Security

A plain-English summary of how ShieldSign handles the contracts you upload, what we store, what we do not, and the safeguards around the service.

Contract handling

  • Contracts uploaded for the free fairness check are analysed in memory and are not written to persistent storage on our servers.
  • The £7 full report stores the structured analysis output (the fairness score, red-flag list, and rewrite language) so you can revisit it from your account. The original contract file itself is not retained.
  • Contracts are never used to train any AI model. Analysis is performed via Anthropic's Claude API, which has a zero-retention setting for our requests.

Infrastructure

  • Hosted on Vercel. Traffic is encrypted in transit (TLS 1.2+) with HSTS enforced for the production domain.
  • User accounts and analysis history use Supabase, which encrypts data at rest. Authentication is via passwordless magic-link email.
  • Payments are handled end-to-end by Stripe. ShieldSign never sees or stores card numbers.

Security headers

  • Strict-Transport-Security with a 2-year max-age and includeSubDomains.
  • X-Frame-Options: DENY (cannot be embedded in iframes).
  • X-Content-Type-Options: nosniff.
  • Referrer-Policy: strict-origin-when-cross-origin.
  • A Content-Security-Policy that restricts script, style, and connect sources to a small allowlist.
  • A Permissions-Policy that disables camera, microphone, and geolocation, and restricts payment to the site itself.
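One way to check a response against the header list above, as an added example that is not ShieldSign's own code: `auditHeaders` takes the response headers as an object keyed by lower-cased name and returns the checks that fail. The sample header values, the `https://js.example` origin, and the rule that a bare `*` source falls outside a "small allowlist" are assumptions made for the illustration.

```javascript
const TWO_YEARS = 63072000; // 2 * 365 * 24 * 3600 seconds
// Parse "name=value" or "name value" items separated by `sep` into a Map.
function directives(value, sep) {
  const out = new Map();
  for (const part of (value || "").split(sep)) {
    const m = part.trim().match(/^([^\s=]+)\s*=?\s*(.*)$/);
    if (m) out.set(m[1].toLowerCase(), m[2].trim());
  }
  return out;
}

// h: response headers keyed by lower-cased name. Returns the failed checks.
function auditHeaders(h) {
  const fail = [];
  const is = (name, want) => (h[name] || "").trim().toLowerCase() === want;
  const hsts = directives(h["strict-transport-security"], ";");
  const maxAge = Number(String(hsts.get("max-age") ?? "").replace(/"/g, ""));
  if (!(maxAge >= TWO_YEARS)) fail.push("hsts max-age");
  if (!hsts.has("includesubdomains")) fail.push("hsts includeSubDomains");
  if (!is("x-frame-options", "deny")) fail.push("x-frame-options");
  if (!is("x-content-type-options", "nosniff")) fail.push("x-content-type-options");
  if (!is("referrer-policy", "strict-origin-when-cross-origin")) fail.push("referrer-policy");
  const csp = directives(h["content-security-policy"], ";");
  for (const d of ["script-src", "style-src", "connect-src"]) {
    // These three fetch directives fall back to default-src when absent.
    const src = csp.has(d) ? csp.get(d) : csp.get("default-src");
    // Assumption: a bare "*" source is not a "small allowlist".
    if (src === undefined || src.split(/\s+/).includes("*")) fail.push("csp " + d);
  }
  const pp = directives(h["permissions-policy"], ",");
  for (const f of ["camera", "microphone", "geolocation"])
    if (pp.get(f) !== "()") fail.push("permissions-policy " + f);
  if (pp.get("payment") !== "(self)") fail.push("permissions-policy payment");
  return fail;
}

// Constructed sample values, not captured from the site.
const SAMPLE_OK = {
  "strict-transport-security": "max-age=63072000; includeSubDomains",
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
  "content-security-policy": "default-src 'self'; script-src 'self' https://js.example",
  "permissions-policy": "camera=(), microphone=(), geolocation=(), payment=(self)",
};
const SAMPLE_WEAK = { ...SAMPLE_OK, "x-frame-options": "SAMEORIGIN",
  "strict-transport-security": "max-age=31536000",
  "content-security-policy": "script-src *",
  "permissions-policy": "camera=(), microphone=(), geolocation=()" };
```

With Node 18 or later, the input object can be built from a live response using `Object.fromEntries(response.headers)` after a `fetch`, since fetch exposes header names in lower case.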

Tracking and cookies

Advertising and analytics cookies (Google Ads conversion tracking, Vercel Analytics) only fire after you accept on the cookie banner. Until consent is given, the relevant scripts run in a denied-by-default mode under Google Consent Mode v2. Essential cookies (session authentication, free-tier counter) are used regardless and do not require consent.

Disclosure and contact

Found a security issue? Please email the address below with details and steps to reproduce. We will acknowledge within 72 hours and aim to resolve confirmed issues quickly.