Civil-firm content is regulated, traceable, and tied to identifiable attorneys. Our security posture matches: SOC 2 Type II, encryption everywhere, US-only data residency, and a sub-processor list we publish in full.

Every control below is independently audited annually as part of our SOC 2 Type II report. Multi-state customers receive a custom DPA and per-state compliance attestation on contract.

Encryption everywhere
AES-256 at rest in S3 + RDS. TLS 1.3 in transit. Document keys are envelope-encrypted with KMS; rotation on a 90-day cadence.
SOC 2 · CC6.1
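The envelope-encryption scheme the card above describes, as an added example in Go that is not the vendor's code: a fresh per-document data key (DEK) seals the document body, a key-encryption key (KEK) standing in for the KMS key wraps the DEK, and a rotation re-wraps the DEK under the new key version without ever re-encrypting the body. The in-process kms type, the numbered key versions, the document ID doc-42 and its contents are all assumptions of this example; a real deployment would call the KMS wrap/unwrap API rather than hold KEK bytes in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EnvelopedDoc is the stored form: body under a per-document DEK, that DEK wrapped by a versioned KEK.
type EnvelopedDoc struct {
	DocID      string
	Ciphertext []byte
	WrappedDEK []byte
	KEKVersion int // 1-based; version v is kms.keks[v-1]
}

// kms stands in for a key management service (an assumption of this example); old KEK versions are kept.
type kms struct{ keks [][]byte }

// rotate installs a fresh 256-bit KEK; the newest version is the current one.
func (k *kms) rotate() { k.keks = append(k.keks, randBytes(32)) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// gcm builds AES-256-GCM. Every key here is 32 bytes, so a size error is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// sealGCM prefixes a random 96-bit nonce; aad binds each ciphertext to its document ID.
func sealGCM(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func openGCM(key, ct, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// wrapDEK seals dek under the current KEK and records which version did it.
func (k *kms) wrapDEK(d *EnvelopedDoc, dek []byte) error {
	if len(k.keks) == 0 {
		return fmt.Errorf("kms has no KEK; call rotate first")
	}
	d.WrappedDEK, d.KEKVersion = sealGCM(k.keks[len(k.keks)-1], dek, []byte(d.DocID)), len(k.keks)
	return nil
}
func (k *kms) unwrapDEK(d *EnvelopedDoc) ([]byte, error) {
	if d.KEKVersion < 1 || d.KEKVersion > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", d.KEKVersion)
	}
	return openGCM(k.keks[d.KEKVersion-1], d.WrappedDEK, []byte(d.DocID))
}

// Encrypt: fresh DEK per document, body under the DEK, DEK under the current KEK.
func Encrypt(k *kms, docID string, plaintext []byte) (*EnvelopedDoc, error) {
	dek := randBytes(32)
	d := &EnvelopedDoc{DocID: docID, Ciphertext: sealGCM(dek, plaintext, []byte(docID))}
	return d, k.wrapDEK(d, dek)
}
func Decrypt(k *kms, d *EnvelopedDoc) ([]byte, error) {
	dek, err := k.unwrapDEK(d)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, d.Ciphertext, []byte(d.DocID))
}

// Rewrap moves a document onto the current KEK without touching the body:
// after a KEK rotation this is the only per-object work required.
func Rewrap(k *kms, d *EnvelopedDoc) error {
	dek, err := k.unwrapDEK(d)
	if err != nil {
		return err
	}
	return k.wrapDEK(d, dek)
}
func main() {
	k := &kms{}
	k.rotate()
	doc, _ := Encrypt(k, "doc-42", []byte("constructed sample draft")) // constructed input
	k.rotate()
	err := Rewrap(k, doc)
	fmt.Println(err, doc.KEKVersion) // <nil> 2
}
```

Two properties are worth checking in any system that makes this claim: after a rotation the stored document ciphertext must be byte-identical (only the wrapped key changes), and every earlier key version must remain able to unwrap the keys it produced until the last document has been re-wrapped, or documents go unreadable in the window between rotation and re-wrap. Binding the document ID into the GCM associated data is what stops a wrapped key or body lifted from one object being replayed against another.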
Primary in us-east-1, encrypted offsite backup in us-west-2. No data leaves US borders, including support tooling. EU/UK customers receive SCCs; we don't transfer your data outside the US.
Data residency

SSO via SAML 2.0 / OIDC on Network and Multi-state. Hardware-key MFA mandated on every employee account. Least-privilege IAM with quarterly review.
SOC 2 · CC6.6

Every byline edit, attribution touch, and admin action is logged with actor, IP, and timestamp. 13-month retention. Multi-state plans get hourly export to your SIEM.
SOC 2 · CC7.2

Point-in-time database recovery to any second within 35 days. Object store with versioning + 90-day undelete. RPO ≤ 5 min, RTO ≤ 30 min, tested quarterly.
RPO 5m · RTO 30m

Independent third-party penetration test against the production stack every quarter. Findings remediated under SLA. Latest summary letter available on request under NDA.
Q1 2026 · clean

Every vendor that touches your data appears here. We notify all customers 30 days before adding or replacing any sub-processor.
| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Amazon Web Services | Infrastructure (compute, storage, DB) | All customer content + telemetry | US |
| Stripe | Subscription billing | Billing contact + payment metadata | US |
| SendGrid | Transactional email | Email + content of system emails | US |
| Sentry | Application error monitoring | Error context + truncated stack traces | US |
| Plausible Analytics | Marketing-site analytics (no cookies) | Aggregated page views — no PII | EU |
| OpenAI / Anthropic | Authoring assist (gated content only) | Article drafts only · zero PII (opt-out available) | US |
| Cloudflare | CDN, WAF, DNS | Request metadata · no body retention | Global edge |
Available under NDA on Practice and above, automatic on Multi-state. Most security reviews close inside 5 business days.