// Trust & Security Report
ContractPod Technologies Limited (trading as Leah, formerly ContractPodAi)
Agentic AI platform for enterprise legal, contract lifecycle management (CLM), procurement, and finance operations. Sub-products: Leah Agentic OS (orchestration), Leah Legal, Leah Agentic CLM, Leah Procurement, Leah Finance.
Certifications held
3
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on leahai.com“Leah takes security seriously and conducts annual audits including SSAE-18 SOC 1 Type 2 and SSAE-18 SOC 2 Type 2, with certifications available to customers on request.”
Verify on leahai.com“Leah takes security seriously and conducts annual audits including SSAE-18 SOC 1 Type 2 and SSAE-18 SOC 2 Type 2, with certifications available to customers on request. [Note: Microsoft 365 App Certification self-attestation by ContractPod Technologies Limited (January 2026) confirms 'SOC 2 Type 2: Yes', but lists most recent cert date as 2021-11-30. Vendor legal page claims annual renewal but more recent public evidence is not available. Certs provided to customers on request only.]”
Verify on leahai.com“Our Data Processing Addendum (the DPA) explains how we process data. We include terms for the European Union's Standard Contractual Clauses, for California personal information, and how we transfer and protect data you trust us with. [DPA v4.0, last updated January 4, 2026, incorporates EU Standard Contractual Clauses.]”
> Show 8 unconfirmed / not-held certifications
source: learn.microsoft.comVendor's own Microsoft 365 App Certification self-attestation (updated January 2026) explicitly states 'Is the app ISO 27001 certified? No'. AI governance page uses weaker language: 'ISO 27001 Aligned'. Marketing blog and CISO guide list ISO 27001 in a compliance table without the 'aligned' qualifier, which appears to be an over-claim not supported by formal attestation.
source: learn.microsoft.comVendor's own Microsoft 365 App Certification self-attestation (January 2026) explicitly states 'Does the app comply with ISO 27018? No'.
source: learn.microsoft.comVendor's own Microsoft 365 App Certification self-attestation (January 2026) explicitly states 'Does the app comply with ISO 27017? No'.
source: leahai.comNo public evidence found. AI governance page at leahai.com/ai-governance does not mention ISO 42001.
source: leahai.comAI governance page states only 'HIPAA Ready', not HIPAA certified or compliant. Blog post claims 'Business Associate Agreements (BAAs) available to meet healthcare client requirements', but the vendor's own Microsoft 365 App Certification self-attestation (January 2026) marks HIPAA as 'N/A'. No formal HIPAA compliance attestation found on vendor domain.
source: learn.microsoft.comVendor's own Microsoft 365 App Certification self-attestation (January 2026) explicitly states 'Has the app been Cloud Security Alliance (CSA Star) certified? No'.
source: learn.microsoft.comCISO guide blog post mentions FedRAMP as 'in progress'. Microsoft 365 App Certification self-attestation (January 2026) states 'Is the app FedRAMP compliant? No'.
source: learn.microsoft.comVendor's own Microsoft 365 App Certification self-attestation (January 2026) states 'annual PCI DSS assessments: N/A'.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Azure-hosted. Customer-selectable regions: North Continental Europe (Ireland, replicated to Netherlands), East US (replicated to West US), Australia East (replicated to Australia Central).
Zero data retention policy confirmed with underlying LLM providers: 'Leah enforces zero data retention policies with OpenAI and Anthropic. Your data is processed but never stored by the underlying LLM providers.' Keys managed via Azure Key Vault. Source: leahai.com/ai-governance.
// Security controls
Encryption at rest
AES-256 for databases and file systems; Azure Storage Encryption enabled for all storage accounts and cannot be disabled
leahai.comInfrastructure hosting
Microsoft Azure (multi-tenant SaaS with isolated data partitions per customer)
leahai.comPenetration testing
Annual third-party penetration testing, plus testing prior to material changes
learn.microsoft.comVulnerability scanning
Quarterly vulnerability scanning on the app and supporting infrastructure
learn.microsoft.comBreach notification
Reports data breaches to supervisory authorities and affected individuals within 72 hours of detection
learn.microsoft.comAudit trail
Tamper-resistant, immutable logs for all agent actions including reasoning, policies applied, data used, and outcomes
leahai.comAnti-malware
Traditional anti-malware protection and application controls deployed
learn.microsoft.com// Products & data scope
data: Enterprise commercial data: contracts, supplier records, legal obligations, procurement spend, financial data
Core orchestration layer routing specialized agents across legal, contracting, and procurement domains. Multi-LLM (OpenAI, Anthropic and others dynamically selected).
data: Legal matters, regulatory filings, IP records, outside counsel data, contract terms
Targets in-house legal teams. Connects to CLM and procurement data for cross-domain intelligence.
data: Full contract corpus, clause libraries, negotiation history, obligations, renewals
Core CLM capability. Word add-in (Leah for Word) is separately Microsoft 365 App Certified.
data: Supplier onboarding data, purchase orders, invoice data, spend data
Connected to CLM for contract-term-aware procurement decisions.
data: Invoice, collections, treasury, spend control data tied to contract obligations
Extension product for existing Leah platform customers in finance and shared services.
// What to watch
- ISO 27001 OVER-CLAIM: Marketing blog posts and CISO guide list ISO 27001 in a compliance table as a held certification, but the vendor's own Microsoft 365 App Certification self-attestation (ContractPod Technologies Limited, updated January 2026) explicitly states 'Is the app ISO 27001 certified? No'. The AI governance page uses the weaker phrase 'ISO 27001 Aligned'. AIFOXX must not list ISO 27001 as certified.
- HIPAA AMBIGUITY: Blog post claims 'Business Associate Agreements (BAAs) available to meet healthcare client requirements' but the MS365 self-attestation marks HIPAA as 'N/A'. The AI governance page says only 'HIPAA Ready', not 'HIPAA compliant' or 'HIPAA certified'. No formal HIPAA Business Associate Agreement program is documented on the vendor domain beyond the marketing claim.
- SOC 2 CERT DATE STALENESS: The most recent SOC 2 Type II cert date recorded in the Microsoft 365 App Certification self-attestation is 2021-11-30. The legal page claims 'annual audits' implying renewal, but no more recent third-party-evidenced cert date is publicly available. Certs are provided to customers on request only.
- FEDRAMP IN PROGRESS: CISO guide blog lists FedRAMP as 'in progress'; it is not yet achieved. Do not represent as held.
- REBRAND NOTE: ContractPodAi officially rebranded to Leah in January 2026 (BusinessWire announcement 2026-01-05). Legacy domain contractpodai.com redirects to leahai.com. Legal entity remains ContractPod Technologies Limited. Identity confirmed.
- NO DEDICATED TRUST CENTER: The vendor does not operate a self-serve trust center portal. The legal page (leahai.com/legal) links to Privacy Statement, DPA, and a Security Data Sheet; the Security Data Sheet is available to customers on request, not publicly downloadable.
// At a glance
Pricing model
Enterprise SaaS, custom pricing. Third-party review sources indicate tiered structure starting around $99/user/month (Essentials), $149/user/month (Professional), with Enterprise tier on custom quote. Pricing not publicly confirmed on vendor domain.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ContractPod Technologies Limited (trading as Leah, formerly ContractPodAi)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
leahai.com