Security overview
Odingard Studio is a multi-tenant SaaS platform delivered on a globally distributed edge platform. Security is enforced at every layer — network, application, and data.
Tenant isolation
Every request is authorized against the caller's organization; data access is scoped per-organization and entitlements are checked on each protected action (fail-closed).
Edge protection
TLS 1.2+, HSTS, a strict Content-Security-Policy, and a Web Application Firewall front all traffic, with DDoS mitigation at the network edge.
Rate limiting
Authentication and sensitive endpoints are rate-limited to resist brute-force and abuse.
Audit logging
Security-relevant actions are written to an append-only audit log for traceability.
Least privilege
Role- and permission-based access control governs administrative and billing actions within an organization.
Secure SDLC
Changes go through code review, automated type checks, linting, and unit tests in CI before deployment, with staging and rollback paths.
Encryption
- In transit: all traffic is served over HTTPS (TLS 1.2 or higher); HTTP is redirected and HSTS is enabled.
- At rest: customer data is stored in managed databases and object storage that are encrypted at rest.
- Credentials: user passwords are never stored in plaintext; session and API tokens are stored as hashes, not raw values.
- Payment data: card details are entered on our PCI-compliant payment processor's hosted checkout and are never transmitted to or stored by Odingard.
Data handling
- What we process: account and organization details, the documents you upload for analysis, and the metadata our Contract AI extracts from them.
- Purpose: data is processed solely to provide the Studio services you use (e.g., contract extraction, clause and obligation analysis).
- AI processing: uploaded document text is sent to our AI model provider strictly to perform extraction for your organization. It is not used to train third-party models by our configuration.
- Tenancy: your data is logically isolated per organization and is not shared across tenants.
- Retention & deletion: you may delete contracts and data from your workspace; deletion requests for an organization can be made via the contact below.
Privacy
We collect only the data needed to operate the service and do not sell personal data. Sub-processors are limited to the infrastructure, payment, email, and AI-model providers required to deliver the product. For privacy inquiries, data-subject requests, or a Data Processing Addendum, contact privacy@odingard.com.
Availability & status
Studio runs on a globally distributed, redundant edge platform. We monitor service health with observability and alerting, and maintain tested backup/restore and rollback procedures for both the application and its database.
| Component | Endpoint | State |
|---|---|---|
| Studio app | studio.odingard.com | Operational |
| API | api.odingard.com | Operational |
| API health check | api.odingard.com/health/live | Operational |
Status reflects current known state; this page is updated as our monitoring evolves.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in an Odingard product:
- Email security@odingard.com with steps to reproduce and any relevant details.
- Please give us reasonable time to investigate and remediate before public disclosure.
- Do not access, modify, or exfiltrate data that is not yours, and avoid actions that degrade the service (e.g., denial of service) or violate privacy.
We will acknowledge valid reports and keep you informed of remediation progress. We do not pursue legal action against researchers acting in good faith under these guidelines.
Security practices
The controls below are in place today.
| Control | Status |
|---|---|
| Encryption in transit & at rest | In place |
| Audit logging | In place |
| Backup & restore, rollback procedures | In place (tested) |
| Tenant isolation & least-privilege access control | In place |
| Rate limiting on sensitive endpoints | In place |