Security Overview
Last updated: 2026-07-12
This page describes controls that are actually implemented in the current version. It intentionally avoids claims we cannot substantiate.
Authentication & sessions
Authentication is handled by Supabase (a managed provider) with email verification and password reset. Sessions use HttpOnly, SameSite cookies and are validated server-side on every protected request. We do not build our own password storage or cryptography.
Tenant isolation
Every firm, matter, analysis, and audit record is scoped to a firm. Authorization is re-checked server-side on each request by re-fetching the user's firm membership; identifiers supplied by the browser are never trusted. Changing an id in the URL does not grant access to another firm's data.
Transport & headers
In production, traffic is served over HTTPS with HSTS. The app sends a Content-Security- Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and frame-ancestors protection to reduce common web risks.
AI request handling
All AI requests run server-side; the Gemini API key is never exposed to the browser. Pasted notes are processed transiently and are not persisted by default. Prompts and model responses are never written to logs.
Logging & audit
Application logs redact secrets and confidential content by field name. A separate audit log records actions and identifiers only, with one-way hashed IP addresses — never raw case content.
Rate limiting
Authentication and AI endpoints are rate limited to reduce abuse.
TODO SECURITY: In-memory rate limiting is single-instance only; move to a shared store (e.g. Redis) before horizontal scaling.
TODO SECURITY: Field-level encryption for any stored input, formal key management, penetration testing, and a monitored WAF are not yet in place. Do not process real client data until these are addressed.
What we do not claim
No SOC 2 or ISO 27001 certification, no HIPAA compliance, no guaranteed attorney-client privilege, no "zero data retention" or "military-grade" claims. See Subprocessors and Data Retention.