Security You Can Trust
Your contracts contain sensitive business information. Here's how we protect them.
Encryption
Encryption at Rest
All contract files and attachments are encrypted at rest with Fernet symmetric encryption (AES-128 in CBC mode, authenticated with an HMAC-SHA256 tag, so a modified ciphertext is rejected rather than decrypted). Documents are never stored in plain text: even if the storage layer were compromised, the files remain unreadable without the encryption keys.
Encryption in Transit
All data between your browser and our servers is protected with TLS (HTTPS), covering uploads, downloads, and all application data.
Access Control
Role-Based Access Control
Granular permissions with Admin, Contract Owner, User, and Professional Guest roles. Department-level controls ensure team members see only relevant contracts. Professional Guests receive time-limited, read-only access.
Password Security
We enforce strong password requirements (minimum 8 characters, with at least one uppercase letter, one lowercase letter, and one digit). Passwords are hashed with industry-standard password hashing algorithms before storage; we never store plain-text passwords.
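The following is an added example, not Accordable's own code: it applies the password rules stated above and then hashes with salted PBKDF2-HMAC-SHA256, verifying with a constant-time comparison. The iteration count and the `pbkdf2_sha256$iterations$salt$hash` record format are this example's own choices.

```python
# Added example (not Accordable's code): password policy check plus salted
# PBKDF2-HMAC-SHA256 hashing and constant-time verification using only the
# Python standard library. Iteration count and record format are assumptions.
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 8
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def password_policy_errors(password: str) -> list:
    """Return every rule the password violates; an empty list means it is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        errors.append("must contain an uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("must contain a lowercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("must contain a digit")
    return errors


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt; the record carries its own parameters,
    so the iteration count can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare in
    constant time so timing does not leak how many leading bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count or bad hex
        return False


if __name__ == "__main__":
    record = hash_password("Contract2024")
    print(record)
    print(verify_password("Contract2024", record), verify_password("contract2024", record))
```

Two hashes of the same password differ because each call draws a new salt; that is what defeats precomputed (rainbow) tables, and the iteration count is what makes each guess expensive.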
Account Protection & Login Throttling
Accounts are locked automatically after 5 failed login attempts, with a 15-minute cooldown before the next attempt is accepted. Authentication endpoints are also rate limited (20 login attempts per 15 minutes, 3 password resets per hour), which throttles brute-force and credential-stuffing attacks.
Two-Factor Authentication (2FA)
Protect your account with two flexible 2FA options:
- Authenticator App (TOTP): Use popular apps like Google Authenticator, Authy, or Microsoft Authenticator with secure QR code setup.
- SMS Verification: Receive 6-digit codes via text message to your verified phone number. Codes expire after 10 minutes with a 60-second cooldown between requests.
Both methods come with 8 backup codes for account recovery and prompt for verification at each login. Even if your password is compromised, 2FA blocks a login that lacks the second factor. The authenticator app option is the stronger of the two: SMS codes can be intercepted through SIM swapping, so prefer TOTP where you can.
Session Security & Timeout
Session cookies are set with the HttpOnly and Secure flags. Sessions expire after 30 minutes of inactivity, with a warning 5 minutes before expiry so you can extend them. Sessions are validated server-side, and "Log out all sessions" terminates every session from one place, including those on devices you no longer control.
Login History & Activity Monitoring
Review your last 20 login events with timestamps, device, browser, and OS details. Each session is clearly labeled with its status:
- Current: Your active session (highlighted in blue)
- Active: Other sessions still within the 30-minute window
- Expired: Sessions that have timed out
IP addresses are privacy-masked (e.g., "192.168.*.*"). Admins can view org-wide login activity (last 100 events) and remotely terminate sessions.
Professional Guest Access Controls
Professional Guest Access provides: time-limited windows that auto-expire, department-scoped read-only access, Internal-Only flagging for sensitive documents, and full audit logging of guest activity. Admins can revoke access at any time.
Audit & Accountability
Comprehensive Audit Trail
Every contract action is logged: views, uploads, edits, downloads, deletions, email sends, and opens. Each entry records user, timestamp, and IP address — full accountability with no gaps.
Multi-Tenant Data Isolation
Your data is completely isolated from other organizations:
- Organization-scoped queries: All database queries for contracts, departments, and users are filtered by organization ID.
- Authorization checks: Every API endpoint verifies that requested resources belong to your organization before access is granted.
- Department isolation: Department data is scoped to your organization, preventing cross-tenant data leakage.
You only see your own contracts, users, and audit logs - never data from other organizations.
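What an organization-scoped query looks like in practice, as an added example that is not Accordable's code: a lookup keyed only by contract id lets an authenticated user of one organization read another organization's contract by guessing the id (an insecure direct object reference), while the scoped versions take the organization id from the session and apply it to reads and deletes alike. The schema and rows are constructed for this example.

```python
# Added example (not Accordable's code): tenant-scoped reads and deletes in
# SQLite, contrasted with an unscoped lookup. Schema and data are constructed.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Two organizations, one contract each (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE organizations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE contracts (
            id INTEGER PRIMARY KEY,
            org_id INTEGER NOT NULL REFERENCES organizations(id),
            title TEXT NOT NULL);
        INSERT INTO organizations VALUES (1, 'Acme Ltd'), (2, 'Globex Corp');
        INSERT INTO contracts VALUES (100, 1, 'Acme NDA'), (200, 2, 'Globex MSA');
    """)
    return conn


def get_contract_unscoped(conn, contract_id):
    """Vulnerable: any logged-in user reaches any organization's row by id."""
    return conn.execute(
        "SELECT id, org_id, title FROM contracts WHERE id = ?", (contract_id,)
    ).fetchone()


def get_contract(conn, org_id, contract_id):
    """Scoped: org_id comes from the authenticated session, never from the request."""
    return conn.execute(
        "SELECT id, org_id, title FROM contracts WHERE id = ? AND org_id = ?",
        (contract_id, org_id),
    ).fetchone()


def list_contracts(conn, org_id):
    """Every list query carries the tenant filter; there is no unfiltered variant."""
    return conn.execute(
        "SELECT id, title FROM contracts WHERE org_id = ? ORDER BY id", (org_id,)
    ).fetchall()


def delete_contract(conn, org_id, contract_id) -> bool:
    """Mutations are scoped the same way; rowcount reveals whether the row was yours."""
    cur = conn.execute(
        "DELETE FROM contracts WHERE id = ? AND org_id = ?", (contract_id, org_id)
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = build_db()
    print("unscoped, org 1 user asks for 200:", get_contract_unscoped(db, 200))
    print("scoped,   org 1 user asks for 200:", get_contract(db, 1, 200))
```

Returning nothing (rather than a 403) for a contract that exists in another tenant is deliberate: it does not confirm to the caller that the id is valid.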
Infrastructure Security
Security Headers
We use standard security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy to help protect against XSS, clickjacking, and other common web vulnerabilities.
Rate Limiting
API endpoints are protected with rate limiting to prevent abuse and denial-of-service attempts. Login endpoints have stricter limits to protect against credential stuffing attacks.
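One way to implement the throttling described under "Account Protection & Login Throttling" and the per-endpoint limits described here, as an added example that is not Accordable's code: a sliding-window limiter keyed by client and route, a per-account lockout after 5 consecutive failures with a 15-minute cooldown, and a login routine that applies them in the cheapest-first order. The clock is passed in explicitly so the behaviour can be reproduced offline; the keying scheme and return values are this example's assumptions.

```python
# Added example (not Accordable's code): sliding-window rate limiting and
# failed-login lockout with the thresholds quoted on this page. Time is
# injected as a plain integer so the logic is deterministic.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` events per `window_seconds` for each key (e.g. 'login:<ip>')."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)

    def allow(self, key: str, now: int) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountLockout:
    """Lock an account after `max_failures` consecutive failures for `cooldown_seconds`."""

    def __init__(self, max_failures: int = 5, cooldown_seconds: int = 15 * 60):
        self.max_failures = max_failures
        self.cooldown = cooldown_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account: str, now: int) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:  # cooldown elapsed: unlock and reset the counter
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str, now: int) -> None:
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.cooldown

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Defaults with the page's figures: 20 logins / 15 min, 3 resets / hour, 5 failures -> 15 min.
LOGIN_LIMIT = SlidingWindowLimiter(limit=20, window_seconds=15 * 60)
RESET_LIMIT = SlidingWindowLimiter(limit=3, window_seconds=60 * 60)
LOCKOUT = AccountLockout(max_failures=5, cooldown_seconds=15 * 60)


def attempt_login(ip: str, account: str, password_ok: bool, now: int,
                  limiter: SlidingWindowLimiter = LOGIN_LIMIT,
                  lockout: AccountLockout = LOCKOUT) -> str:
    """Cheapest check first: per-IP limit, then account lock, then the password."""
    if not limiter.allow(f"login:{ip}", now):
        return "rate_limited"
    if lockout.is_locked(account, now):
        return "locked"
    if password_ok:
        lockout.record_success(account)
        return "ok"
    lockout.record_failure(account, now)
    return "locked" if lockout.is_locked(account, now) else "bad_credentials"


if __name__ == "__main__":
    for t in range(6):
        print(t, attempt_login("203.0.113.7", "alice", False, now=t))
```

A per-account lockout is itself a denial-of-service lever (anyone who knows a username can trigger it), which is why a short cooldown rather than a permanent lock, combined with the per-IP limit, is the usual compromise; the lockout also blocks the correct password until the cooldown passes, as the usage call shows.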
AI & Data Handling
AI Privacy
AI analysis powered by Google Gemini. Your data is never used to train AI models. Responses are grounded in your uploaded contracts along with the company profile, department descriptions, and contract type context you configure in Accordable — giving the AI the right context without exposing anything beyond what you provide.
Data Retention
You control your data. Archive contracts to the Library or permanently delete them — files, attachments, notes, and all associated data are removed.
Document Watermarking
Every downloaded or printed contract is automatically watermarked with the requesting user's identity and timestamp. Watermarks include the user's name, organization, and a "Confidential" warning to deter unauthorized redistribution. This creates accountability for document handling and helps trace the source of any leaked document.
Direct Email & Read Receipts
Our Direct Email feature allows you to send emails to vendors and counterparties directly from Accordable. Emails are sent via SendGrid with proper sender identification ("Your Name via Accordable") and Reply-To headers. Read receipts use a 1x1 tracking pixel to detect when recipients open your emails; they are best-effort, since many mail clients block remote images and some privacy proxies fetch them automatically, so an "opened" event can be missing or premature. All email activity is logged in the contract's audit trail for compliance purposes.
Have Security Questions?
We're happy to discuss our security practices in more detail. Contact us for additional information or to request our security documentation.
Contact Security Team