// Trust & Security Report

    ContractPod Technologies Limited (trading as Leah, formerly ContractPodAi) logo

    ContractPod Technologies Limited (trading as Leah, formerly ContractPodAi)

    Agentic AI platform for enterprise legal, contract lifecycle management (CLM), procurement, and finance operations. Sub-products: Leah Agentic OS (orchestration), Leah Legal, Leah Agentic CLM, Leah Procurement, Leah Finance.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1 Type 2 (SSAE-18)
    HELD

    Leah takes security seriously and conducts annual audits including SSAE-18 SOC 1 Type 2 and SSAE-18 SOC 2 Type 2, with certifications available to customers on request.

    Verify on leahai.com
    SOC 2 Type 2 (SSAE-18)
    HELD

    Leah takes security seriously and conducts annual audits including SSAE-18 SOC 1 Type 2 and SSAE-18 SOC 2 Type 2, with certifications available to customers on request. [Note: Microsoft 365 App Certification self-attestation by ContractPod Technologies Limited (January 2026) confirms 'SOC 2 Type 2: Yes', but lists most recent cert date as 2021-11-30. Vendor legal page claims annual renewal but more recent public evidence is not available. Certs provided to customers on request only.]

    Verify on leahai.com
    GDPR (compliance posture)
    HELD

    Our Data Processing Addendum (the DPA) explains how we process data. We include terms for the European Union's Standard Contractual Clauses, for California personal information, and how we transfer and protect data you trust us with. [DPA v4.0, last updated January 4, 2026, incorporates EU Standard Contractual Clauses.]

    Verify on leahai.com
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Vendor's own Microsoft 365 App Certification self-attestation (updated January 2026) explicitly states 'Is the app ISO 27001 certified? No'. AI governance page uses weaker language: 'ISO 27001 Aligned'. Marketing blog and CISO guide list ISO 27001 in a compliance table without the 'aligned' qualifier, which appears to be an over-claim not supported by formal attestation.

    source: learn.microsoft.com
    ISO 27018
    NOT CONFIRMED

    Vendor's own Microsoft 365 App Certification self-attestation (January 2026) explicitly states 'Does the app comply with ISO 27018? No'.

    source: learn.microsoft.com
    ISO 27017
    NOT CONFIRMED

    Vendor's own Microsoft 365 App Certification self-attestation (January 2026) explicitly states 'Does the app comply with ISO 27017? No'.

    source: learn.microsoft.com
    ISO 42001 (AI Management Systems)
    NOT CONFIRMED

    No public evidence found. AI governance page at leahai.com/ai-governance does not mention ISO 42001.

    source: leahai.com
    HIPAA
    NOT CONFIRMED

    AI governance page states only 'HIPAA Ready', not HIPAA certified or compliant. Blog post claims 'Business Associate Agreements (BAAs) available to meet healthcare client requirements', but the vendor's own Microsoft 365 App Certification self-attestation (January 2026) marks HIPAA as 'N/A'. No formal HIPAA compliance attestation found on vendor domain.

    source: leahai.com
    CSA STAR
    NOT CONFIRMED

    Vendor's own Microsoft 365 App Certification self-attestation (January 2026) explicitly states 'Has the app been Cloud Security Alliance (CSA Star) certified? No'.

    source: learn.microsoft.com
    FedRAMP
    NOT CONFIRMED

    CISO guide blog post mentions FedRAMP as 'in progress'. Microsoft 365 App Certification self-attestation (January 2026) states 'Is the app FedRAMP compliant? No'.

    source: learn.microsoft.com
    PCI DSS
    NOT CONFIRMED

    Vendor's own Microsoft 365 App Certification self-attestation (January 2026) states 'annual PCI DSS assessments: N/A'.

    source: learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Azure-hosted. Customer-selectable regions: North Continental Europe (Ireland, replicated to Netherlands), East US (replicated to West US), Australia East (replicated to Australia Central).

    Zero data retention policy confirmed with underlying LLM providers: 'Leah enforces zero data retention policies with OpenAI and Anthropic. Your data is processed but never stored by the underlying LLM providers.' Keys managed via Azure Key Vault. Source: leahai.com/ai-governance.

    // Security controls

    Encryption in transit

    TLS 1.3 for all data transfers

    leahai.com

    Encryption at rest

    AES-256 for databases and file systems; Azure Storage Encryption enabled for all storage accounts and cannot be disabled

    leahai.com

    Key management

    Azure Key Vault with regular key rotation

    leahai.com

    Infrastructure hosting

    Microsoft Azure (multi-tenant SaaS with isolated data partitions per customer)

    leahai.com

    Penetration testing

    Annual third-party penetration testing, plus testing prior to material changes

    learn.microsoft.com

    Vulnerability scanning

    Quarterly vulnerability scanning on the app and supporting infrastructure

    learn.microsoft.com

    Intrusion detection

    IDPS deployed at network perimeter

    learn.microsoft.com

    MFA

    MFA enforced for code repositories, DNS management, and credential systems

    learn.microsoft.com

    Breach notification

    Reports data breaches to supervisory authorities and affected individuals within 72 hours of detection

    learn.microsoft.com

    Uptime commitment

    99.9% (excluding scheduled maintenance)

    leahai.com

    Audit trail

    Tamper-resistant, immutable logs for all agent actions including reasoning, policies applied, data used, and outcomes

    leahai.com

    Anti-malware

    Traditional anti-malware protection and application controls deployed

    learn.microsoft.com

    // Products & data scope

    Leah Agentic OSAgentic AI platform / orchestration

    data: Enterprise commercial data: contracts, supplier records, legal obligations, procurement spend, financial data

    Core orchestration layer routing specialized agents across legal, contracting, and procurement domains. Multi-LLM (OpenAI, Anthropic and others dynamically selected).

    Leah LegalLegal operations AI

    data: Legal matters, regulatory filings, IP records, outside counsel data, contract terms

    Targets in-house legal teams. Connects to CLM and procurement data for cross-domain intelligence.

    Leah Agentic CLMContract lifecycle management

    data: Full contract corpus, clause libraries, negotiation history, obligations, renewals

    Core CLM capability. Word add-in (Leah for Word) is separately Microsoft 365 App Certified.

    Leah ProcurementSource-to-pay / procurement AI

    data: Supplier onboarding data, purchase orders, invoice data, spend data

    Connected to CLM for contract-term-aware procurement decisions.

    Leah FinanceFinancial operations AI

    data: Invoice, collections, treasury, spend control data tied to contract obligations

    Extension product for existing Leah platform customers in finance and shared services.

    // What to watch

    • ISO 27001 OVER-CLAIM: Marketing blog posts and CISO guide list ISO 27001 in a compliance table as a held certification, but the vendor's own Microsoft 365 App Certification self-attestation (ContractPod Technologies Limited, updated January 2026) explicitly states 'Is the app ISO 27001 certified? No'. The AI governance page uses the weaker phrase 'ISO 27001 Aligned'. AIFOXX must not list ISO 27001 as certified.
    • HIPAA AMBIGUITY: Blog post claims 'Business Associate Agreements (BAAs) available to meet healthcare client requirements' but the MS365 self-attestation marks HIPAA as 'N/A'. The AI governance page says only 'HIPAA Ready', not 'HIPAA compliant' or 'HIPAA certified'. No formal HIPAA Business Associate Agreement program is documented on the vendor domain beyond the marketing claim.
    • SOC 2 CERT DATE STALENESS: The most recent SOC 2 Type II cert date recorded in the Microsoft 365 App Certification self-attestation is 2021-11-30. The legal page claims 'annual audits' implying renewal, but no more recent third-party-evidenced cert date is publicly available. Certs are provided to customers on request only.
    • FEDRAMP IN PROGRESS: CISO guide blog lists FedRAMP as 'in progress'; it is not yet achieved. Do not represent as held.
    • REBRAND NOTE: ContractPodAi officially rebranded to Leah in January 2026 (BusinessWire announcement 2026-01-05). Legacy domain contractpodai.com redirects to leahai.com. Legal entity remains ContractPod Technologies Limited. Identity confirmed.
    • NO DEDICATED TRUST CENTER: The vendor does not operate a self-serve trust center portal. The legal page (leahai.com/legal) links to Privacy Statement, DPA, and a Security Data Sheet; the Security Data Sheet is available to customers on request, not publicly downloadable.

    // At a glance

    Pricing model

    Enterprise SaaS, custom pricing. Third-party review sources indicate tiered structure starting around $99/user/month (Essentials), $149/user/month (Professional), with Enterprise tier on custom quote. Pricing not publicly confirmed on vendor domain.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ContractPod Technologies Limited (trading as Leah, formerly ContractPodAi)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    leahai.com

    > Browse all vendor trust reports