delete individual contracts and reports directly from your account at any time. To request deletion of all account data, email [email protected] with the subject "Data Deletion Request." We will confirm deletion within 30 days. Firm tier customers can configure automated deletion policies.
On-premises deployment is not currently available. If on-premises deployment is a hard requirement for your organization, contact us at [email protected] to discuss your needs. We're evaluating private cloud and VPC deployment options for organizations with strict data residency or network isolation requirements.
Security questions or concerns?