Security, in specifics
Not slogans. Here is how your firm's data is isolated, controlled, and accounted for.
Every organization gets its own PostgreSQL schema — structural separation, not row filtering. Cross-tenant access is ruled out by design.
Template roles plus granular per-user grants and denies, scoped down to client, project, or legal description. Containment prevents granting more access than you hold.
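The containment rule above (a user can only delegate access they themselves hold, and denies cut through) is simple enough to show in code. The following is an added example written for this page, not the platform's own code; it assumes a grant model of (permission, scope) pairs, a constructed scope hierarchy of client > project > legal description, and constructed identifiers.

```python
"""Added example: delegated grants checked for containment.

Assumed model (not taken from the platform): a grant is a (permission, scope)
pair; scopes nest client > project > legal_description; a user may delegate a
grant only if it sits inside a grant they hold, and an explicit deny on the
delegator at or above the requested scope blocks the delegation.
"""
from dataclasses import dataclass

# Constructed scope hierarchy, child -> parent. Identifiers are placeholders.
SCOPE_PARENT = {
    ("project", "proj-7"): ("client", "client-A"),
    ("project", "proj-9"): ("client", "client-A"),
    ("legal_description", "lot-12"): ("project", "proj-7"),
    ("legal_description", "lot-13"): ("project", "proj-9"),
}


@dataclass(frozen=True)
class Grant:
    permission: str   # e.g. "documents:read"
    scope: tuple      # (scope_kind, scope_id)


def scope_within(inner: tuple, outer: tuple) -> bool:
    """True if `inner` is `outer` itself or nested anywhere beneath it."""
    cur = inner
    while cur is not None:
        if cur == outer:
            return True
        cur = SCOPE_PARENT.get(cur)
    return False


def contained(requested: Grant, held: set, denied: set) -> bool:
    """Containment: requested must fall inside a held grant and not under a deny."""
    for d in denied:
        if d.permission == requested.permission and scope_within(requested.scope, d.scope):
            return False
    return any(
        h.permission == requested.permission and scope_within(requested.scope, h.scope)
        for h in held
    )


def delegate(delegator_held: set, delegator_denied: set, requested: Grant) -> bool:
    """Allow the delegation or refuse it; the delegator can never hand out more than they hold."""
    if not contained(requested, delegator_held, delegator_denied):
        raise PermissionError(f"cannot grant {requested}: exceeds delegator's own access")
    return True


if __name__ == "__main__":
    held = {Grant("documents:read", ("client", "client-A"))}
    denied = {Grant("documents:read", ("project", "proj-9"))}
    print(delegate(held, denied, Grant("documents:read", ("legal_description", "lot-12"))))
```

The check walks the scope chain upward rather than comparing strings, so a grant on a client covers every project and legal description beneath it, while a deny placed on one project removes that subtree from what the delegator can pass on.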
An append-only activity event store with user attribution — including every AI action — and an admin dashboard with per-user drill-down.
Encrypted in transit and at rest. Session cookies are encrypted and HTTP-only; file URLs are signed and expiring.
Rate-limited login, registration, and reset flows; OAuth strategies; HMAC-verified webhooks; CSP; forced HTTPS with HSTS in production.
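Two of the items above, signed expiring file URLs and HMAC-verified webhooks, rest on the same primitive: a keyed MAC over the data plus an expiry or timestamp, compared in constant time. The block below is an added example for this page, not the platform's code; the secret, header names (X-Timestamp, X-Signature), query parameters (`expires`, `sig`) and the five-minute webhook tolerance are all assumptions made for the illustration.

```python
"""Added example: HMAC-signed expiring file URLs and HMAC-verified webhooks.

Everything here is constructed for illustration: the shared secret, the
header/parameter names and the timestamp tolerance. The receiver checks the
expiry first and always compares with hmac.compare_digest.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret-do-not-reuse"  # placeholder, not a real key


def _mac(secret: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over length-prefixed parts so fields cannot slide into one another."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.hexdigest()


# ---- signed, expiring file URLs ------------------------------------------

def sign_file_url(path: str, ttl_seconds: int, now: int, secret: bytes = SECRET) -> str:
    """Return path?expires=<unix>&sig=<hmac>; the MAC binds both the path and the expiry."""
    expires = now + ttl_seconds
    sig = _mac(secret, path.encode(), str(expires).encode())
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_file_url(url: str, now: int, secret: bytes = SECRET) -> bool:
    """True only if the link is unexpired and the MAC matches path + expiry."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False
    if now >= expires:
        return False
    expected = _mac(secret, parts.path.encode(), str(expires).encode())
    return hmac.compare_digest(expected, sig)


# ---- HMAC-verified webhooks ----------------------------------------------

def sign_webhook(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender side: MAC over the timestamp and the raw request body."""
    return _mac(secret, str(timestamp).encode(), body)


def verify_webhook(body: bytes, timestamp_header: str, signature_header: str,
                   now: int, tolerance: int = 300, secret: bytes = SECRET) -> bool:
    """Receiver side: reject stale or malformed timestamps, then compare MACs
    in constant time. Verify the raw bytes before any JSON parsing."""
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = sign_webhook(body, ts, secret)
    return hmac.compare_digest(expected, signature_header or "")


if __name__ == "__main__":
    url = sign_file_url("/files/deed-42.pdf", ttl_seconds=600, now=1_000_000)
    print(url, verify_file_url(url, now=1_000_100))
    body = b'{"event":"document.uploaded"}'
    sig = sign_webhook(body, 1_000_000)
    print(verify_webhook(body, "1000000", sig, now=1_000_010))
```

Length-prefixing the MAC input is the detail worth copying: without it, a path and expiry that share a boundary could produce the same MAC as a different pair. The webhook check bounds replay by timestamp; pairing it with a record of already-seen event ids in the activity store would close the remaining window.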
New users start with the minimum. AI agents are actors under the same policy system as humans — no AI-only fast path, ever.
Your brand, your domain. Run the platform under your own logo, theme, and hostname, with branded transactional email — so clients and counsel see your firm, not ours.
We are not yet SOC 2 certified — an audit is on the roadmap, and we'd rather tell you that plainly than imply otherwise. Ask us anything about the architecture in the meantime; we answer in specifics.