Security & confidentiality

Confidentiality is the product.

Case Watch sits inside a firm's most sensitive document pipeline. The security posture is designed for that — not retrofitted onto it.

Encryption: AES-256 at rest · TLS 1.3 in transit
Tenancy: Hard-isolated per firm · no shared stores
Model training: Your data is never used to train any model
Hosting: US regions only · single-cloud, US-owned provider
Access controls: SSO via Microsoft Entra ID · role-based access · full audit log
Data retention: Set by firm · default 7 years · full export on termination
Incident response: Named contact notification within 24 hours of confirmed incident

01

Encryption, end to end.

All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Keys are managed in a hardware-backed KMS, rotated on a defined schedule, and segmented per tenant — the key used to encrypt one firm’s data cannot be used to read another’s.

Backups inherit the same controls as primary storage. Snapshots are encrypted and access-logged.


02

Tenancy is a wall, not a flag.

Every firm is a distinct tenant with isolated storage, isolated document indices, and isolated retrieval contexts. No query issued by one firm can reach another firm’s data. There is no shared vector store. There is no cross-tenant retrieval.

We do not train models on firm data. Not base models. Not fine-tuned ones. Not "anonymized" ones. The contents of your matters stay inside your tenant and inside the inference context of your own requests.


03

The attorney decides. Always.

Case Watch recommends. It never acts. Every calendared date is presented before it’s set. Every draft is held in a queue, unsent, until the attorney reviews it. Nothing leaves the firm’s environment through Case Watch — no auto-filed motion, no auto-sent email, no auto-signed anything.

This isn't just a policy. It's enforced in the architecture. There is no code path that sends a document to a court without a signed attorney confirmation.


04

Access controls that match a firm.

Single sign-on via Microsoft Entra ID is the default. Roles follow the firm: partner, associate, paralegal, legal assistant, external co-counsel. Access is scoped by matter, not just by user. A paralegal who doesn't work on a matter does not see its documents.

Every read, every edit, every draft generation, every model call is written to an immutable audit log available to the firm's admin in real time and exportable on demand.


05

An honest note on AI.

We use large language models to read documents, extract structured fields, and draft routine language. We chose vendors whose enterprise contracts prohibit training on input and guarantee no human review of customer data without explicit consent. We inspect those contracts carefully. We can share the list on request.

Models make mistakes. That is why the attorney reviews everything, that is why low-confidence extractions are flagged rather than filed, and that is why drafts sit in a review queue. The system is designed around the assumption that the model will be wrong sometimes — not around the wish that it won't.

Compliance posture

Audited, documented, and available on request.

SOC 2 Type II

Annual audit. Report available under NDA.

HIPAA

BAA available for firms handling PHI (personal injury, med-mal).

ABA Model Rule 1.6

Architecture designed to support the duty of confidentiality.

Pen testing

Quarterly external pen tests · findings tracked to remediation.

Have a specific question about our security posture? Email security@casewatch.app and we'll respond the same week.
