docs.fusial

Data security & privacy

How Fusial handles your contract data — access, encryption, retention, and audit.

This page summarizes how Fusial handles your contract data — access, encryption, retention, and audit. For specific contractual commitments (DPA, SCCs, sub-processor list, regional hosting), contact your account owner.

Data we store

Fusial stores only what's needed to operate the contract workflow:

CategoryWhat it includes
Contract filesThe original .docx you upload, plus any clean exports Fusial recompiles.
Parsed contract contentParagraphs, runs, tracked changes, and stable paragraph anchors derived from the source .docx.
AI outputsExtracted terms, redline issues, response suggestions — all anchored to source paragraphs.
Workspace metadataOrganization name, members, roles, invitations, comments, assignments, audit events.
Account dataEmail, name, profile picture, authentication identifiers, session records, 2FA enrollment.
Integration credentialsOAuth tokens for any integration you connect. Sensitive integration tokens are encrypted at rest.
Notification preferencesPer-user channel preferences for the delivery channels you've enabled.

Fusial stores the contracts you upload so you can review, collaborate on, and export them. We treat that data as confidential by default. The sections below cover who can access it, how it's protected, and how long we keep it.

Tenant isolation

Every row of organization-scoped data is read and written through a tenant-scoped layer that injects the active organization ID into every query. Cross-organization access through application code paths is structurally prevented — a request authenticated for one organization cannot read or write data belonging to another.

Authentication

  • Email + password sign-in.
  • Google OAuth, optional.
  • Sessions are HTTP-only cookies; logout invalidates the session server-side.

Two-factor authentication

  • Available on every account.
  • Time-based one-time codes (authenticator app).
  • An organization owner can enforce 2FA org-wide. Members without 2FA enrolled are blocked from authenticated routes by a per-request gate until they enroll.

Roles

RolePermissions
ownerAll admin actions plus billing, member removal of admins, organization deletion.
adminManage members, settings, integrations, and all contracts.
memberUpload, review, decide on edits, run AI passes, export contracts.
viewerRead-only across the workspace. Cannot mutate any record.

Viewer is enforced at the data layer, not just the UI — viewers can never write, even if a UI element is reachable.

Encryption

  • In transit: all traffic is TLS.
  • At rest: contract files and structured workspace data are encrypted at rest.
  • Integration secrets: sensitive third-party tokens are encrypted at rest with a key derived from a deployment-specific secret, and decrypted only when needed to deliver a notification.

AI and your data

  • Fusial does not use customer contracts to train any AI model.
  • The AI providers Fusial calls do not, by default, train on data submitted through their APIs.
  • See How Fusial's AI works for what each AI pipeline sends and the controls available.

Audit log

Every action across your workspace is recorded and searchable. Open Settings → Audit log to see who did what, when, and to which contract.

  • Broad coverage — AI responses applied, reopened, or rejected; bulk decisions; edits and comments accepted or reopened; contract uploads, status changes, and exports; AI pipeline runs; member invites, role changes, and removals; integration installs and removals.
  • Filter by date, action, or user — narrow down to a specific person, time window, or action type.
  • Search by user or contract title — jump straight to the events that matter.
  • Expand any row for the raw payload — see the underlying event data, including edit IDs and decision metadata.

Audit events are append-only and scoped to your organization, and are visible to admins and owners.

Data retention and deletion

  • Contracts: owners and admins can delete a contract. Deletion removes the contract record and its underlying files.
  • Versions: older versions are retained as part of a contract's history and are deleted with the contract.
  • Organizations: deleting an organization cascades to its members, contracts, versions, and audit events.
  • Accounts: deleting a user account removes profile data and session history. Audit events that reference the user are retained but anonymized.

Data is retained until you delete it or delete the containing organization.

Sub-processors

For an up-to-date list of sub-processors that may receive customer data — along with the data category each receives and how it's used — contact your account owner. The list is available as part of our DPA.

Reporting a vulnerability

Email security@<your-fusial-domain> with reproduction steps. We acknowledge reports within 48 business hours. Please do not run automated scans against production tenants without prior coordination.

TODO: replace security@<your-fusial-domain> with the actual security contact address before publishing.