Security
Built like the firm
we'd want to use.
We treat your client information the way it should be treated — encrypted, isolated, audited. No anonymous access. No client-side database calls. Every endpoint authenticated, every charge signed, every action logged.
Encrypted in transit and at rest
TLS 1.2+ on every request. AES-256 at rest in Supabase. The same standards used by major financial institutions.
Firm-level data isolation
Row-level security enforces tenant isolation at the database. No firm can see another firm's data — not even in error.
Least-privilege role model
Every API endpoint verifies JWT and resource ownership before any DB operation. Service role keys live server-side only.
Append-only audit log
Every mutation endpoint records IP, user-agent, and timestamp. 90-day retention minimum. Per-invite audit trail for litigation continuity.
Card data never touches our servers
Stripe Elements + Checkout. We never store, see, or have access to your card number. PCI scope is reduced to a JavaScript inclusion.
No generative AI on client surfaces
No chatbot. No "ask a question" interface. Fixed, pre-authored content. Training scenarios are fictional. Nothing client-facing trains on your data.
Webhook signature verification
Every Stripe webhook is signature-verified server-side. Idempotency keys on every charge. No client can spoof a payment event.
Compliance posture
Independent compliance certifications are an active workstream. We are operating to SOC 2-aligned controls today; formal Type II audit is on track for 2026. For privilege and confidentiality, see the Privacy Policy.
Have questions?
We'll walk you through it.
If your firm has specific security or privilege requirements, we want to hear them before you sign anything.