Infrastructure

Security Overview

LexGuard AI is built with an uncompromising focus on the security of your legal assets. We employ multiple layers of technical safeguards to keep your documents private and protected.

Ephemeral Data Shredding

Documents uploaded for audit are stored in a session-scoped vector index (ChromaDB). Once the audit completes or the session terminates, the index is programmatically shredded. We maintain a zero-retention policy for raw document content.

Encryption in Transit

All data transmitted between your browser and our backend infrastructure is protected by industry-standard TLS 1.3 encryption. Data is never sent over unencrypted channels. HSTS headers enforce HTTPS for all connections.

Security Headers

Every API response includes hardened security headers: X-Content-Type-Options, X-Frame-Options: DENY, X-XSS-Protection, Content-Security-Policy, and Referrer-Policy.

Rate Limiting & Anti-Abuse

Our FastAPI backend uses SlowAPI for granular, per-IP rate limiting. Suspicious request patterns (e.g., probing for .env, .git, wp-admin) are detected, logged, and flagged automatically.
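To make the two controls in this paragraph concrete, here is an added example (not LexGuard AI's code, and not SlowAPI itself) that implements a per-IP sliding-window limiter and a probe-path detector in plain Python, then runs them over a constructed batch of requests. The limit of 5 requests per 60 seconds, the probe patterns and the sample IPs are illustrative assumptions.

```python
"""Per-IP rate limiting and probe detection over request records.

Added example, not LexGuard AI's code. The page says the real backend uses
SlowAPI on FastAPI; this stdlib version shows the same two controls so they
can be exercised offline. Limits, patterns and sample traffic are assumptions.
"""
import re
from collections import defaultdict, deque

# Paths a legitimate user of a document-audit API never requests (assumed list).
PROBE_PATTERNS = [
    re.compile(r"/\.env\b"),
    re.compile(r"/\.git(/|$)"),
    re.compile(r"/wp-(admin|login)"),
    re.compile(r"/phpmyadmin", re.IGNORECASE),
]


def is_probe(path):
    """True if the request path matches a known scanner/probe pattern."""
    return any(p.search(path) for p in PROBE_PATTERNS)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # ip -> timestamps of requests that were allowed

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process(requests, limit=5, window=60.0):
    """Classify each (ts, ip, path) as 'ok', 'rate_limited' or 'probe'.

    Probes count against the limit *and* are flagged, so a scanner trips the
    limit quickly while the flag gives the SOC a clean signal to alert on.
    Returns (decisions, flagged_ips).
    """
    limiter = SlidingWindowLimiter(limit, window)
    decisions, flagged = [], set()
    for ts, ip, path in requests:
        allowed = limiter.allow(ip, ts)
        if is_probe(path):
            flagged.add(ip)
            verdict = "probe"
        elif not allowed:
            verdict = "rate_limited"
        else:
            verdict = "ok"
        decisions.append((ts, ip, path, verdict))
    return decisions, flagged


# Constructed sample traffic: one normal client, one scanner (documentation IPs).
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.7", "/api/audit"),
    (1.0, "203.0.113.7", "/api/audit"),
    (2.0, "198.51.100.9", "/.env"),
    (2.5, "198.51.100.9", "/.git/config"),
    (3.0, "198.51.100.9", "/wp-admin/"),
    (4.0, "203.0.113.7", "/api/audit"),
    (5.0, "203.0.113.7", "/api/audit"),
    (6.0, "203.0.113.7", "/api/audit"),
    (7.0, "203.0.113.7", "/api/audit"),   # 6th request within 60 s -> rate_limited
    (70.0, "203.0.113.7", "/api/audit"),  # window has slid past the early hits -> ok
]


def summarize(requests=SAMPLE_REQUESTS, **limiter_kwargs):
    """Return ({verdict: count}, sorted flagged IPs) for a batch of requests."""
    decisions, flagged = process(requests, **limiter_kwargs)
    counts = defaultdict(int)
    for *_, verdict in decisions:
        counts[verdict] += 1
    return dict(counts), sorted(flagged)


if __name__ == "__main__":
    for row in process(SAMPLE_REQUESTS)[0]:
        print(row)
```

Two design points worth noting: denied requests are not appended to the window, so a client hammering the API does not extend its own lockout indefinitely, and probe detection is evaluated independently of the limiter, so a single `.env` request from an otherwise quiet IP is still flagged.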

No Model Persistence

We leverage Google Gemini 2.0 Flash and Groq Llama 3 70B for inference. Data is processed in-memory and is not saved to disk or retained by inference providers. Your legal data never leaks into model weights or training pipelines.

Authentication & Access Control

User authentication is managed via Supabase with JWT-based session validation. Sensitive operations use the service role key server-side. License keys are stored as SHA-256 hashes — raw keys are never persisted after validation.
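The license-key claim above (hash at rest, raw key never persisted) is simple to get subtly wrong, so here is an added example of the pattern in plain Python. It is not LexGuard AI's code: the in-memory store, the `LG-` key prefix and the record shape are assumptions standing in for a database table. The caveat a reviewer would raise: an unsalted SHA-256 is only adequate because the keys are generated as high-entropy random tokens; low-entropy secrets such as user passwords need a slow, salted KDF instead, and this example does not cover those.

```python
"""Store license keys as SHA-256 digests; validate without retaining the raw key.

Added example, not LexGuard AI's code. The store is an in-memory dict
(assumption); production would use a database column holding the hex digest.
Keys are high-entropy random tokens, which is what makes plain SHA-256 adequate.
"""
import hashlib
import hmac
import secrets


def fingerprint(raw_key: str) -> str:
    """Deterministic SHA-256 hex digest used as the storage key and lookup key."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class LicenseStore:
    def __init__(self):
        self._by_hash = {}  # sha256 hex -> record; the raw key is never stored

    def issue(self, org: str) -> str:
        """Generate a key, persist only its digest, return the raw key exactly once."""
        raw = "LG-" + secrets.token_urlsafe(24)  # 192 bits of entropy (assumed format)
        self._by_hash[fingerprint(raw)] = {"org": org, "active": True}
        return raw

    def validate(self, presented: str):
        """Return the record for a valid, active key, else None."""
        candidate = fingerprint(presented)
        record = self._by_hash.get(candidate)
        if record is None or not record["active"]:
            return None
        # Re-check the digest in constant time before trusting the lookup result;
        # hmac.compare_digest avoids a length/prefix timing difference.
        for stored_hash in (candidate,):
            if not hmac.compare_digest(stored_hash, candidate):
                return None
        return record

    def revoke(self, presented: str) -> bool:
        """Deactivate a key; returns False if it was unknown."""
        record = self._by_hash.get(fingerprint(presented))
        if record is None:
            return False
        record["active"] = False
        return True

    def persists_raw(self, raw: str) -> bool:
        """Audit helper: does the raw key appear anywhere in stored state?"""
        return raw in repr(self._by_hash)


if __name__ == "__main__":
    store = LicenseStore()
    key = store.issue("example-org")
    print("issued:", key)
    print("valid:", store.validate(key))
    print("raw key stored anywhere:", store.persists_raw(key))
```

`persists_raw` is the check to keep in the test suite: it fails loudly if someone later adds a "convenience" field that writes the raw key back into the record or a log structure.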

Enterprise Compliance

For organizations requiring SOC2 Type II or ISO 27001 mapping, contact our enterprise security team for a full technical audit pack.

Contact Security Team