Built for attorney-client privilege from day one.
Database-level isolation for every firm. AES-256 encryption at rest and in transit. Your data never trains our models. Security isn't a feature we added — it's the foundation we built on.
AES-256 Encryption
Database Isolation
SOC 2 Type II (In Progress)
Multi-Factor Auth
Zero-Training Policy
Data Architecture
Every firm gets its own private database.
Not filtered rows in a shared table. Your own isolated database section — structurally inaccessible to every other firm on the platform.
Diagram: Your Private Database (Separate Database), each other firm's database (Separate Database), and legal_public: statutes, case law, federal rules, read-only and accessible to all firms.
Encryption
Protected at every layer.
Encryption at Rest
All data encrypted with AES-256-GCM at the database level. Every byte stored is ciphertext — unreadable without the proper keys.
Encryption in Transit
TLS 1.3 for all connections. HTTPS enforced across every endpoint. No plaintext data ever crosses the wire.
Key Management
Encryption keys managed by our cloud infrastructure with automatic rotation. No plaintext secrets in application code.
Access Controls
The right people see the right things.
Role-Based Access Control
Admin, Member, and Viewer roles with granular permissions per matter and per document. Every API route is role-gated.
Multi-Factor Authentication
Multi-factor authentication with time-based one-time passwords (TOTP). Adds a critical layer against credential theft.
Single Sign-On
Enterprise SSO support via SAML 2.0 for centralized identity management across large firms.
AI & Your Data
Your data never trains our models.
AI is accessed via Anthropic (Claude) and OpenAI's commercial APIs, whose terms do not use your inputs or outputs to train their models. Your queries and documents are never used to train or fine-tune any model.
- Your documents are never used to train or fine-tune any AI model
- AI queries are processed by Claude (Anthropic) through its commercial API, whose terms do not use your inputs or outputs for model training
- Embeddings are generated via OpenAI's API under the same no-training commercial terms
- All AI processing happens in the request path; no background data sharing
- You can delete all your data at any time: vectors, metadata, everything
Compliance & Infrastructure
Enterprise standards. Enterprise infrastructure.
Hosted on AWS cloud infrastructure, whose data centers hold their own SOC 2, ISO 27001, and FedRAMP attestations. These are AWS's certifications, not CaseRead's — see our own compliance status below.
SOC 2 Type II
Currently pursuing SOC 2 Type II certification. Our core infrastructure providers publish their own independent SOC 2 reports.
HIPAA-Ready
Database isolation, encryption at rest and in transit, role-based access controls, and audit logging — designed to support HIPAA compliance requirements.
ABA Ethics Compliance
Built around ABA Model Rule 1.6 (Confidentiality of Information). Our database isolation is designed to support the ABA's 'reasonable measures' standard.
Data Residency
All data stored in US-based AWS data centers. No cross-border data transfers without explicit consent.
Sub-Processors
The providers that help us run CaseRead.
The sub-processors below help deliver the Services, each under its own terms. What a provider receives depends on the features your firm uses. AI providers are accessed through their commercial APIs, whose terms do not use your data for model training. The full list, including data shared and region, is in our Privacy Policy.
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database, authentication & file storage | All application and Customer Data at rest |
| Vercel | Application hosting & content delivery | Request traffic; no Customer Data stored at rest |
| Anthropic (Claude) | AI inference for research, drafting & summarization | Query text + included document/matter text (not used for training) |
| OpenAI | Vector embeddings for semantic search | Document and query text to embed (not used for training) |
| Stripe | Subscription billing & payment processing | Billing name, email & payment details |
| Resend | Transactional email delivery | Recipient email address & message contents |
| Google | Drive & Calendar integration (only if you connect Google) | Google file & calendar content you select |
| Microsoft | OneDrive & Outlook integration (only if you connect Microsoft) | OneDrive file & calendar content you select |
| Legal-research sources (CourtListener, OpenLaws, Brave Search) | Public-law lookups & citation verification | Search text derived from your query |
| Sentry | Application error monitoring | Diagnostic error data; tokens and personal data scrubbed before send |
Security questions? Let's talk.
Our team is happy to walk through our security architecture in detail.