Law firms deal with the most sensitive data on Earth — privileged communications, trade secrets, sealed matter information. Our security posture is designed for that reality, not retrofitted from a generic SaaS template.
From intake through destruction, your documents are handled according to strict protocols designed to protect privilege and confidentiality at every stage.
US-region storage by default. EU, Canadian, or APAC residency available on request for matters with specific data residency requirements.
At engagement close, your data is retained per the retention schedule specified in your engagement letter (default: 90 days for production data, 30 days for working data). After retention expires, data is cryptographically purged with destruction certification provided on request.
Your data is never used to train any AI model. The frontier models we use for coding operate on a zero-retention basis — documents are processed in context and not retained by the model provider for training or improvement purposes. Our agreements with model providers explicitly prohibit this.
Current Posture: SOC 2 Type II audit in progress. Type I attestation expected Q3 2026, Type II at the conclusion of the observation window.
GDPR-aware processing with EU data residency available. HIPAA-aligned controls for matters involving protected health information. Business Associate Agreement (BAA) available on request. Our handling of client data is designed to support attorney obligations under Model Rule 1.6 and state-specific equivalents.
Roadmap: SOC 2 Type II final attestation — target Q1 2027. ISO 27001 certification — target Q3 2027. FedRAMP Moderate — under evaluation for government matters.
Protection of information assets through access controls, encryption, and vulnerability management.
Commitment to system uptime with redundant infrastructure and incident response procedures.
Strict access controls and encryption ensure client data remains confidential throughout processing.
Quality assurance controls ensure accurate and complete processing of your discovery corpus.
Your documents are encrypted from the moment they leave your systems until they're safely returned — and at all points in between.
All stored data is encrypted using AES-256, the same standard used by governments and financial institutions for classified information.
256-bit AES-GCM
All data transmitted to and from our systems uses TLS 1.3 — the latest transport security standard with perfect forward secrecy.
TLS 1.3
Encryption keys are managed via cloud-native key management services with automatic rotation and audit trails.
Cloud-Native KMS
Upload files through our encrypted workspace portal using SFTP or our web-based uploader with automatic TLS encryption.
All metadata, coding decisions, and system data are stored in encrypted databases with column-level encryption for sensitive fields.
All company devices used for work are encrypted, monitored, and managed with mobile device management (MDM) solutions.
Access is granted on a need-to-know basis. Team members only see data necessary for their specific role and assigned matters.
All system access requires MFA. We support TOTP authenticator apps and hardware security keys (FIDO2/WebAuthn).
Enterprise SSO integration available via SAML 2.0 for law firms with existing identity providers.
Automatic session timeout, concurrent session limits, and secure session termination after inactivity.
Your team's access to matter data is controlled through multiple layers of authentication and authorization. We enforce the principle of least privilege across all systems.
Each matter operates in its own logically isolated workspace with dedicated encryption keys, namespace separation, and access controls. Your documents never commingle with other clients' data.
Each matter workspace operates within its own logical network segment with policy-enforced firewall rules. Cross-matter network traffic is denied by default.
Document storage uses matter-scoped namespaces with separate encryption keys per matter. Access policies prevent cross-matter reads.
AI processing jobs run in matter-scoped contexts with separated processing queues and per-matter resource quotas.
Metadata and coding decisions are stored with matter-scoped row-level access controls and per-matter encryption keys.
Your documents are never used to train models for other clients. Complete data separation guaranteed.
Completed matters can be archived and isolated from active operations while maintaining audit access.
Your team accesses only your matter workspace. No visibility into other matters or clients.
Every action in our systems is logged, monitored, and retained. You'll have full visibility into who accessed your data and when.
Every login, logout, and session activity tracked with IP and device information
Every document viewed, downloaded, or modified is logged with user attribution
All AI coding decisions and human overrides recorded with full provenance
Infrastructure changes, deployments, and configuration modifications tracked
Audit logs are retained for a minimum of one year, with security incident logs retained for seven years. All logs are stored in a separate, immutable audit system.
Continuous automated monitoring with real-time alerting to our on-call response team. Threat intelligence feeds and anomaly detection run around the clock.
Your data is retained only as long as necessary and securely destroyed when no longer needed — according to your preferences and legal requirements.
Matter + 30 days (default): Standard retention for most matters
Matter + 1 year: Extended retention option
Matter + 7 years: Standard legal hold period
Indefinite: Permanent archival (rare cases)
Upon retention period expiration or client request, data is securely destroyed using NIST 800-88 compliant media sanitization. Destruction certificates are provided upon request.
Our incident response program ensures rapid detection, containment, and notification in the event of a security incident.
Automated alerting and 24/7 monitoring detect incidents within minutes of occurrence.
Immediate isolation of affected systems to prevent spread. Matter workspaces remain protected.
Affected clients notified within 24 hours of detection. Detailed incident reports provided. Regulatory notification within 72 hours where applicable under GDPR or other frameworks.
System restoration, root cause analysis, and preventive measures implemented.
In the event of a data breach affecting your matter data, we will notify you promptly with details of the incident, data affected, and remediation steps taken.
Technology alone doesn't secure your data. Our team undergoes rigorous security training, and our vendor program ensures third-party relationships don't create vulnerabilities.
All team members complete annual security training covering phishing, social engineering, and data handling.
All personnel sign NDAs covering client matter confidentiality before accessing any client data.
Employment background checks conducted for all team members with access to client data.
For matters requiring attorney privilege determinations, we coordinate with licensed counsel — either our retained partners or attorneys designated by the engaging firm.
We vet all vendors and service providers to ensure they meet our security standards before integrating with our systems.
SOC 2 Type II: In Progress
ISO 27001: Framework Aligned
GDPR: Compliant
CCPA: Compliant
We're happy to discuss our security practices, provide documentation, or arrange a call with our security team. Your peace of mind is part of the service.
Mark your request "Urgent" and we'll prioritize your response within four business hours.