Question 1

Is our data used for model training?

Accepted Answer

Customer documents are not used to train public foundation models. Documents may be processed using AWS-hosted AI infrastructure configured for encrypted processing and restricted access controls, subject to provider data-privacy settings. We do not resell your data.

Question 2

Do you sign NDAs?

Accepted Answer

Yes. Engagements are NDA-first — we execute a mutual NDA before you share invoices or contracts. A data processing addendum is available on request.

Question 3

What vendors do you support?

Accepted Answer

Any vendor where you have invoices plus executed agreements — MSAs, order forms, renewal letters, or amendments. We see the strongest signal in SaaS, cloud, and multi-year enterprise stacks.

Question 4

How long does an audit take?

Accepted Answer

We target delivery of your initial audit report within 48 hours of receiving a complete document set (invoices and the matching contracts or amendments). Larger portfolios may be phased.

Question 5

How are findings verified?

Accepted Answer

Confirmed items come from documented invoice audit work — rates, dates, quantities, duplicates, and arithmetic checked against contract text. Those findings are reviewed in an analyst-validated workflow before delivery. Review-required items are explicitly labeled with source language so your finance and legal teams can decide.

Question 6

What counts as a confirmed discrepancy?

Accepted Answer

A confirmed discrepancy is one where the outcome does not depend on interpretation: for example a billed rate above the contracted rate, an expired price still invoiced, a duplicated line, or a tier discount that was not applied per black-and-white terms.

Question 7

What happens after findings are delivered?

Accepted Answer

You receive a recovery-focused report with evidence (clause + invoice line references). You decide how to pursue vendors or internal true-ups. Under our standard offer there is no fee if nothing material is found.

Question 8

Do you contact vendors directly?

Accepted Answer

No, unless we agree otherwise in writing. We equip your team with documentation; your procurement or AP function owns vendor conversations.

Question 9

How do confirmed findings differ from review-required ones?

Accepted Answer

Confirmed findings use clause-cited matching and explicit contract violations, then human review before delivery. Review-required findings flag ambiguous language or situations needing legal interpretation — they are advisory only and never presented as guaranteed recoveries.

Question 10

Do you need access to our ERP or accounting software?

Accepted Answer

No. We work from invoice PDFs and contract documents. No API or system access is required.

Question 11

What if you find nothing?

Accepted Answer

You owe nothing — no invoice and no obligation beyond normal confidentiality.

Question 12

How do we know the report is accurate?

Accepted Answer

Every item cites the contract clause and invoice evidence side by side. We design the report so your team can independently verify without trusting a black box.

Question 13

What's the difference between Phase 1 and Phase 2?

Accepted Answer

Phase 1 (now): Historical audit. We find past vendor overcharges on your invoices. You pay 15% of what we help recover. Phase 2 (Q3): Ongoing monitoring. Real-time Q&A, policy optimization, and payment alerts. $1,500/month.

Question 14

Can I use both Phase 1 and Phase 2?

Accepted Answer

Yes. Start with Phase 1 to find past overcharges. Then sign up for Phase 2 for continuous protection going forward.

Question 15

When is Q3 available?

Accepted Answer

We're targeting Q3 2026 (July-September). Join the waitlist for early access and special early-adopter pricing.

Question 16

What vendors work with the Q3 features?

Accepted Answer

All vendors. AWS, GCP, Salesforce, DataDog, Stripe, etc. Any contract with billing complexity. The chatbot, policy generator, and alerts work across any vendor type.

Question 17

Can I cancel Phase 2 anytime?

Accepted Answer

Yes. Month-to-month billing. No lock-in. Cancel anytime.

Question 18

How should we read your security disclosures?

Accepted Answer

Security and operational practices described on this site reflect current practices and may evolve as infrastructure and engagement processes mature.

Question 19

How is our data encrypted?

Accepted Answer

Data uses TLS 1.2+ in transit and AES-256 at rest on AWS. AI-assisted processing may use AWS-hosted infrastructure configured for encrypted processing and restricted access; we minimize storage of document contents in application and infrastructure logs where practicable.

Question 20

Where is data processed and stored (data residency)?

Accepted Answer

Engagement data is processed and stored in U.S. AWS regions only. We do not move your audit documents to non-U.S. regions for processing.

Question 21

Do you use subcontractors for our engagement?

Accepted Answer

For infrastructure and AI inference we rely on Amazon Web Services (AWS) under the AWS Customer Agreement and (where required) AWS data-processing terms. We do not route your documents through additional subprocessors, offshore labelers, or external training vendors for audit work. Additional infrastructure providers may be introduced as the platform evolves; material subprocessors will be disclosed in our privacy policy.

Question 22

Who has access to our documents?

Accepted Answer

Access to customer documents is restricted to authorized personnel with a business need, under least-privilege AWS IAM policies. We do not use offshore contractors for document review.

Question 23

What audit logging and access controls do you use?

Accepted Answer

AWS account and API activity is logged via AWS CloudTrail (and other standard AWS logging). Human access to production data follows role-based, least-privilege controls. We can summarize what we retain and for how long during security diligence.

Question 24

Do you have SOC 2 Type II?

Accepted Answer

Clawback Labs does not currently maintain SOC 2 Type II certification. We are implementing foundational operational and security controls commonly expected in preparation for future compliance programs as the platform scales.

Question 25

Do you carry cyber liability insurance?

Accepted Answer

Clawback Labs does not currently maintain standalone cyber liability coverage. Coverage evaluation is planned as engagement volume and operational scope expand.

Question 26

How long do you keep our files?

Accepted Answer

Source documents are retained only for engagement processing purposes and are targeted for deletion no later than 48 hours after report delivery unless otherwise requested in writing. Operational security logs and infrastructure metadata may persist for limited periods as part of standard cloud security operations. We retain only the delivered audit report as your work product unless you ask us to remove that as well.

Question 27

What evidence do we get that files were deleted (retention evidence)?

Accepted Answer

An automated confirmation email is sent with a deletion timestamp and a list of files removed. Customer source documents are targeted for deletion after engagement completion, subject to limited operational logging and legal obligations. We do not use a third-party attestation service—the confirmation email is your operational record of deletion.

Question 28

Can I request early deletion?

Accepted Answer

Yes. On written notice we delete immediately and send the same automated confirmation email with timestamp and file list.

Question 29

What about backups and server logs?

Accepted Answer

Deletion includes active copies, retained backups of your source materials, and engagement-scoped processing logs. Only the final audit report remains. Broad AWS account telemetry (for example CloudTrail) is governed by AWS retention; we can walk through exactly what applies during diligence.

Question 30

Do you have a secure file upload portal?

Accepted Answer

We typically use password-protected cloud links or your preferred encrypted transfer method.

Privacy Policy

1. Introduction

2. Information We Collect

Documents You Submit

Contact Information

Website Information

3. How We Use Your Information

Primary Use

Secondary Use

What We Do NOT Do

Professional Scope

4. Data Processing Infrastructure

AI Infrastructure

Encryption

5. Data Retention & Deletion

Retention Timeline

Deletion Confirmation

Report retention

6. Legal Basis for Processing

Contract

Consent

Legal Obligation

7. GDPR Compliance

Your Rights

Data Processing Agreement

International Data Transfers

8. Subprocessors

Amazon Web Services (AWS)

No Subcontracting

9. Security Measures

Security Principles

Technical Safeguards

Organizational Safeguards

Limitation

10. Third-Party Services

Google Workspace

Porkbun

File Transfer (if applicable)

11. Children's Privacy

12. Data Breach Notification

Commitment

Legal Obligation

13. Your Rights & Choices

Access

Correction

Deletion

Opt-Out

14. International Privacy Laws

GDPR (EU/EEA)

CCPA (California)

Other Jurisdictions

15. Contact & Complaints

Security Contact

Data Protection Officer

Privacy Inquiries

Supervisory Authority

16. Changes to This Policy

17. Contact Information