Procurement and compliance
Documents, contracts, and the typical timeline for closing an enterprise contract with AACsearch.
This page is for the person on your side who buys software — security, legal, finance, procurement. It lists every document you can request from us, the conditions on each, and the rough timeline.
Who to contact
| Topic | Contact |
|---|---|
| Sales, contracts, pricing | sales@aacsearch.com |
| Security questionnaire, DPA, sub-processors | security@aacsearch.com |
| Vulnerability reports | security@aacsearch.com (PGP key on request) |
| Privacy, data subject requests | privacy@aacsearch.com |
| Status page / incident communications | status@aacsearch.com |
For procurement-related questions, default to sales@aacsearch.com and we'll loop in the right team internally.
The document set
No NDA required
| Document | What it covers |
|---|---|
| Public security overview | This documentation, especially Security. |
| Standard DPA | GDPR Article 28 / 152-FZ Article 6 obligations. Pre-signed PDF on request. |
| Sub-processor list | Hosting (DigitalOcean, AWS), email (SES/SendGrid), payments (Stripe), etc. |
| Cookie / privacy policy | Public, linked from the marketing site. |
| Pricing | Standard plan pricing is public; Enterprise pricing is custom. |
Under mutual NDA
| Document | What it covers |
|---|---|
| SOC 2 Type II report | Latest 12-month audit. See SOC 2 checklist for scope. |
| Penetration test summary | Most recent third-party pentest, executive summary + remediation status. |
| Data flow diagram | Per region: ingress, processing, storage, sub-processors. |
| Disaster recovery plan | RTO, RPO, runbook. See also DR runbook. |
| Incident response policy | Detection, triage, communication, post-mortem process. |
To request the NDA set: email security@aacsearch.com with your company name and the specific documents you need. We typically reply within one business day.
Customer-specific
| Document | When you'd want it |
|---|---|
| Custom DPA | When your DPO requires changes to ours. We accept reasonable redlines. |
| MSA | When click-through ToS is not acceptable to your legal team. |
| BAA | HIPAA workloads. Available on Enterprise. |
| Custom SLA appendix | Uptime, response time, restore time. See Dedicated cluster. |
| Security questionnaire (CAIQ, SIG Lite, custom) | We fill it in. Typical turnaround 5 business days. |
Sub-processors
We process customer data through a small number of sub-processors. The current list is available on request and is updated whenever it changes. We commit to 30 days prior notice of a new sub-processor; you have a right to object. If you object, we'll work out an alternative or, if there isn't one, an off-ramp.
Data residency and personal data
All Enterprise contracts pick a data residency region at signing. Day-to-day operations stay inside that region — search nodes, database, object storage, backups. See Data residency.
For personal data subject to GDPR / 152-FZ:
- Article 28 / Article 6 obligations are covered by our DPA.
- Standard Contractual Clauses (SCCs) are part of the DPA when data leaves the EU.
- Data subject requests (access, erasure, rectification) — see Data privacy. Enterprise customers can route DSRs through their TAM.
Typical timeline
| Phase | Typical duration |
|---|---|
| Initial email → scoping call | 2–5 business days |
| Scoping call → security questionnaire response | 5 business days after NDA signed |
| Security questionnaire → contract draft | 5 business days |
| Contract draft → signature | 2–6 weeks (gated by your legal) |
| Signature → provisioning | 1–10 business days, depends on tier |
If your timeline is tighter than this, tell us at the start of the scoping call and we'll tell you honestly whether we can hit it.
What slows things down
In rough order of frequency, here is what stretches a procurement cycle out:
- Legal redlines on indemnification / liability. We accept reasonable changes; we will push back on unbounded liability or right-to-audit-on-demand.
- Adding new sub-processor controls mid-contract. If your contract requires per-sub-processor approval, we'll walk you through the current list at signing — make sure the right people review it then, not after.
- Custom SLA without a sizing call. We can't promise 99.99% without knowing the workload. Insist on the sizing conversation.
- Security questionnaire ambiguity. If a question is open-ended ("How do you ensure security?") we'll answer at the level of detail your reviewer wants, but it speeds things up when the reviewer can scope the question.
We'd rather take an extra week to get the contract right than discover six months in that an SLA isn't achievable. Most of the timeline above is in service of that.
Renewal and exit
- Renewal. Enterprise contracts auto-renew for the same term length unless either party gives 30 days' notice. Pricing is held flat for the term; renewal pricing is set 60 days before the renewal date.
- Exit. On termination, we provide a full export of your indexes (per-document JSON, or NDJSON) and a deletion certificate within 30 days of the last day of service. Backups carry a 30-day retention after deletion, after which we issue a final deletion certificate.