// Trust & Security Report
eBrevia, Inc.
Contract intelligence and AI-powered contract management platform. Products include Contract Analyzer (AI contract review and extraction), DraftPro (AI-assisted contract drafting in Microsoft Word), and integration tools (Prep, Lens, Connect) for enterprise legal and corporate teams.
Certifications held
3
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ebrevia.com“SOC 2 Type II - Enterprise-ready controls and audit alignment; Bank-grade security, Powerful encryption, SOC 2 Type 2 Certification”
Verify on ebrevia.com“We are certified for SOC 1 and SOC 2, and fully compliant with GDPR and HIPAA requirements”
Verify on ebrevia.com“fully compliant with GDPR requirements; Support for global privacy expectations including GDPR and CCPA; GDPR contact: c/o Ethan O'Reilly, EOReilly@eBrevia.com”
> Show 4 unconfirmed / not-held certifications
source: ebrevia.comHomepage claims 'fully compliant with HIPAA requirements' but Privacy Policy explicitly states: 'health or medical information covered by the Health Insurance Portability and Accountability Act' is excluded from scope. No BAA or HIPAA-covered entity designation found.
source: ebrevia.comNo public evidence on vendor domain; claimed by third-party aggregators (Nudge Security) but not confirmed on ebrevia.com
source: ebrevia.comNo public evidence on vendor domain; only mentioned by third-party aggregators
source: ebrevia.comNo public evidence on vendor domain; only mentioned by third-party aggregators
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States by default; distributed across North America, South America, Europe, Asia, and Australia if instructed otherwise. Hosts in US only unless directed otherwise.
Privacy policy does not disclose whether customer contracts or data are used for AI model training or improvement. This is a gap that should be clarified with the vendor.
// Security controls
Encryption
Bank-grade encryption; specific algorithms and transit/rest encryption not detailed
ebrevia.comAccess Control
Role-based access control (RBAC) with per-team/matter/workflow restrictions
ebrevia.comData Retention
Live service data deleted on request; backup retained 6 months post-termination; legal compliance exceptions apply
ebrevia.comDeployment
Multi-tenant cloud, single-tenant dedicated cloud, or on-premises private deployment available
ebrevia.com// Products & data scope
data: Legal contracts, vendor agreements, procurement documents (non-PHI)
Scans 50+ documents in 1 minute; extracts key terms and provisions; integrates with VDRs, SharePoint, Box, iManage, Salesforce
data: Legal contracts, NDAs, loan agreements, advisory contracts (non-PHI)
Microsoft Word integration; accesses precedent clause library; playbook-based compliance checking; AI-powered redline suggestions
data: M&A diligence documents, transaction contracts
data: Contract insights and dashboards
data: VDR and document system integrations
Venue, SharePoint, Box, iManage, Salesforce integrations
// What to watch
- HIPAA over-claim: Homepage claims 'fully compliant with HIPAA requirements' but Privacy Policy explicitly excludes HIPAA-covered health information from scope. If they do not handle PHI, they should not claim HIPAA compliance; if they do, they need a BAA and proper disclosure. This is misleading.
- SOC 1 documentation gap: SOC 1 is mentioned on homepage but detailed information is only available for SOC 2 Type II on the /security page. No SOC 1 Type I or Type II designation found.
- Third-party cert claims unverified: Nudge Security aggregator claims ISO 27001, PCI DSS, FedRamp, and CSA Star Level 1 compliance, but these are not mentioned on eBrevia's vendor-domain pages (ebrevia.com). Do not include these in comparison without direct vendor confirmation.
- AI training data disclosure gap: Privacy policy does not address whether customer contracts or extracted data are used to train or improve AI models. This is critical for legal/contract data and should be clarified.
- DPA unavailability: No Data Processing Agreement (DPA) mentioned in Terms or Privacy Policy; should be requested during vendor evaluation.
- No dedicated trust center: eBrevia has no dedicated trust/compliance center page; security/compliance info scattered across homepage, /security, /privacy-policy, and /data-privacy pages.
- Identity verified: eBrevia, Inc., Delaware corporation, 1800 Le Jeune Road, Coral Gables, FL 33134 USA.
// At a glance
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on eBrevia, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
ebrevia.com