Is our data used for model training?

Customer documents are not used to train public foundation models. Documents may be processed using AWS-hosted AI infrastructure configured for encrypted processing and restricted access controls, subject to provider data-privacy settings. We do not resell your data.

Yes. Engagements are NDA-first — we execute a mutual NDA before you share invoices or contracts. A data processing addendum is available on request.

What vendors do you support?

Any vendor where you have invoices plus executed agreements — MSAs, order forms, renewal letters, or amendments. We see the strongest signal in SaaS, cloud, and multi-year enterprise stacks.

How long does an audit take?

We target delivery of your initial audit report within 48 hours of receiving a complete document set (invoices and the matching contracts or amendments). Larger portfolios may be phased.

How are findings verified?

Confirmed items come from documented invoice audit work — rates, dates, quantities, duplicates, and arithmetic checked against contract text. Those findings are reviewed in an analyst-validated workflow before delivery. Review-required items are explicitly labeled with source language so your finance and legal teams can decide.

What counts as a confirmed discrepancy?

A confirmed discrepancy is one where the outcome does not depend on interpretation: for example a billed rate above the contracted rate, an expired price still invoiced, a duplicated line, or a tier discount that was not applied per black-and-white terms.

What happens after findings are delivered?

You receive a recovery-focused report with evidence (clause + invoice line references). You decide how to pursue vendors or internal true-ups. Under our standard offer there is no fee if nothing material is found.

Do you contact vendors directly?

No, unless we agree otherwise in writing. We equip your team with documentation; your procurement or AP function owns vendor conversations.

How do confirmed findings differ from review-required ones?

Confirmed findings use clause-cited matching and explicit contract violations, then human review before delivery. Review-required findings flag ambiguous language or situations needing legal interpretation — they are advisory only and never presented as guaranteed recoveries.

Do you need access to our ERP or accounting software?

No. We work from invoice PDFs and contract documents. No API or system access is required.

What if you find nothing?

You owe nothing — no invoice and no obligation beyond normal confidentiality.

How do we know the report is accurate?

Every item cites the contract clause and invoice evidence side by side. We design the report so your team can independently verify without trusting a black box.

What's the difference between Phase 1 and Phase 2?

Phase 1 (now): Historical audit. We find past vendor overcharges on your invoices. You pay 15% of what we help recover. Phase 2 (Q3): Ongoing monitoring. Real-time Q&A, policy optimization, and payment alerts. $1,500/month.

Can I use both Phase 1 and Phase 2?

Yes. Start with Phase 1 to find past overcharges. Then sign up for Phase 2 for continuous protection going forward.

When is Q3 available?

We're targeting Q3 2026 (July-September). Join the waitlist for early access and special early-adopter pricing.

What vendors work with the Q3 features?

All vendors. AWS, GCP, Salesforce, DataDog, Stripe, etc. Any contract with billing complexity. The chatbot, policy generator, and alerts work across any vendor type.

Can I cancel Phase 2 anytime?

Yes. Month-to-month billing. No lock-in. Cancel anytime.

How should we read your security disclosures?

Security and operational practices described on this site reflect current practices and may evolve as infrastructure and engagement processes mature.

How is our data encrypted?

Data uses TLS 1.2+ in transit and AES-256 at rest on AWS. AI-assisted processing may use AWS-hosted infrastructure configured for encrypted processing and restricted access; we minimize storage of document contents in application and infrastructure logs where practicable.

Where is data processed and stored (data residency)?

Engagement data is processed and stored in U.S. AWS regions only. We do not move your audit documents to non-U.S. regions for processing.

Do you use subcontractors for our engagement?

For infrastructure and AI inference we rely on Amazon Web Services (AWS) under the AWS Customer Agreement and (where required) AWS data-processing terms. We do not route your documents through additional subprocessors, offshore labelers, or external training vendors for audit work. Additional infrastructure providers may be introduced as the platform evolves; material subprocessors will be disclosed in our privacy policy.

Who has access to our documents?

Access to customer documents is restricted to authorized personnel with a business need, under least-privilege AWS IAM policies. We do not use offshore contractors for document review.

What audit logging and access controls do you use?

AWS account and API activity is logged via AWS CloudTrail (and other standard AWS logging). Human access to production data follows role-based, least-privilege controls. We can summarize what we retain and for how long during security diligence.

Do you have SOC 2 Type II?

Clawback Labs does not currently maintain SOC 2 Type II certification. We are implementing foundational operational and security controls commonly expected in preparation for future compliance programs as the platform scales.

Do you carry cyber liability insurance?

Clawback Labs does not currently maintain standalone cyber liability coverage. Coverage evaluation is planned as engagement volume and operational scope expand.

How long do you keep our files?

Source documents are retained only for engagement processing purposes and are targeted for deletion no later than 48 hours after report delivery unless otherwise requested in writing. Operational security logs and infrastructure metadata may persist for limited periods as part of standard cloud security operations. We retain only the delivered audit report as your work product unless you ask us to remove that as well.

What evidence do we get that files were deleted (retention evidence)?

An automated confirmation email is sent with a deletion timestamp and a list of files removed. Customer source documents are targeted for deletion after engagement completion, subject to limited operational logging and legal obligations. We do not use a third-party attestation service—the confirmation email is your operational record of deletion.

Can I request early deletion?

Yes. On written notice we delete immediately and send the same automated confirmation email with timestamp and file list.

What about backups and server logs?

Deletion includes active copies, retained backups of your source materials, and engagement-scoped processing logs. Only the final audit report remains. Broad AWS account telemetry (for example CloudTrail) is governed by AWS retention; we can walk through exactly what applies during diligence.

Do you have a secure file upload portal?

We typically use password-protected cloud links or your preferred encrypted transfer method.

For US finance teams with material SaaS, cloud & vendor spend

We find vendor overcharges. You keep 85%.

We compare SaaS, cloud, and enterprise invoices to the contracts you actually signed — pricing drift, missed discounts, renewals, duplicates. Free to start. You pay 15% only on money we help you recover.

Clause excerpt

“Annual cap for Enterprise seats shall not exceed…”

[ redacted list schedule ]

Invoice lines

SKU-ACU-02$12,400

SKU-ACU-02 (dup)$12,400

Support tier$2,100

Reconciliation

Invoiced$14,750

Contract cap$13,275

Variance+$1,475

Free initial audit48h turnaroundNDA before documentsNo ERP access15% on recoveries only

Typical audit inputs: MSAs · Order Forms · SaaS Invoices · Cloud Billing Statements · Renewal Amendments

Audit against your actual contracts

Line-by-line comparison to signed language — not benchmarks or generic invoice scanning.

Synthetic illustration

Invoice$1,449

Contract$1,200

Variance+$249

ConfirmedDocumented match

Results in 48 hours

Initial audit memo targeted within two business days of a complete document package — phased when portfolios are large.

Turnaround ref

TAT-STD-48H

You pay nothing upfront

Contingency on recovered overcharges — no engagement fee when findings do not support action.

Fee basis15% recovered

If zero findings$0

Typical findings range from 1–5% of annual vendor spend when billing inconsistencies exist — exact outcomes depend on portfolio complexity and documentation quality.

Most discrepancies involve pricing drift, missed discounts, or duplicate billing once matched to signed terms.

Audit scope

What we review

We compare invoices to your contracts — structured review, not generic parsing.

Contract pricing & rates
Executed MSAs, order forms, price lists
Renewal pricing drift
Caps vs list-price movements
Volume & tier discounts
Spend thresholds and commitment tiers
Duplicate charges
Repeated SKUs, seats, or usage blocks
Overage calculations
True-up math vs contractual formulas
Bundled SKU compliance
Package pricing vs à la carte splits
Amendment enforcement
Side letters applied to billing profiles
Vendor billing discrepancies
Invoice vs baseline entitlement

Deliverable

What your report contains

Structured like an internal audit memo — so stakeholders know exactly what they are receiving.

Report components

[01]

Executive summary

Portfolio-level exposure and priority vendors

[02]

Confirmed discrepancies

Clause-cited matches with contract language and invoice lines

[03]

Review-required items

Ambiguity flagged for legal / procurement

[04]

Contract evidence excerpts

Quoted sections supporting each confirmed item

[05]

Recovery recommendations

Suggested credit memo or true-up language

[06]

Vendor escalation guidance

Fact pattern packaged for AP or vendor management

Classification

How findings are classified

Every discrepancy is labeled so finance knows what can go to a vendor as fact versus what needs legal or procurement judgment first.

Confirmed findings

Clause-cited

Reconciled against contract and invoice fields
Explicit contract violations (rates, quantities, dates, duplicates)
Human-reviewed before delivery
Suitable for vendor escalation with cited evidence

Review-required

Advisory

Ambiguous contract language or unstructured terms
Legal interpretation needed — advisory only
Clearly labeled in your report for finance & legal review

Pricing

No risk. Pay only for results.

Contingency audit (available now)

Line-by-line invoice audit against your contracts with cited evidence.

Free

15% of recovered overcharges only — no find, no fee

Free initial audit pass
48-hour turnaround (when document set is complete)
Invoice tax calculation consistency checks where vendors bill tax — aligned with contract pricing and invoice math only (not tax advice)

Continuous monitoring (contract Q&A, alerts) is on the Q3 2026 roadmap.

How it works

From files to recovery

Three steps — NDA-first intake, cited audit memo, contingency recovery.

INTAKE
Send us your files
Upload 3–6 months of vendor invoices and contracts via encrypted email or cloud link. NDA signed first.
No ERP or API access required
AUDIT
We audit within 48 hours
Our team compares every invoice line to your contract and cites the evidence.
TAT-STD-48H when document set is complete
RECOVER
You recover
Use our report with vendors directly. We provide the documentation. You pay 15% on what's recovered.
No find, no fee

Security & compliance

Procurement checklist

Dense status view for security reviews. Full Q&A in Security & data.

SOC 2 Type IISOC 2 roadmap

Cyber insuranceCoverage evaluation planned

Data residencyU.S. AWS regions

SubprocessorsAWS only

Audit loggingCloudTrail

Access controlsLeast privilege

Engagement data retention≤48h post-report

Deletion confirmationAutomated email

Insurance and audit cost ranges appear in the FAQ; figures are indicative, not quotes. Engagement logs are removed with source files; platform-level AWS logging is described in diligence.

FAQ

Frequently asked questions

Our commitments

We don't integrate with your ERP or internal systems
Customer source documents are targeted for deletion after engagement completion
Customer documents are not used to train public foundation models
We don't share findings with any third party
We don't require API access to anything
We don't charge anything if we find nothing

Every engagement starts with a signed NDA and ends with an automated deletion confirmation email.

General

Security & data

Covers residency (U.S. AWS), subprocessors, access controls, CloudTrail logging, automated deletion confirmation, and our current posture on SOC 2 Type II and cyber insurance — stated plainly for vendor security reviews.

Send three months of invoices. We'll show what you're overpaying.

Free audit pass, human-reviewed findings, ~48 hours when your document set is complete. You owe nothing if we don't find something actionable.