// Security & trust
You're trusting us with privileged data.
Here is exactly how we protect it — the controls we run today, and an honest account of what we're still building. No overclaiming.
Last updated: 2026-06-10
How your data flows
Your case content lives in a single-tenant-isolated Postgres database (Supabase on AWS us-east-1), encrypted at rest. When you chat or draft, only the context needed for that request is sent to the Google Gemini API over TLS and returned — nothing is stored on Google's side, and nothing trains a model. Citation checks call the public CourtListener API read-only. Optional Outlook integration reaches Microsoft Graph in your own tenant region.
Stored in Supabase on AWS us-east-1.
Only the needed context is sent; nothing is stored or trains a model.
Read-only citation lookups.
Read-only, only if you connect it.
All data is stored in AWS us-east-1 via Supabase (single region). EU data residency is on our roadmap but not yet available.
Encryption & isolation
ENCRYPTION_KEY before ever hitting Postgres. If our DB ever leaks, your Outlook account is still safe.ABA Model Rules alignment
Audit & accountability
audit_log with user, IP, user-agent, and timestamp. Retention: indefinite for the life of the firm account.Your data, your control
Data retention
How long each class of data lives. The windows below cover backups and logs.
| Data | Retention |
|---|---|
| Cases, documents, drafts, clients | Life of the account; deleted or anonymized after a verified deletion request (legal-hold + billing checks first), typically ≤30 days |
| Chat history & AI exchanges | Life of the account; deletable per-conversation any time |
| Audit log (create/update/delete/share/export) | Indefinite for the life of the firm account |
| Database backups (point-in-time recovery) | Encrypted; age out on their normal rolling cycle |
| Error/observability logs (Sentry) | 90 days, PII-redacted |
| Outlook OAuth tokens | Until you disconnect; deleted on disconnect |
| Stripe billing records | Retained by Stripe per their legal/tax obligations |
Subprocessors
The vendors that process data on our behalf. The full subprocessor list is the authoritative, maintained source of truth and matches our DPA.
- Supabase (PostgreSQL, Storage, Auth)Database + file storage + authentication · AWS us-east-1
- VercelApplication hosting + CDN · Edge network
- Google (Gemini API)AI inference (chat, drafting, summaries) · us-central1
- Microsoft (Graph API)Optional Outlook calendar + email integration · Per user's tenant region
- StripePayment processing — we never see card details · us-east-1
- SentryError tracking with PII redaction · us-east-1
- CourtListener (Free Law Project)Citation validation — read-only API calls · Public legal database
Standards & compliance timeline
- AES-256 encryption + Row-Level SecurityLive
Live today. Data encrypted at rest and in transit; firm-scoped isolation enforced at the database layer.
- No AI training on your dataLive
Live today. Gemini runs on Google’s paid tier under terms that prohibit training on your inputs or outputs; calls are stateless.
- ABA Op. 512 + Rule 1.7 controlsLive
Live today. AI exchanges auto-log AI-assisted time entries; conflict checks run as you type, with an acknowledgment trail.
- SOC 2 Type IIIn progress
In progress. Draftiro is not SOC 2 Type II certified today; an independent audit is underway. We will not represent it as complete until a report issues.
- EU data residencyIn progress
On the roadmap as we bring up an eu-central-1 region — not yet available. Today all data is stored in AWS us-east-1.
- SAML SSOIn progress
Rolling out on the Practice and Enterprise tiers. Most solo and small firms don’t need it — if you do, tell us.
Request a DPA or BAA
Need a signed Data Processing Addendum for procurement, or a BAA for PHI workflows? We'll send the current documents and walk your team through them.
Request documentsReport a vulnerability
Found a security issue? Email security@draftiro.com. We credit reporters who'd like public acknowledgement.
Email security@draftiro.com