// Trust & Security Report

    Draftspotting Technologies Private Limited (with subsidiary Draftspotting Inc.) logo

    Draftspotting Technologies Private Limited (with subsidiary Draftspotting Inc.)

    AI-native contract lifecycle management (CLM) platform. Core products: SpotDraft AI (primary CLM with AI features), VerifAI (AI contract review), eSignatures (electronic signature execution), Workflows (contract automation), Repository & Analytics (contract storage and reporting), Legal Hub (integrated legal operations).

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001 (Information Security Management)
    HELD

    An ISO/IEC 27001:2013 Certified Company (from homepage footer); 'ISO 27001 - Information security management certification' (from compliance help page)

    Verify on spotdraft.com
    SOC 2 Type II
    HELD

    SpotDraft's compliance page lists a downloadable report issued to SpotDraft: 'SOC 2 (Type 2) - Download Report'. Note: the /security page sentence 'Google Cloud Platform uses a robust security program with multiple certifications, such as SOC 2 Type II and ISO 27001 certifications' describes the host (Google Cloud), not SpotDraft; the vendor's own SOC 2 Type II is evidenced by the downloadable report on its compliance/trust center pages.

    Verify on help.spotdraft.com
    GDPR Compliance
    HELD

    GDPR compliant, with easy-to-use tools to help customers meet their own GDPR obligations; SpotDraft adheres to GDPR regulations

    Verify on spotdraft.com
    HIPAA
    HELD

    HIPAA compliance is asserted in SpotDraft's website feature metadata ('HIPAA compliant') and echoed in third-party summaries. Caveat: HIPAA is NOT listed alongside SOC 2 Type II, ISO 27001, and GDPR on the vendor's downloadable compliance-reports page, and no HIPAA report/attestation is offered there. This reads as a compliance posture / BAA offering rather than a formal downloadable certification; verify a BAA and attestation with the vendor before relying on it.

    Verify on spotdraft.com
    > Show 4 unconfirmed / not-held certifications
    FIPS 140 (Encryption Standards)
    NOT CONFIRMED

    No FIPS 140 certification is held by SpotDraft. The /security page states 'FIPS-140-certified encryption safeguards customer data', which describes use of FIPS-140-validated cryptographic modules (provided via the Google Cloud KMS backing described on the same page), not a FIPS 140 certification of SpotDraft itself. FIPS 140 validates crypto modules, not SaaS vendors.

    source: spotdraft.com
    PCI DSS (Payment Card Industry)
    NOT CONFIRMED

    No public evidence of a PCI DSS certification. The /security page references only 'PCI-compatible encryption secures sensitive contract details (e.g., key points in contracts)', which is an encryption property, not a PCI DSS attestation. SpotDraft is a CLM, not a payment processor, and presents no PCI DSS report.

    source: spotdraft.com
    ISO/IEC 42001 (AI Management Systems)
    NOT CONFIRMED

    No public evidence found in vendor's trust center, security pages, or help documentation

    source: trustcenter.spotdraft.com
    CSA STAR (Cloud Security Alliance)
    NOT CONFIRMED

    No public evidence found in vendor's compliance documentation or security pages

    source: spotdraft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary and backup servers hosted in EU (Netherlands) on Google Cloud Platform; Personal data stored within selected regions (US, EU, India, Middle East) and not transmitted outside those locations

    What IS documented on-domain: (1) Privacy Policy: 'Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models'; (2) homepage positions the product as 'Contract AI you control' and announces an $8M Qualcomm raise to bring 'strictly on-device AI' to the legal industry (Jan 2026); (3) data can be deleted on request (60-day deletion, per Privacy Policy). Countervailing nuance: Terms of Use sections 3.3 and 4.3 expressly permit SpotDraft to analyze User Data on a pseudonymised basis and to create and own aggregate/anonymous data to 'develop and improve SpotDraft's products and services.' So product-improvement use of pseudonymised/aggregated data is contractually reserved even though identifiable contract content is not used to train generalized models.

    // Security controls

    Encryption in Transit

    TLS (Transport Layer Security) for data in transit

    spotdraft.com

    Encryption at Rest

    AES-256 encryption for data at rest; each contract receives unique encryption key via HashiCorp Vault with backup from Google Cloud KMS

    spotdraft.com

    Post-Execution Document Security

    Digital Signature Certificate (DSC) from Entrust; tampering detection via Adobe Acrobat

    help.spotdraft.com

    Access Control

    Single Sign-On (SSO), SAML authentication, role-based access controls, granular permissions, extensive audit logging

    spotdraft.com

    Infrastructure Provider

    Google Cloud Platform with 24/7 dedicated security staff, video surveillance, strictly managed physical access

    spotdraft.com

    Operational Security

    Business Continuity and Disaster Recovery program; regular penetration testing; vulnerability scanning; automated patch management

    spotdraft.com

    Audit Logging

    Detailed audit trail tracking key actions, events, IP addresses, geolocation, user details at contract level during signing workflow

    spotdraft.com

    Data Protection Officer

    Aniruddha Majumdar (Lead Counsel) - legal@spotdraft.com

    legal.spotdraft.com

    // Products & data scope

    SpotDraft AIAI-native Contract Lifecycle Management

    data: Processes and analyzes user contracts on-platform; AI features built into every part of platform while keeping customer data secure

    Primary CLM product with generative AI capabilities for contract drafting, review, negotiation intelligence, and metadata extraction. Designed per California State Bar Practical Guidance for GAI (Nov 2023) and ABA Formal Opinion 512 (Jul 2024)

    VerifAIAI Contract Review

    data: Customer documents uploaded for AI-assisted review; data NOT shared with third-party model vendors

    AI contract review tool explicitly stating customer data is not used to train models and is not shared with model vendors

    eSignaturesElectronic Signature & Execution

    data: Processes signed documents with audit logging and timestamp verification

    Built-in e-signature capability; supports Clickwrap agreements; includes detailed audit trail

    WorkflowsContract Automation

    data: Conditional templates, automated approvals, integration with third-party systems

    Enables process automation from draft to signature without manual email chains

    Repository & AnalyticsContract Storage and Reporting

    data: Centralized contract storage with search, version control, and analytics dashboards

    Searchable contract repository with compliance analytics and contract intelligence reporting

    Legal HubLegal Operations

    data: Integrated legal operations dashboard connecting workflows, approvals, and reporting

    Unified dashboard for legal teams across organization

    // What to watch

    • ISO 27001 version inconsistency: Homepage footer references ISO/IEC 27001:2013 (outdated standard with October 31, 2025 transition deadline already passed as of assessment date 2026-07-06). Unclear if SpotDraft has updated to ISO/IEC 27001:2022. This should be verified for compliance standards accuracy.
    • Host-vs-vendor conflation corrected on QA: the /security page attributes SOC 2 Type II and ISO 27001 to Google Cloud Platform ('Google Cloud Platform uses a robust security program with multiple certifications, such as SOC 2 Type II and ISO 27001'). Those two remain held=true because the vendor's own compliance/trust pages offer downloadable SpotDraft-issued SOC 2 Type II and ISO 27001 reports and the homepage footer self-declares ISO 27001, but the /security sentence itself is not vendor-cert evidence.
    • FIPS 140 and PCI DSS downgraded to held=false on QA: the /security page states only 'FIPS-140-certified encryption' and 'PCI-compatible encryption', which are encryption-module/property statements (FIPS 140 validates crypto modules; PCI-compatible is not a PCI DSS attestation), not certifications held by SpotDraft. Original draft over-claimed both as held certifications.
    • HIPAA is a marketing/compliance claim only: it appears in site feature metadata but is NOT listed among the vendor's downloadable compliance reports (SOC 2, ISO 27001, GDPR are). Removed from headline top_certs; confirm a BAA/attestation with the vendor before relying on HIPAA.
    • AI-training claim narrowed on QA: the draft's 'customer data NOT used to train OpenAI models / NOT shared with model vendor' could not be verified on-domain and was removed. Terms of Use sections 3.3 and 4.3 reserve pseudonymised and aggregate/anonymous data use for product improvement; only the Google Workspace API no-training line is directly documented.
    • No AI governance certifications found (ISO/IEC 42001, CSA STAR AI). Given SpotDraft's heavy emphasis on AI features and recent Qualcomm partnership for on-device AI, absence of these emerging standards is notable but not disqualifying.
    • Trust center (trustcenter.spotdraft.com, Sprinto-powered) returns HTTP 403 to automated fetch, so downloadable reports could not be independently opened; SOC 2 and ISO 27001 report existence is inferred from the vendor's help/compliance page listing. Financials in the draft ($380M valuation, $113M raised) are from press, not vendor security pages, and were not independently verified in this QA pass.

    // At a glance

    Pricing model

    Cloud SaaS; subscription-based with tiered plans; transparent pricing with no hidden fees; 14-day free trial available; customizable plans based on organization needs

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Draftspotting Technologies Private Limited (with subsidiary Draftspotting Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trustcenter.spotdraft.com

    > Browse all vendor trust reports