Security

Security reports need a clear path.

Use the security contact for vulnerabilities, exposed secrets, access-control concerns, or infrastructure issues related to ContractIQ.

Report

Send enough detail to reproduce.

Please include the affected URL, steps to reproduce, expected and actual behavior, and whether any tenant data may have been exposed.

security@contractiq.fyi

Public posture

The marketing service is designed as a static-template Go service with embedded assets, no database, no OpenAI dependency, and no tenant corpus on the request path.

Do not include secrets

Do not send live credentials, access tokens, or sensitive crew records by email. Describe the exposure and wait for a secure path if sensitive material is required.

Operational separation

The public marketing site should run separately from tenant answer sites. The marketing deployment should not require product secrets such as OpenAI keys, DuckDB files, or publication bundles.