SOC 2 hosting and security controls
Renewly is hosted on SOC 2 Type II infrastructure (Supabase + Vercel). Renewly itself is not in audit scope; the SOC 2 certifications belong to our infrastructure vendors. On top of that infrastructure we apply the engineering controls described below.
For the full residency posture and sub-processor map, see /trust.
Field-Level Encryption
Sensitive fields extracted from your contracts are encrypted at rest using AES-256-GCM. The encrypted fields are:
- Vendor contact email and phone
- Internal contact email
- Payment details and bank accounts
- Tax IDs and government identifiers
Data Retention Policies
The platform-wide audit log is retained by Renewly for 3 years for security and compliance; org-level retention settings do not shorten it. On top of that, organisation admins can set retention periods for the application-level records below. When data exceeds its retention period, it can be automatically deleted or flagged for review.
Security Event Monitoring
All security-relevant actions are logged with severity levels. Events include sign-in attempts, 2FA changes, passkey enrollment and revocation, API key operations, data access, and permission changes.
Compliance Controls
Managing Compliance Settings
Organisation admins can configure all compliance settings from the Settings page:
- Settings > Data Retention - Configure retention periods
- Settings > Security Events - View security event log
- Settings > SSO - Configure single sign-on
- Settings > Activity - Full audit trail