Security

How we protect your case documents.

CaseAlly is purpose-built for North Carolina family law. Your clients' records sit at the center of the product, so security is not a feature; it is the foundation.

Data encryption

Every CaseAlly database and storage bucket sits behind AES-256 encryption at rest. All traffic uses TLS 1.3, HSTS preload is enabled, and we never accept plaintext connections.

Access controls

Postgres Row-Level Security locks every table to the matter's organization. Service-role keys are used only on the server; they never reach the browser. Client portal tokens are rate-limited to 100 requests per hour.
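As an added illustration of the organization-scoped Row-Level Security described above (example SQL, not CaseAlly's own schema or code), assuming a matters table with an organization_id column, an application role named app_user, and a per-request session setting named app.current_org:

```sql
-- Constructed example: organization isolation with Postgres RLS.
-- Table, role and setting names are assumptions, not CaseAlly's schema.
CREATE TABLE matters (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL
);

-- Role the API uses on behalf of an authenticated user. It has no
-- BYPASSRLS attribute, so every query it runs is filtered by the policy.
-- A service role with BYPASSRLS (or the table owner, without FORCE below)
-- ignores these policies, which is why such credentials stay server-side.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON matters TO app_user;
GRANT USAGE ON SEQUENCE matters_id_seq TO app_user;

ALTER TABLE matters ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner would still see every row.
ALTER TABLE matters FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL or '' when the setting is unset;
-- nullif turns '' into NULL so the cast cannot error and no row matches.
CREATE POLICY matters_org_isolation ON matters
    FOR ALL TO app_user
    USING (organization_id =
           nullif(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id =
           nullif(current_setting('app.current_org', true), '')::uuid);

-- Per-request usage, inside one transaction so the setting cannot leak
-- to the next request on a pooled connection:
-- BEGIN;
-- SET LOCAL ROLE app_user;
-- SELECT set_config('app.current_org', '<org uuid from verified session>', true);
-- SELECT * FROM matters;   -- only this organization's rows are visible
-- COMMIT;
```

The server must derive the org id from the verified session, never from a client-supplied parameter, since the policy trusts whatever value was set.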

AI data handling

Your documents are processed by Anthropic's Claude API, which does not use customer data for model training. Documents are sent only for analysis and are not stored by the AI provider. Embeddings use OpenAI under the same training-prohibition contract.

Audit logging

Every write action, analysis run, document upload, export, and client share is written to an append-only audit log, exportable to CSV. Owners can review activity per user, per matter, or firm-wide.

Data retention

Each organization chooses a retention window of 90 days to 5 years, or indefinite retention. Auto-delete is off by default; when it is enabled, deleted cases are soft-deleted and enter a 30-day grace period during which you can restore a case.

Data portability

Export everything you've uploaded or generated as a single ZIP: original documents, all analyses, chat history, communications, findings, contradictions, appeal issues, and your audit log.

Compliance roadmap

We publish the milestones so attorneys and firm administrators can evaluate CaseAlly against their procurement requirements.

  1. Q3 2026: Vulnerability disclosure program and penetration test (external).
  2. Q4 2026: SOC 2 Type 1 assessment initiated.
  3. 2027: SOC 2 Type 2 report; HIPAA-readiness review for accounts handling protected health information.

Incident response

If we confirm unauthorized access to customer data, here is our playbook.

  1. Containment within 4 hours of confirmed incident.
  2. Root cause review within 72 hours.
  3. Notification to affected organizations within 72 hours of confirmed customer impact, per GDPR Article 33 and applicable state breach-notification laws.
  4. Post-incident writeup published on this page's changelog.

Report a potential vulnerability or security concern to hello@caseally.law.

Ready to evaluate CaseAlly for your firm?

Our privacy policy details every subprocessor and data flow.