Security & Trust

Last updated: April 5, 2026

We take the security of your legal billing data seriously. CounselAudit.ai processes attorney-client privileged information, so we've built our platform with multi-tenant isolation, encryption at rest and in transit, role-based access control, and comprehensive audit logging from day one. This page summarizes our security approach, sub-processor certifications, compliance commitments, and how to request documentation for your vendor review.

1. Our Security Approach

Encryption at Rest

AES-256 encryption for all data stored in Supabase (Postgres) and Supabase Storage (invoice PDFs, deliverables).

Encryption in Transit

TLS 1.3 for all client-to-server and server-to-service connections, including calls to Anthropic, Stripe, Clerk, and Resend.

Multi-Tenant Isolation

Every table enforces organization_id with Postgres Row-Level Security (RLS) policies. Cross-tenant data access is structurally impossible.

Audit Logging

All data access, modifications, invoice flags, approvals, and admin actions are recorded in an immutable audit log scoped per organization.
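As an added illustration of the two controls described above (organization-scoped Row-Level Security and an append-only audit log), the following Postgres DDL is example code written for this page; it is not CounselAudit.ai's schema. It assumes the application stores the authenticated caller's organization id in a session variable named app.organization_id (the real platform may read it from a JWT claim instead), and every table, column and function name other than organization_id is hypothetical.

```sql
-- Added example, not the platform's own schema. Assumption: after authentication the
-- application runs SET app.organization_id = '<tenant uuid>' on the connection.

-- A minimal tenant-scoped table (hypothetical columns).
create table invoices (
  id              bigserial primary key,
  organization_id uuid not null,
  vendor_name     text not null,
  amount_cents    bigint not null check (amount_cents >= 0),
  created_at      timestamptz not null default now()
);

-- Reads the caller's tenant id; returns NULL when unset, so an unauthenticated session
-- matches no rows rather than failing open. (Hypothetical helper.)
create function current_org_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.organization_id', true), '')::uuid
$$;

alter table invoices enable row level security;
-- FORCE applies the policy to the table owner as well; without it a service role that
-- owns the table bypasses RLS entirely.
alter table invoices force row level security;

-- USING filters what a caller can see/modify; WITH CHECK stops a caller from inserting
-- or updating a row into another organization.
create policy invoices_tenant_isolation on invoices
  for all
  using (organization_id = current_org_id())
  with check (organization_id = current_org_id());

-- Append-only audit log: application roles may insert and read, never update or delete.
create table audit_log (
  id              bigserial primary key,
  organization_id uuid not null,
  actor           text not null,
  action          text not null,          -- e.g. 'invoice.flag', 'invoice.approve'
  target          text,
  recorded_at     timestamptz not null default now()
);
alter table audit_log enable row level security;
alter table audit_log force row level security;
create policy audit_log_tenant_read on audit_log
  for select using (organization_id = current_org_id());
create policy audit_log_tenant_insert on audit_log
  for insert with check (organization_id = current_org_id());
-- No UPDATE or DELETE policy exists, so with RLS on those statements affect zero rows.

-- Second layer: a trigger refuses rewrites even for a role with BYPASSRLS, so a later
-- policy change cannot silently alter history.
create function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end $$;
create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Verification from a non-owner application role (constructed tenant ids):
-- set app.organization_id = '11111111-1111-1111-1111-111111111111';
-- insert into invoices (organization_id, vendor_name, amount_cents)
--   values ('22222222-2222-2222-2222-222222222222', 'Other Firm LLP', 100);
-- -> ERROR: new row violates row-level security policy for table "invoices"
-- select count(*) from invoices;   -- counts only rows belonging to tenant 1111...
-- delete from audit_log;           -- DELETE 0 (no policy grants it)
```

Two checks are worth running in any review of an RLS-based isolation claim: confirm that every tenant table has both ENABLE and FORCE set (pg_class.relrowsecurity and relforcerowsecurity), and confirm that the database role the application connects with is not the table owner and does not carry BYPASSRLS, since either one makes the policies irrelevant.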

MFA Support

Multi-factor authentication is supported for all user roles (CLO, Legal Ops, Finance, Paralegal) via Clerk's authentication platform.

Configurable Retention

Three configurable retention modes per organization: retain indefinitely, wipe source documents after review, or wipe source documents and keep structured data only.

2. Document Retention Controls

Your Choice, Your Timeline

Wipe documents after review or retain them indefinitely. Set retention policies per invoice, per matter, or organization-wide. You decide when data disappears.

Keep Intelligence, Delete Originals

Preserve structured data (amounts, flags, metadata) for analytics while permanently deleting original PDF invoices.

Bulk Purge Operations

Delete all documents older than any date you specify. Maintain clean compliance with your document retention policies.

Transparent Audit Trail

Visual indicators show retention status on every invoice. Every deletion event is logged. Full visibility into what data has been removed and when.

3. Sub-Processor Certifications

We rely on the following sub-processors to deliver the Service. Each has been selected for its security certifications and data processing commitments. Full details are in our DPA.

Sub-processors and their certifications (each entry links to the provider's trust page):

  • Supabase: SOC 2 Type 2, HIPAA eligible
  • Vercel: SOC 2 Type 2, ISO 27001, PCI DSS
  • Clerk: SOC 2 Type 2, CCPA, GDPR
  • Anthropic: SOC 2 Type 2, ISO 27001
  • Resend: SOC 2 Type 2
  • Stripe: SOC 2 Type 2, PCI DSS Level 1, ISO 27001

4. Compliance Commitments

CounselAudit.ai is designed to support the compliance obligations of in-house legal teams and the law firms they work with:

  • GDPR — Standard Contractual Clauses for EEA/UK transfers; data subject rights support; 72-hour breach notification
  • PIPEDA — Canadian privacy law compliance; processing consent; data subject access requests
  • CAN-SPAM — Unsubscribe honored within 10 days; physical address on all commercial email; accurate subject lines and sender identification
  • Attorney-Client Privilege — We treat all legal billing content as privileged; access restricted to the client organization; no secondary use
  • ABA Model Rule 1.6 Alignment — Our controls are designed to support law firms and in-house teams meeting their confidentiality obligations
  • State Bar Cloud Ethics Compliance — Leading state bar associations (ABA Opinion 477R, NY Opinion 842, CA Opinion 2010-179) permit cloud-hosted legal data when the vendor demonstrates reasonable security controls. Our encryption, multi-tenant isolation, audit logging, and SOC 2-certified sub-processors are designed to satisfy these requirements.

5. AI Data Handling

  • Encrypted in transit. Invoice content sent to Anthropic is transmitted over TLS 1.3.
  • Not used for training. Anthropic does not use customer API inputs or outputs to train its models.
  • 30-day maximum retention. Anthropic may retain API inputs/outputs for up to 30 days for Trust & Safety and abuse monitoring, after which they are deleted.
  • Zero Data Retention available. Enterprise customers with heightened confidentiality requirements can request ZDR through privacy@counselaudit.ai.

6. Compliance Roadmap

Available

DPA & Published Terms

Our Terms of Service and Data Processing Agreement are published upfront — no NDA required to read them, no sales process to access them. We made them client-friendly because we know our buyers are lawyers.

In Progress

SOC 2 Type 1

Audit preparation is underway; the Type 2 audit window opens in H2 2026. Scope: the Security and Availability trust services criteria.

Enterprise

Data Residency Options

US, EU, and Canada region options for Enterprise customers. Keep your data where your compliance obligations require it.

7. Request Documentation

We provide the following documentation to prospective and existing customers under NDA as part of their vendor review process:

  • Security questionnaire responses (SIG Lite, CAIQ, custom)
  • Penetration test summary letter (available Q4 2026)
  • SOC 2 Type 1 roadmap (in progress; Type 2 audit window opens H2 2026)
  • Signed Data Processing Agreement
  • Custom policy documents (Information Security, Incident Response, Access Control, Data Retention, Vendor Management, Business Continuity)

To request any of the above, email security@counselaudit.ai with your company name, role, and the documents needed. We respond within two business days.