// Trust & Security Report
Draftspotting Technologies Private Limited (with subsidiary Draftspotting Inc.)
AI-native contract lifecycle management (CLM) platform. Core products: SpotDraft AI (primary CLM with AI features), VerifAI (AI contract review), eSignatures (electronic signature execution), Workflows (contract automation), Repository & Analytics (contract storage and reporting), Legal Hub (integrated legal operations).
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on spotdraft.com“An ISO/IEC 27001:2013 Certified Company (from homepage footer); 'ISO 27001 - Information security management certification' (from compliance help page)”
Verify on help.spotdraft.com“SpotDraft's compliance page lists a downloadable report issued to SpotDraft: 'SOC 2 (Type 2) - Download Report'. Note: the /security page sentence 'Google Cloud Platform uses a robust security program with multiple certifications, such as SOC 2 Type II and ISO 27001 certifications' describes the host (Google Cloud), not SpotDraft; the vendor's own SOC 2 Type II is evidenced by the downloadable report on its compliance/trust center pages.”
Verify on spotdraft.com“GDPR compliant, with easy-to-use tools to help customers meet their own GDPR obligations; SpotDraft adheres to GDPR regulations”
Verify on spotdraft.com“HIPAA compliance is asserted in SpotDraft's website feature metadata ('HIPAA compliant') and echoed in third-party summaries. Caveat: HIPAA is NOT listed alongside SOC 2 Type II, ISO 27001, and GDPR on the vendor's downloadable compliance-reports page, and no HIPAA report/attestation is offered there. This reads as a compliance posture / BAA offering rather than a formal downloadable certification; verify a BAA and attestation with the vendor before relying on it.”
> Show 4 unconfirmed / not-held certifications
source: spotdraft.comNo FIPS 140 certification is held by SpotDraft. The /security page states 'FIPS-140-certified encryption safeguards customer data', which describes use of FIPS-140-validated cryptographic modules (provided via the Google Cloud KMS backing described on the same page), not a FIPS 140 certification of SpotDraft itself. FIPS 140 validates crypto modules, not SaaS vendors.
source: spotdraft.comNo public evidence of a PCI DSS certification. The /security page references only 'PCI-compatible encryption secures sensitive contract details (e.g., key points in contracts)', which is an encryption property, not a PCI DSS attestation. SpotDraft is a CLM, not a payment processor, and presents no PCI DSS report.
source: trustcenter.spotdraft.comNo public evidence found in vendor's trust center, security pages, or help documentation
source: spotdraft.comNo public evidence found in vendor's compliance documentation or security pages
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary and backup servers hosted in EU (Netherlands) on Google Cloud Platform; Personal data stored within selected regions (US, EU, India, Middle East) and not transmitted outside those locations
What IS documented on-domain: (1) Privacy Policy: 'Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models'; (2) homepage positions the product as 'Contract AI you control' and announces an $8M Qualcomm raise to bring 'strictly on-device AI' to the legal industry (Jan 2026); (3) data can be deleted on request (60-day deletion, per Privacy Policy). Countervailing nuance: Terms of Use sections 3.3 and 4.3 expressly permit SpotDraft to analyze User Data on a pseudonymised basis and to create and own aggregate/anonymous data to 'develop and improve SpotDraft's products and services.' So product-improvement use of pseudonymised/aggregated data is contractually reserved even though identifiable contract content is not used to train generalized models.
// Security controls
Encryption at Rest
AES-256 encryption for data at rest; each contract receives unique encryption key via HashiCorp Vault with backup from Google Cloud KMS
spotdraft.comPost-Execution Document Security
Digital Signature Certificate (DSC) from Entrust; tampering detection via Adobe Acrobat
help.spotdraft.comAccess Control
Single Sign-On (SSO), SAML authentication, role-based access controls, granular permissions, extensive audit logging
spotdraft.comInfrastructure Provider
Google Cloud Platform with 24/7 dedicated security staff, video surveillance, strictly managed physical access
spotdraft.comOperational Security
Business Continuity and Disaster Recovery program; regular penetration testing; vulnerability scanning; automated patch management
spotdraft.comAudit Logging
Detailed audit trail tracking key actions, events, IP addresses, geolocation, user details at contract level during signing workflow
spotdraft.com// Products & data scope
data: Processes and analyzes user contracts on-platform; AI features built into every part of platform while keeping customer data secure
Primary CLM product with generative AI capabilities for contract drafting, review, negotiation intelligence, and metadata extraction. Designed per California State Bar Practical Guidance for GAI (Nov 2023) and ABA Formal Opinion 512 (Jul 2024)
data: Customer documents uploaded for AI-assisted review; data NOT shared with third-party model vendors
AI contract review tool explicitly stating customer data is not used to train models and is not shared with model vendors
data: Processes signed documents with audit logging and timestamp verification
Built-in e-signature capability; supports Clickwrap agreements; includes detailed audit trail
data: Conditional templates, automated approvals, integration with third-party systems
Enables process automation from draft to signature without manual email chains
data: Centralized contract storage with search, version control, and analytics dashboards
Searchable contract repository with compliance analytics and contract intelligence reporting
data: Integrated legal operations dashboard connecting workflows, approvals, and reporting
Unified dashboard for legal teams across organization
// What to watch
- ISO 27001 version inconsistency: Homepage footer references ISO/IEC 27001:2013 (outdated standard with October 31, 2025 transition deadline already passed as of assessment date 2026-07-06). Unclear if SpotDraft has updated to ISO/IEC 27001:2022. This should be verified for compliance standards accuracy.
- Host-vs-vendor conflation corrected on QA: the /security page attributes SOC 2 Type II and ISO 27001 to Google Cloud Platform ('Google Cloud Platform uses a robust security program with multiple certifications, such as SOC 2 Type II and ISO 27001'). Those two remain held=true because the vendor's own compliance/trust pages offer downloadable SpotDraft-issued SOC 2 Type II and ISO 27001 reports and the homepage footer self-declares ISO 27001, but the /security sentence itself is not vendor-cert evidence.
- FIPS 140 and PCI DSS downgraded to held=false on QA: the /security page states only 'FIPS-140-certified encryption' and 'PCI-compatible encryption', which are encryption-module/property statements (FIPS 140 validates crypto modules; PCI-compatible is not a PCI DSS attestation), not certifications held by SpotDraft. Original draft over-claimed both as held certifications.
- HIPAA is a marketing/compliance claim only: it appears in site feature metadata but is NOT listed among the vendor's downloadable compliance reports (SOC 2, ISO 27001, GDPR are). Removed from headline top_certs; confirm a BAA/attestation with the vendor before relying on HIPAA.
- AI-training claim narrowed on QA: the draft's 'customer data NOT used to train OpenAI models / NOT shared with model vendor' could not be verified on-domain and was removed. Terms of Use sections 3.3 and 4.3 reserve pseudonymised and aggregate/anonymous data use for product improvement; only the Google Workspace API no-training line is directly documented.
- No AI governance certifications found (ISO/IEC 42001, CSA STAR AI). Given SpotDraft's heavy emphasis on AI features and recent Qualcomm partnership for on-device AI, absence of these emerging standards is notable but not disqualifying.
- Trust center (trustcenter.spotdraft.com, Sprinto-powered) returns HTTP 403 to automated fetch, so downloadable reports could not be independently opened; SOC 2 and ISO 27001 report existence is inferred from the vendor's help/compliance page listing. Financials in the draft ($380M valuation, $113M raised) are from press, not vendor security pages, and were not independently verified in this QA pass.
// At a glance
Pricing model
Cloud SaaS; subscription-based with tiered plans; transparent pricing with no hidden fees; 14-day free trial available; customizable plans based on organization needs
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Draftspotting Technologies Private Limited (with subsidiary Draftspotting Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.spotdraft.com