// Trust & Security Report

    eBrevia, Inc. logo

    eBrevia, Inc.

    Contract intelligence and AI-powered contract management platform. Products include Contract Analyzer (AI contract review and extraction), DraftPro (AI-assisted contract drafting in Microsoft Word), and integration tools (Prep, Lens, Connect) for enterprise legal and corporate teams.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II - Enterprise-ready controls and audit alignment; Bank-grade security, Powerful encryption, SOC 2 Type 2 Certification

    Verify on ebrevia.com
    SOC 1
    HELD

    We are certified for SOC 1 and SOC 2, and fully compliant with GDPR and HIPAA requirements

    Verify on ebrevia.com
    GDPR
    HELD

    fully compliant with GDPR requirements; Support for global privacy expectations including GDPR and CCPA; GDPR contact: c/o Ethan O'Reilly, EOReilly@eBrevia.com

    Verify on ebrevia.com
    > Show 4 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Homepage claims 'fully compliant with HIPAA requirements' but Privacy Policy explicitly states: 'health or medical information covered by the Health Insurance Portability and Accountability Act' is excluded from scope. No BAA or HIPAA-covered entity designation found.

    source: ebrevia.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on vendor domain; claimed by third-party aggregators (Nudge Security) but not confirmed on ebrevia.com

    source: ebrevia.com
    PCI DSS
    NOT CONFIRMED

    No public evidence on vendor domain; only mentioned by third-party aggregators

    source: ebrevia.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor domain; only mentioned by third-party aggregators

    source: ebrevia.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States by default; distributed across North America, South America, Europe, Asia, and Australia if instructed otherwise. Hosts in US only unless directed otherwise.

    Privacy policy does not disclose whether customer contracts or data are used for AI model training or improvement. This is a gap that should be clarified with the vendor.

    // Security controls

    Encryption

    Bank-grade encryption; specific algorithms and transit/rest encryption not detailed

    ebrevia.com

    Authentication

    SSO, SAML, Okta, Google Login, Microsoft Login supported

    ebrevia.com

    Access Control

    Role-based access control (RBAC) with per-team/matter/workflow restrictions

    ebrevia.com

    Data Retention

    Live service data deleted on request; backup retained 6 months post-termination; legal compliance exceptions apply

    ebrevia.com

    Deployment

    Multi-tenant cloud, single-tenant dedicated cloud, or on-premises private deployment available

    ebrevia.com

    // Products & data scope

    Contract AnalyzerContract intelligence / Review automation

    data: Legal contracts, vendor agreements, procurement documents (non-PHI)

    Scans 50+ documents in 1 minute; extracts key terms and provisions; integrates with VDRs, SharePoint, Box, iManage, Salesforce

    DraftProContract drafting automation

    data: Legal contracts, NDAs, loan agreements, advisory contracts (non-PHI)

    Microsoft Word integration; accesses precedent clause library; playbook-based compliance checking; AI-powered redline suggestions

    PrepContract preparation

    data: M&A diligence documents, transaction contracts

    LensContract analysis

    data: Contract insights and dashboards

    ConnectIntegration platform

    data: VDR and document system integrations

    Venue, SharePoint, Box, iManage, Salesforce integrations

    // What to watch

    • HIPAA over-claim: Homepage claims 'fully compliant with HIPAA requirements' but Privacy Policy explicitly excludes HIPAA-covered health information from scope. If they do not handle PHI, they should not claim HIPAA compliance; if they do, they need a BAA and proper disclosure. This is misleading.
    • SOC 1 documentation gap: SOC 1 is mentioned on homepage but detailed information is only available for SOC 2 Type II on the /security page. No SOC 1 Type I or Type II designation found.
    • Third-party cert claims unverified: Nudge Security aggregator claims ISO 27001, PCI DSS, FedRamp, and CSA Star Level 1 compliance, but these are not mentioned on eBrevia's vendor-domain pages (ebrevia.com). Do not include these in comparison without direct vendor confirmation.
    • AI training data disclosure gap: Privacy policy does not address whether customer contracts or extracted data are used to train or improve AI models. This is critical for legal/contract data and should be clarified.
    • DPA unavailability: No Data Processing Agreement (DPA) mentioned in Terms or Privacy Policy; should be requested during vendor evaluation.
    • No dedicated trust center: eBrevia has no dedicated trust/compliance center page; security/compliance info scattered across homepage, /security, /privacy-policy, and /data-privacy pages.
    • Identity verified: eBrevia, Inc., Delaware corporation, 1800 Le Jeune Road, Coral Gables, FL 33134 USA.

    // At a glance

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on eBrevia, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    ebrevia.com

    > Browse all vendor trust reports