Security at ADDIN

Last updated: April 2026

Our Commitment to Security

At ADDIN, we understand that legal contracts contain some of the most sensitive information in any business. Our platform is built from the ground up with security, privacy, and compliance as core principles — not afterthoughts.

Data Privacy & Protection

We do not store your original contracts. When you submit a document for analysis through our Microsoft Word add-in, it is processed in real time and the original content is not retained on our servers after the analysis is complete. Generated outputs (summaries, risk flags, suggestions) are associated with your account only for the duration needed to deliver the service. All data transmissions between your Microsoft Word client and our servers are encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard AES-256 encryption.

Server Infrastructure

We offer European-only server processing as a configurable option. Users can enable 'EU-only' mode from their account settings, ensuring that all document processing and data storage occur exclusively within European Union data centers. Our infrastructure is hosted on enterprise-grade cloud providers with SOC 2 Type II and ISO 27001 certified data centers, providing physical security, redundancy, and high availability.

Regulatory Compliance

ADDIN is fully compliant with the General Data Protection Regulation (GDPR) and applicable European data protection laws. Our compliance framework includes:

- Data Processing Agreements (DPAs) available for enterprise customers
- Data Protection Impact Assessments (DPIAs) conducted for high-risk processing
- Privacy by design and by default principles embedded in our development process
- Right to access, rectification, erasure, and data portability fully supported
- Lawful basis for processing clearly documented for all data categories

Security Certifications

We are currently pursuing the following internationally recognized certifications:

ISO 27001 — Information Security Management

Pursuing — Expected 2026
ISO 27001 is the international standard for information security management systems (ISMS). Our certification process includes establishing comprehensive security policies, risk assessment procedures, and continuous improvement mechanisms for protecting information assets.

ISO 42001 — Artificial Intelligence Management

Pursuing — Expected 2026
ISO 42001 is the emerging standard for responsible AI management systems. As an AI-powered platform, we are committed to transparency, fairness, and accountability in our AI processes, including how our models analyze contracts and generate recommendations.

Data Retention & Deletion

We follow strict data retention policies:

- Original contract documents are not stored after processing
- Account data is retained for the duration of your subscription
- Upon account deletion, all associated data is permanently removed within 30 days
- Billing records are retained as required by applicable tax and accounting laws
- You can request a full data export or deletion at any time by contacting us

Incident Response

We maintain a documented incident response plan that includes:

- 24-hour initial assessment for all reported security incidents
- Notification to affected users within 72 hours as required by GDPR
- Root cause analysis and remediation for all confirmed incidents
- Regular incident response drills and plan reviews
- Dedicated security contact at security@addin.ro

Security Practices

Our development and operational security practices include:

- Role-based access controls and least-privilege principles
- Regular security assessments and vulnerability scanning
- Secure software development lifecycle (SSDLC)
- Employee security awareness training
- Multi-factor authentication for all internal systems
- Continuous monitoring and logging of system access
- Third-party security audits conducted annually

Security Contact

If you have security questions, concerns, or wish to report a vulnerability, please contact our security team at security@addin.ro. We take all security reports seriously and will respond within one business day.