Skip to main content

Enterprise-Grade Security for Intellectual Property

Your patent data never leaves our secure infrastructure. Zero external AI training. End-to-end encryption. Controls aligned with SOC 2 Trust Services Criteria.

AES-256 Encryption
AWS US Infrastructure
SOC 2 Aligned
Zero AI Training

Frameworks We Align With

Built to Meet the Highest Standards

Our controls are designed and operated to meet the substantive requirements of these frameworks. Formal third-party certifications are on our roadmap as we scale.

SOC 2

Controls aligned

GDPR

Data protection practices

HIPAA

BAA-ready architecture

ISO 27001

Controls mapped

NIST CSF

Framework aligned

CCPA

Privacy rights honored

PCI DSS

Payments via Stripe (PCI-DSS Level 1)

FedRAMP

GovCloud-compatible

How We Protect Your Data

Security Architecture

SOC 2 Trust Services Alignment

Our infrastructure and operations are designed and operated against the AICPA SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). A formal Type II attestation is on our roadmap as we scale. In the meantime, every access, change, and data flow is logged and verifiable, and we're happy to walk enterprise customers through our control environment under NDA.

  • Controls mapped to SOC 2 Trust Services Criteria
  • Role-based access control enforced at the application layer
  • Full audit trail in CloudWatch Logs for every data access and change
  • Incident response plan documented and tested regularly

End-to-End Encryption

Data is encrypted at every stage: TLS 1.3 in transit, AES-256 at rest, and AWS KMS field-level encryption at the application layer for sensitive patent data.

  • TLS 1.3 for all data in transit, no exceptions
  • AES-256 encryption at rest across all storage layers
  • AWS KMS-managed keys with automatic rotation
  • Application-layer encryption for sensitive fields (client names, patent details)

Zero AI Training Guarantee

Your patent data is never used to train AI models. Not ours, and not anyone else's. We run our own AI infrastructure on AWS Bedrock with strict data isolation.

  • No data shared with external AI providers for training
  • Private AWS Bedrock deployment; models run inside our VPC
  • Data processed in-memory only, never persisted in AI systems
  • Contractual guarantee: your data stays yours

Data Residency & Sovereignty

All data is stored and processed exclusively in the United States on AWS infrastructure. We do not replicate data outside US boundaries.

  • US-East-1 (Virginia) primary region
  • No cross-border data transfers
  • AWS GovCloud compatible architecture
  • Data deletion within 30 days of account closure

Infrastructure & Redundancy

Built on AWS with multi-AZ deployment, automated backups, and zero-downtime deployments. Designed for 99.9% uptime with disaster recovery.

  • Multi-AZ deployment across AWS availability zones
  • Automated daily backups with point-in-time recovery
  • DDoS protection via AWS Shield and CloudFront
  • Real-time monitoring with automated alerting

What Sets Us Apart

Two architectural commitments

Most legal-tech AI is built on shared third-party LLM APIs with policies you opt into. Ours is built so your data has nowhere to go in the first place.

Your data isn't training anyone's model

Most legal-tech AI runs on shared LLM APIs where "don't train on my data" is a setting you opt into. Ours is a contractual guarantee that defines the architecture: your patent applications, client data, and prosecution history are processed in-memory and never persisted into any training pipeline. Not ours, and not anyone else's.

  • Contractual, not a policy toggle
  • Enforced by the architecture: no data path to training pipelines
  • Independent of any third-party model vendor's terms

Our AI runs inside our VPC. Not someone else's API.

Most "AI for legal" wraps third-party LLM APIs; your data flows through someone else's infrastructure to give you an answer. Ours runs on AWS Bedrock inside our own private VPC. Your data stays inside our security boundary the entire round-trip, with no third-party AI provider in the data path.

  • Private AWS Bedrock deployment in our VPC
  • US-East-1 only. No cross-region or cross-VPC egress
  • Domain-specific models trained on patent data, not general LLMs

Everything else (TLS 1.3 in transit, AES-256 at rest, AWS KMS field-level encryption, multi-AZ redundancy, RBAC, full audit logging, US-only data residency, and SOC 2 Trust Services Criteria alignment) is table stakes we meet. These two are where we made architectural decisions most of the market didn't.

Common Questions

Security FAQ

We implement defense-in-depth security: TLS 1.3 for all data in transit, AES-256 encryption at rest, AWS KMS field-level encryption for sensitive patent data, role-based access control, and comprehensive audit logging via CloudWatch. Our infrastructure runs on AWS with multi-AZ deployment and DDoS protection.

No. We run private AI infrastructure on AWS Bedrock inside our own VPC. Your data is processed in-memory for analysis and is never stored in or shared with any AI training pipeline, ours or a third party's. That's a contractual guarantee, not just a policy.

Upon account closure, all your data is permanently deleted from our systems within 30 days. This includes documents, analysis results, and all associated metadata. We provide a data export option before deletion and can issue a certificate of destruction upon request.

All data is stored and processed exclusively in AWS US-East-1 (Northern Virginia). We do not replicate customer data outside the United States. Our architecture is AWS GovCloud compatible for organizations with stricter requirements.

Yes. All accounts support MFA through our identity provider (Clerk). We support TOTP authenticator apps and SMS verification. Enterprise plans can enforce MFA for all organization members through admin policies.

We implement project-level role-based access control (RBAC). Team members are assigned to projects with specific permissions. All access decisions are logged and auditable. Client portal users have restricted views limited to shared content only.

Not yet. Our controls are designed and operated to meet the SOC 2 Trust Services Criteria, but we haven't completed a formal Type II attestation. That engagement is on our roadmap as we scale. In the meantime, we're happy to share our security documentation, control inventory, and architecture details with enterprise customers under NDA so your security team can run its own review.

We maintain a documented incident response plan that is tested quarterly. In the event of a security incident, affected customers are notified within 72 hours per our contractual obligations. We conduct root cause analysis and publish post-incident reports.

Need a more detailed security review? We're happy to walk your team through our architecture.

Schedule a call with our security team
GetinTouch

Interested in our product or investing? We're here to help.

Send us a message

Get Started

The platform is available now. Pick a plan and start working.

Sign up now

Schedule a Demo

See our platform in action with a personalized walkthrough.

Book a demo

Security & Compliance

See how we secure and protect your data.

View security

Email Us

Prefer traditional email? Reach out directly to our team.

Message our team