Concord AI handles real contracts and personal information for businesses in insurance, finance, healthcare, and home services. We're built to meet the strictest U.S. and EU rules — ESIGN, HIPAA, SOC 2, GDPR, and more. Here's how we keep your data safe, in plain language.
Concord AI is built to meet — or go beyond — the rules below. Enterprise customers can request audit reports and evidence under NDA from compliance@concordapp.ai.
Our e-signatures are legally binding in all 50 U.S. states. We capture the signer's consent and identity, and lock a tamper-proof audit trail into every signed PDF.
Meets the EU's Advanced Electronic Signature standard. We verify the signer, keep the signature under their sole control, and can prove whether a document was changed after signing.
Built to safely handle protected health information for healthcare contracts. A signed Business Associate Agreement (BAA) is available on Enterprise plans.
Independently audited for security, uptime, and confidentiality. Audit in progress — we can share evidence with enterprise customers under NDA.
Meets the safeguards required for handling personal financial information: written security program, access controls, encryption, monitoring, and incident response.
Aligned with state insurance data-security laws: risk assessments, vendor oversight, board-level governance, and 72-hour breach notification.
The same person can't both create and approve a high-value contract. Every action is recorded in a permanent log, and template changes are tracked by version.
We honor data-privacy rights — view, export, correct, or delete your data — within 30 days. EU customers can choose to keep their data in Europe.
We never see, store, or process credit-card numbers. Any payments are handled by certified payment providers, not Concord AI.
These eight protections aren't just promises in a policy — they're built into the database, the server, and the app itself.
Every customer's data lives behind a database-level wall. Even if a bug got past our app, one customer could never see another customer's records.
All traffic uses modern HTTPS. Your data, files, and backups are encrypted on disk with AES-256, and our keys rotate automatically.
We block known leaked passwords, require email verification, and offer single sign-on (SSO) and two-factor authentication on Enterprise plans.
Sales reps and auditors see a clean, redacted view — no signing links, IP addresses, or signature images. Only admins see the full record.
When someone signs, we record their IP and device server-side (the browser can't fake it) and append it to a log that can't be edited or deleted.
Every signed PDF includes an audit certificate — who signed, when, from where, and a digital fingerprint that proves the contract hasn't been changed.
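As an added illustration of the two points above (server-side capture of the signer's address and an audit trail that cannot be silently edited), the following Python is example code written for this page; it is not Concord AI's implementation. The seal key, the trusted proxy address, the event names, the certificate layout and the sample events are all constructed assumptions. It shows a hash-chained, HMAC-sealed log in which rewriting any earlier entry breaks verification, and a certificate whose SHA-256 fingerprint no longer matches once the PDF changes.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed demo values (assumptions, not Concord's): a real deployment keeps the seal
# key in a KMS and learns the trusted proxy address from its edge configuration.
AUDIT_SEAL_KEY = b"constructed-demo-seal-key"
TRUSTED_PROXY = "10.0.0.1"
GENESIS = "0" * 64


def client_ip(remote_addr: str, headers: dict) -> str:
    """Address recorded for a signing event, taken from the server's side of the
    connection. Nothing from the signing form body is consulted. A forwarded header
    is honoured only when the TCP peer is our own proxy, and then only its rightmost
    entry, which is the address that proxy itself observed."""
    if remote_addr == TRUSTED_PROXY and headers.get("X-Forwarded-For"):
        return headers["X-Forwarded-For"].split(",")[-1].strip()
    return remote_addr


def fingerprint(pdf_bytes: bytes) -> str:
    """SHA-256 of the final signed PDF: the 'digital fingerprint' on the certificate."""
    return hashlib.sha256(pdf_bytes).hexdigest()


@dataclass
class AuditEntry:
    seq: int
    event: str
    signer: str
    ip: str
    user_agent: str
    timestamp: str
    prev_hash: str
    entry_hash: str = ""
    seal: str = ""


def _hash_entry(e: AuditEntry) -> str:
    body = {k: v for k, v in asdict(e).items() if k not in ("entry_hash", "seal")}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def _seal(entry_hash: str) -> str:
    return hmac.new(AUDIT_SEAL_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


class AppendOnlyAuditLog:
    """Hash-chained log. Each entry commits to the previous entry's hash, so editing or
    deleting any earlier row invalidates every later one; the HMAC seal means a party
    who can write rows but lacks the server key cannot rebuild the chain."""

    def __init__(self):
        self._entries: list = []

    def append(self, event, signer, ip, user_agent, timestamp) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        e = AuditEntry(len(self._entries), event, signer, ip, user_agent, timestamp, prev)
        e.entry_hash = _hash_entry(e)
        e.seal = _seal(e.entry_hash)
        self._entries.append(e)
        return e

    def entries(self) -> list:
        return list(self._entries)

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.seq != i or e.prev_hash != prev or _hash_entry(e) != e.entry_hash:
                return False
            if not hmac.compare_digest(_seal(e.entry_hash), e.seal):
                return False
            prev = e.entry_hash
        return True


def build_certificate(log: AppendOnlyAuditLog, signed_pdf: bytes) -> dict:
    """Who signed, when, from where, plus the document fingerprint and the chain head."""
    return {
        "document_sha256": fingerprint(signed_pdf),
        "chain_head": log.entries()[-1].entry_hash,
        "events": [{"signer": e.signer, "event": e.event, "when": e.timestamp, "ip": e.ip}
                   for e in log.entries()],
    }


def verify_certificate(cert: dict, pdf_bytes: bytes, log: AppendOnlyAuditLog) -> bool:
    return (log.verify()
            and hmac.compare_digest(cert["document_sha256"], fingerprint(pdf_bytes))
            and cert["chain_head"] == log.entries()[-1].entry_hash)


def demo() -> dict:
    """Constructed scenario: two signers, then an edit of a stored IP, then a changed PDF."""
    log = AppendOnlyAuditLog()
    ip1 = client_ip("10.0.0.1", {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"})  # via trusted proxy
    ip2 = client_ip("198.51.100.9", {"X-Forwarded-For": "9.9.9.9"})           # direct peer, header ignored
    log.append("signed", "carol", ip1, "Firefox/demo", "2024-01-02T10:00:00Z")
    log.append("signed", "dave", ip2, "Chrome/demo", "2024-01-03T11:30:00Z")
    pdf = b"%PDF-1.7 constructed signed contract bytes"
    cert = build_certificate(log, pdf)
    results = {"ip_via_proxy": ip1, "ip_direct": ip2, "chain_ok": log.verify(),
               "cert_ok": verify_certificate(cert, pdf, log),
               "altered_pdf_ok": verify_certificate(cert, pdf + b" ", log)}
    log._entries[0].ip = "127.0.0.1"  # simulate someone editing the stored row directly
    results["chain_ok_after_edit"] = log.verify()
    return results
```

The seal is what makes "can't be edited" hold against an insider with write access to the table: recomputing the hashes after an edit is easy, recomputing the seals is not without the key held outside the database.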
Each signing link is unique, expires after 14 days, and stops working the moment it's used. For multi-signer contracts, the next link only generates after the previous person signs.
The person who creates a contract can't also approve it when the price is above your approval threshold — only a designated approver or admin can.
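The signing-link lifecycle and the approval gate described in the two items above, as an added Python example written for this page rather than taken from Concord AI's code. The role names, the clock injection and the scenario in `demo()` are constructed assumptions; the 14-day expiry and the single-use, sequential behaviour follow the text. The design choice worth noting is that only a hash of each token is stored, so a copy of the database does not yield usable links.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

LINK_TTL = timedelta(days=14)  # from the page: a signing link expires after 14 days


def _token_hash(raw: str) -> str:
    # Only the digest is persisted; the raw token lives solely in the emailed URL.
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class SigningLink:
    signer: str
    token_hash: str
    expires_at: datetime
    used_at: Optional[datetime] = None


@dataclass
class Contract:
    creator: str
    price: float
    signers: list  # ordered; link N+1 is issued only after signer N has signed
    approved_by: Optional[str] = None
    links: list = field(default_factory=list)
    signatures: list = field(default_factory=list)


class SigningWorkflow:
    def __init__(self, approval_threshold: float, roles: dict,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.threshold = approval_threshold
        self.roles = roles  # user -> "creator" | "approver" | "admin" (assumed role names)
        self.now = now

    def approve(self, contract: Contract, approver: str) -> None:
        """Separation of duties: above the threshold the creator may not approve,
        and only a designated approver or admin may."""
        if contract.price > self.threshold:
            if approver == contract.creator:
                raise PermissionError("creator cannot approve a contract above the threshold")
            if self.roles.get(approver) not in ("approver", "admin"):
                raise PermissionError("only a designated approver or admin can approve")
        contract.approved_by = approver

    def issue_next_link(self, contract: Contract) -> Optional[str]:
        """Return the raw token for the next signer in order, or None once all have signed."""
        if contract.approved_by is None:
            raise PermissionError("contract is not approved")
        idx = len(contract.signatures)
        if idx >= len(contract.signers):
            return None
        now = self.now()
        if any(l.used_at is None and l.expires_at > now for l in contract.links):
            raise RuntimeError("a live link already exists; wait for the current signer")
        raw = secrets.token_urlsafe(32)
        contract.links.append(SigningLink(contract.signers[idx], _token_hash(raw), now + LINK_TTL))
        return raw

    def redeem(self, contract: Contract, raw_token: str) -> str:
        """Validate a presented token and record the signature; returns the signer."""
        digest = _token_hash(raw_token)
        link = next((l for l in contract.links if hmac.compare_digest(l.token_hash, digest)), None)
        if link is None:
            raise ValueError("unknown signing link")
        if link.used_at is not None:
            raise ValueError("signing link already used")
        now = self.now()
        if now >= link.expires_at:
            raise ValueError("signing link expired")
        idx = len(contract.signatures)
        if idx >= len(contract.signers) or link.signer != contract.signers[idx]:
            raise ValueError("not this signer's turn")
        link.used_at = now
        contract.signatures.append(link.signer)
        return link.signer


def _outcome(fn, exc) -> str:
    try:
        fn()
        return "allowed"
    except exc:
        return "blocked"


def demo() -> dict:
    """Constructed scenario driven by a controllable clock."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    wf = SigningWorkflow(10_000, {"alice": "creator", "bob": "approver"}, now=lambda: clock[0])
    c = Contract(creator="alice", price=50_000, signers=["carol", "dave"])
    out = {"self_approval": _outcome(lambda: wf.approve(c, "alice"), PermissionError)}
    wf.approve(c, "bob")
    t1 = wf.issue_next_link(c)
    out["second_link_before_signing"] = _outcome(lambda: wf.issue_next_link(c), RuntimeError)
    out["first_signer"] = wf.redeem(c, t1)
    out["replay_of_used_link"] = _outcome(lambda: wf.redeem(c, t1), ValueError)
    t2 = wf.issue_next_link(c)
    clock[0] += timedelta(days=15)
    out["expired_link"] = _outcome(lambda: wf.redeem(c, t2), ValueError)
    return out
```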
We collect only what we need to make the product work, and we honor every data-rights request within 30 days.
Signed contracts are kept for 7 years by default — long enough to satisfy IRS and most state insurance and financial recordkeeping rules (you can adjust this for your workspace). Deleted records are held for 30 days in case you change your mind, then permanently erased. Backups age out on the schedule below.
By default your data is stored in the U.S. (Virginia). EU customers can request European storage (Ireland) instead. We won't move your data between regions without your permission.
You can view, export, correct, delete, or restrict use of your data at any time. Email privacy@concordapp.ai. We'll verify your identity before releasing anything.
We notify customers at least 30 days before adding any sub-processor.
| Vendor | Purpose | Region |
|---|---|---|
| Cloudflare | Edge hosting, DDoS protection, WAF | Global |
| Supabase (managed Postgres) | Primary database, file storage, auth | US-East / EU-West |
| Resend / SES (configurable) | Transactional email delivery | US / EU |
| Google Cloud KMS | Encryption key management | US / EU |
We welcome reports from security researchers and customers. Please act in good faith and we will respond promptly and protect you under our safe-harbor terms.
Email security@concordapp.ai with a clear description, reproduction steps, the impact, and any suggested remediation. PGP key fingerprint available on request.
| Severity | First response | Status updates | Target fix |
|---|---|---|---|
| Critical | 24 hours | every 24h | 7 days |
| High | 48 hours | every 72h | 30 days |
| Medium | 5 business days | weekly | 90 days |
| Low | 10 business days | monthly | best effort |
We will not pursue legal action against researchers who make a good-faith effort to avoid privacy violations, data destruction, and service disruption; access only the minimum data necessary; do not exfiltrate, retain, or share customer data; give us a reasonable remediation window (default 90 days); and do not violate any other applicable law.