◆ SELF-ATTESTATION
What the platform attests to as of 2026-05-11. This is operator self-attestation, not a third-party audit. SOC 2 status is tracked separately at the top of this page. For a procurement-grade evidence pack (architecture diagrams, sub-processor list, DPA template), email rollingsentiment@gmail.com.
| CONTROL | STATE | EVIDENCE |
|---|---|---|
| TLS 1.3 in transit | ✓ LIVE | Fly.io edge terminates TLS 1.3; HSTS enabled. |
| AES-256-GCM at rest (Postgres + R2) | ✓ LIVE | Neon default storage encryption; Cloudflare R2 server-side encryption. |
| Per-firm tenancy filter (application-layer) | ✓ LIVE | Every Prisma query in the multi-tenant code path filters by firmId. Lint + code-review blocker on every PR. |
| Row-level security policies (Postgres-layer) | ✓ LIVE | Firm-isolation policies installed on every multi-tenant table (Firm, Membership, Document, Chunk, ChatSession, Message, AuditLog, county records). Runtime app role cannot bypass the row-level policy. |
| Audit logging on every state change | ✓ LIVE | createAuditEvent() called from every mutation route. AuditLog rows carry firmId, userId, IP, user-agent, target, action, createdAt. |
| Authenticated sessions via Clerk | ✓ LIVE | Every gated route protected by Clerk middleware + requireFirm() chain (no session → /sign-in, no org → /onboarding/firm, no firm → /no-org). |
| Webhook signature verification (Stripe + Clerk) | ◐ IN PROGRESS | Billing + identity webhooks verify signatures on every inbound event before any state change. Signing keys rotate per environment. |
| GDPR-compliant deletion on request | ✓ LIVE | rollingsentiment@gmail.com accepts deletion requests. Cascade-delete propagates across every firm-owned record (memberships, documents, audit log). |
| Model provider never disclosed in user-facing output | ✓ LIVE | Brand rule enforced via an automated leak-guard test on the prompt pipeline. Any draft, response, or error string referencing an underlying model provider name fails CI before merge. |
| SOC 2 Type I report | ◐ IN PROGRESS | Auditor engaged; gap assessment complete. Targeted Q3 2026. |
| SOC 2 Type II report | ○ ROADMAP | Follows Type I by ~6 months minimum operating-effectiveness window. |
| Single-tenant VPC / BAA tier | ✓ LIVE | Available on the Dedicated tier ($10K setup + per-seat). BAA executed before any PHI lands; vendor-DPA on request. |
Each control's state is updated on the same cadence as the platform itself ships. Report any discrepancy between this page and observed behavior to rollingsentiment@gmail.com; we treat unaligned posture as a P0.
◆ TENANT ISOLATION
Every record in the data layer carries a firmId column. Every query filters by that column at the application layer. Postgres row-level-security policies enforce the same boundary at the DB layer. The two checks are independent: one would have to fail at the same time as the other for a leak to occur, and a single missed filter at either layer is a code-review blocker on every PR.
- Per-firm pgvector index — even similarity search is WHERE firmId = $1. Your firm's embeddings never enter another tenant's nearest-neighbor query.
- Document blob storage — Cloudflare R2 with per-firm key prefix and IAM-style scoping. A path-traversal bug cannot reach another firm's prefix.
- Sessions stamped to org — every authenticated request is bound to a Clerk organization. Cross-org reads at the session level are rejected before the route handler even runs.
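The two-layer boundary described above, written out as Postgres DDL plus the per-request query pattern. This is an added example, not the platform's own schema or migrations: the table `document_chunk`, the column `firm_id` (the page's firmId), the role `app_runtime`, the session setting `app.firm_id` and the 1536-wide embedding are all assumptions made for illustration.

```sql
-- Added example, not the platform's own schema. Hypothetical names:
-- table document_chunk, column firm_id (the page's firmId), role app_runtime,
-- session setting app.firm_id, embedding width 1536.
CREATE EXTENSION IF NOT EXISTS vector;

-- Least-privilege runtime role. NOBYPASSRLS plus not owning the table is what
-- makes "runtime app role cannot bypass the row-level policy" hold. Superusers
-- always bypass RLS, so the application must never connect as one.
CREATE ROLE app_runtime NOLOGIN NOBYPASSRLS;

CREATE TABLE document_chunk (
    id          bigserial     PRIMARY KEY,
    firm_id     uuid          NOT NULL,
    document_id bigint        NOT NULL,
    content     text          NOT NULL,
    embedding   vector(1536)  NOT NULL
);

-- DB layer. ENABLE turns RLS on for non-owners; FORCE applies it to the
-- table owner as well, so a migration role running ad-hoc SQL is covered.
ALTER TABLE document_chunk ENABLE ROW LEVEL SECURITY;
ALTER TABLE document_chunk FORCE ROW LEVEL SECURITY;

-- The policy reads a transaction-local setting that the app populates from the
-- authenticated session. current_setting(..., true) yields NULL when the setting
-- is absent, so an unscoped connection sees zero rows, never every row.
-- WITH CHECK stops a write from stamping a row with another firm's id.
CREATE POLICY firm_isolation ON document_chunk
    USING      (firm_id = current_setting('app.firm_id', true)::uuid)
    WITH CHECK (firm_id = current_setting('app.firm_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON document_chunk TO app_runtime;
GRANT USAGE, SELECT ON SEQUENCE document_chunk_id_seq TO app_runtime;

-- ANN index for nearest-neighbor search on cosine distance.
CREATE INDEX document_chunk_embedding_idx
    ON document_chunk USING hnsw (embedding vector_cosine_ops);

-- Per-request pattern. $1 = firm id taken from the session, $2 = query
-- embedding. The WHERE clause is the application-layer check; the policy is
-- the independent DB-layer check. If a handler ever binds the wrong $1, the
-- policy still restricts rows to the firm bound in the session setting.
BEGIN;
SELECT set_config('app.firm_id', $1::text, true);
SELECT id, document_id, content
FROM   document_chunk
WHERE  firm_id = $1::uuid
ORDER  BY embedding <=> $2::vector
LIMIT  10;
COMMIT;

-- Posture checks an operator can run to back the self-attestation row above.
-- The DB-layer control holds only if both rowsecurity flags are true, the
-- policy exists, and the runtime role is neither superuser nor bypassrls.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM   pg_class WHERE relname = 'document_chunk';
SELECT polname FROM pg_policy WHERE polrelid = 'document_chunk'::regclass;
SELECT rolname, rolsuper, rolbypassrls
FROM   pg_roles WHERE rolname = 'app_runtime';
```

One caveat for the filtered similarity search: with an HNSW index, pgvector collects up to hnsw.ef_search candidates and applies the WHERE filter afterwards, so a small ef_search can return fewer than LIMIT rows for a firm with few chunks. Raising hnsw.ef_search, or enabling the iterative scan mode that pgvector 0.8 added, addresses the recall side without weakening the isolation: the filter and the policy still run on every row returned.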
◆ ENCRYPTION
- In transit: TLS 1.3 only. HSTS + preload eligible.
- At rest: AES-256-GCM via Postgres & Cloudflare R2 server-side encryption.
- Key management: rotated on industry cadence; per-tenant DEK on the dedicated VPC tier.
- Backups: encrypted with separate keys, retained 30 days (closed beta) → 90 days (GA).
◆ AUDIT LOG
Every mutation writes an immutable AuditLog row, scoped to the firm: who did it, when, from what IP and user-agent, and what resource it targeted. Admins see a chronological feed at /app/audit; export to CSV / JSON for malpractice insurer or bar-grievance discovery.
Actions audited:
- auth.signin · auth.signout
- firm.created · firm.member.invited · firm.member.joined · firm.member.role.changed · firm.member.removed
- firm.subscription.activated · firm.subscription.lapsed
- doc.upload · chat.send · export.pdf · filing.send
- paralegal.draft.submit · attorney.approval.sign
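An append-only audit table that matches the fields and the action vocabulary listed above, given as an added example rather than the platform's own schema. The names `audit_log`, `app_runtime` and the column spellings are assumptions; the action strings in the CHECK constraint are the ones this page lists. Immutability is enforced twice: the runtime role is never granted UPDATE or DELETE, and a trigger refuses those statements even for a role that has the grant.

```sql
-- Added example, not the platform's own schema. Hypothetical names:
-- table audit_log, role app_runtime. Action strings come from this page.
CREATE TABLE audit_log (
    id          bigserial    PRIMARY KEY,
    firm_id     uuid         NOT NULL,
    user_id     text         NOT NULL,
    ip          inet,
    user_agent  text,
    target      text         NOT NULL,
    action      text         NOT NULL,
    created_at  timestamptz  NOT NULL DEFAULT now(),
    -- Reject events the platform does not define, so a typo in a mutation
    -- route cannot quietly create an unaudited action name.
    CONSTRAINT audit_log_action_known CHECK (action IN (
        'auth.signin', 'auth.signout',
        'firm.created', 'firm.member.invited', 'firm.member.joined',
        'firm.member.role.changed', 'firm.member.removed',
        'firm.subscription.activated', 'firm.subscription.lapsed',
        'doc.upload', 'chat.send', 'export.pdf', 'filing.send',
        'paralegal.draft.submit', 'attorney.approval.sign'
    ))
);

-- Layer 1: the runtime role can append and read, nothing else.
GRANT SELECT, INSERT ON audit_log TO app_runtime;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO app_runtime;

-- Layer 2: a trigger that refuses UPDATE, DELETE and TRUNCATE regardless of
-- grants, so the table owner and migration roles are bound by it too.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % refused', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Index backing the chronological feed, scoped to one firm.
CREATE INDEX audit_log_firm_created_idx ON audit_log (firm_id, created_at DESC);

-- Feed query for the admin view; $1 = the caller's firm id from the session.
SELECT created_at, user_id, ip, user_agent, action, target
FROM   audit_log
WHERE  firm_id = $1::uuid
ORDER  BY created_at DESC, id DESC;

-- Server-side CSV export of one firm's log for a discovery request.
-- The uuid below is a constructed placeholder, not a real firm id.
COPY (
    SELECT created_at, user_id, ip, user_agent, action, target
    FROM   audit_log
    WHERE  firm_id = '00000000-0000-0000-0000-000000000001'::uuid
    ORDER  BY created_at, id
) TO STDOUT WITH (FORMAT csv, HEADER);
```

The CHECK constraint is what keeps the "actions audited" list on this page and the data in the table from drifting apart: adding an event type becomes a schema change that shows up in review. The same firm_isolation policy pattern used for document tables applies to audit_log as well, so that the feed at /app/audit cannot show another firm's rows even if a handler forgets the WHERE clause.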
◆ COMPLIANCE POSTURE
- Tex. Disciplinary Rule 1.05 — confidentiality of client information. The tenant boundary, audit log, and private-inference posture together meet the Rule 1.05(b)(3) prohibition on revealing privileged information.
- Tex. Disciplinary Rule 5.01 / 5.03 — supervision of subordinate lawyers and non-lawyer assistants. The Managing Partner Console + Paralegal Approval Queue are the supervisory record.
- SOC 2 Type II — in progress. Targeting the Type I report for Q3 and the Type II report for Q1 next year.
- HIPAA / BAA — available on the Dedicated Private Cloud tier. The multi-tenant tier is not HIPAA-eligible.
- Private inference. Your data is not used to train any third-party foundation model. The firm's corpus is sealed inside the firm's tenant; retrieval scores it, the inference layer reads it as context, and the result is logged. Nothing leaves.
◆ INCIDENT RESPONSE
Suspected breach or unusual activity → rollingsentiment@gmail.com. We commit to a 24-hour acknowledgment SLA in closed beta and a 4-hour SLA at GA. Bug bounty for security researchers acting in good faith; no legal action against researchers who follow responsible disclosure.