Security

Certified AWS Data Centers

ISO 27001 Certified with SOC 1, 2 & 3 Reports

Amazon Web Services (AWS) data centers are ISO 27001 certified, offer SOC 1, 2 & 3 reports, and are physically secure with protective measures that restrict ingress and egress. These measures include electronic keycards, pin codes, and biometric hand scans. Additionally, onsite security officers guard the data centers 24 hours a day, 365 days a year. Offsite backups are also included as a protection against hardware failure, theft, virus attack, deletion, and natural disaster.

ContractWorks also offers automatic encrypted online hourly backups. We store all information in multiple data centers, which are located in geographically separate locations only in the United States, as a protection against hardware failure, theft, deletion, and natural disaster.

Encryption

256-bit encryption of all data, both in transit and at rest

All connections are protected using TLS with a 256-bit symmetric encryption and 2048-bit authenticated key agreement. Passwords are masked with a separate salt and encrypted with Bcrypt. While at the data centers, all data remains encrypted using 256-bit AES, which is certified for use by the U.S. Government for top-secret documents.

Single-Sign-On (SSO) using the SAML 2.0 Standard

Easy, secure identity management for organizations

With Single-Sign-On (SSO) using the SAML 2.0 standard, you can easily sign into one central program such as Microsoft Active Directory, OneLogin, or Okta to access many of your business applications including ContractWorks. Users can be added and removed easily and company-wide password policies can be enforced and maintained for all business applications, enhancing security. SSO removes the need for users to remember and manage multiple passwords, eliminating wasted time on resetting passwords.

Access Control

Granular permission settings provide complete access control

The ContractWorks client at the “Administrator” level is the only individual with the ability to invite other users, including inviting other administrators. When inviting users, administrators can select specific permission settings for each person invited.

Audit Trail Reporting

Know who’s doing what in your account

Audit trail reporting allows administrators to see every click registered in the system. Reports include user, date, time, and actions taken and can be exported to Excel. Administrators can also select to have an audit report automatically emailed to them on a daily basis.

Multi-Factor Authentication

An additional security layer to protect your account

Multi-Factor authentication offers a simple yet highly effective protection against cyber security attacks by requiring a second piece of information to access your secure contract repository.

SMS Authentication:
A five-digit SMS code is sent to the registered phone number and is needed for access. ContractWorks’ 2FA works worldwide. Users have the option to remember registered computers for thirty days.

Authentication App:
ContractWorks offers an additional authentication option that can be used as an alternative to SMS authentication.

This process involves first installing an authentication app such as Google Authenticator on any smartphone. Upon first set-up, ContractWorks will produce a QR code that is then scanned using the authentication app. The authentication app will produce a one-time six-digit verification code which the user must enter in addition to their username and password to login into ContractWorks. This process works securely as a secret key is passed between ContractWorks and the authentication app. A new one-time secret key is used each time the user logs in. This process makes it more difficult for an outside party to gain access to a ContractWorks account by just having a username and password alone.