
Help Center

Everything you need to know about using Renewly


SOC 2 Compliance

Renewly implements SOC 2 Type II engineering controls to protect your contract data. This page explains the security measures in place.

Field-Level Encryption

Sensitive contract fields are encrypted at rest using AES-256-GCM. This includes contact emails, phone numbers, payment details, and tax identifiers extracted from your contracts.

Encrypted fields include:
  • Vendor contact email and phone
  • Internal contact email
  • Payment details and bank accounts
  • Tax IDs and government identifiers

Data Retention Policies

Organisation admins can set retention periods for different types of data. When data exceeds its retention period, it can be automatically deleted or flagged for review.

Data type          Minimum retention     Default retention
Contracts          30 days               1 year
Audit Logs         90 days (SOC 2)       1 year
Extraction Data    30 days               1 year
Notifications      30 days               90 days

Audit logs have a minimum 90-day retention period to meet SOC 2 requirements. This cannot be reduced.
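The following is an added example, not Renewly's code, of how the retention floors and defaults listed above can be enforced: a resolver that rejects any configured period below the minimum (so the 90-day audit-log floor cannot be lowered) and a sweep that applies either of the two behaviours the page names, automatic deletion or flagging for review. The data-type keys, record shape and constructed sample records are assumptions.

```javascript
// Added example, not Renewly's code: retention policy enforcement.
const DAY_MS = 24 * 60 * 60 * 1000;

// Minimums and defaults as listed on this page, in days (1 year taken as 365).
// The 90-day audit-log minimum is the SOC 2 requirement and cannot be reduced.
const RETENTION_POLICY = {
  contracts:      { minDays: 30, defaultDays: 365 },
  auditLogs:      { minDays: 90, defaultDays: 365 },
  extractionData: { minDays: 30, defaultDays: 365 },
  notifications:  { minDays: 30, defaultDays: 90 },
};

// Resolve the effective retention for a data type. An unset value falls back to
// the default; a value below the floor (or not a whole number of days) is rejected
// rather than silently clamped, so a misconfiguration is visible to the admin.
function resolveRetentionDays(dataType, configuredDays) {
  const policy = RETENTION_POLICY[dataType];
  if (!policy) throw new Error(`unknown data type: ${dataType}`);
  if (configuredDays === undefined || configuredDays === null) return policy.defaultDays;
  if (!Number.isInteger(configuredDays) || configuredDays < policy.minDays) {
    throw new Error(`${dataType} retention must be a whole number of days >= ${policy.minDays}`);
  }
  return configuredDays;
}

// Sweep a set of records. mode is 'delete' or 'flag'; 'now' is injectable so the
// sweep is deterministic in tests. Returns the record ids in each bucket.
function sweep(dataType, records, { configuredDays, mode = 'flag', now = Date.now() } = {}) {
  if (mode !== 'delete' && mode !== 'flag') throw new Error(`unknown mode: ${mode}`);
  const days = resolveRetentionDays(dataType, configuredDays);
  const cutoff = now - days * DAY_MS;
  const result = { delete: [], flag: [], keep: [], retentionDays: days };
  for (const r of records) {
    const createdAt = Date.parse(r.createdAt);
    if (Number.isNaN(createdAt)) throw new Error(`record ${r.id} has an unparseable createdAt`);
    // A record is expired once it is strictly older than the retention window.
    if (createdAt < cutoff) result[mode].push(r.id);
    else result.keep.push(r.id);
  }
  return result;
}

// Constructed sample data: two notifications, swept on a fixed date.
const SAMPLE_NOW = Date.parse('2024-06-01T00:00:00Z');
const sampleNotifications = [
  { id: 'n-1', createdAt: '2024-01-01T00:00:00Z' }, // 152 days old, past the 90-day default
  { id: 'n-2', createdAt: '2024-05-01T00:00:00Z' }, //  31 days old, within retention
];
console.log(sweep('notifications', sampleNotifications, { mode: 'flag', now: SAMPLE_NOW }));

module.exports = { DAY_MS, RETENTION_POLICY, resolveRetentionDays, sweep, SAMPLE_NOW, sampleNotifications };
```

Keeping the floor check in the resolver rather than in the settings UI means an API client or a bulk import cannot bypass it either, which is the property an auditor will ask about.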

Security Event Monitoring

All security-relevant actions are logged with severity levels. Events include login attempts, password changes, API key operations, data access, and permission changes.

Severity levels:
  • Info: normal operations (logins, data access)
  • Warning: failed logins, permission changes, key revocations
  • Critical: suspicious activity, data deletion

Compliance Controls

  • Encryption at rest: All data encrypted via Supabase (AES-256). Sensitive fields have additional application-level encryption.
  • Encryption in transit: TLS 1.3 enforced on all connections. HSTS headers with 1-year max-age.
  • Access controls: Role-based access control (RBAC) with row-level security. Organisation-scoped data isolation.
  • Audit trail: Comprehensive activity logging with actor, action, timestamp, and IP address.
  • Authentication: Multi-factor authentication (TOTP), SSO/SAML, and OAuth 2.0 support.
  • Data minimisation: Configurable retention policies. Automatic deletion of expired data.

Managing Compliance Settings

Organisation admins can configure all compliance settings from the Settings page: