Trust & Security
Built for legal-grade trust.
Your case is some of the most sensitive content you'll ever put in a SaaS. Advottic treats it that way. Every section below describes what we do today, in plain language, and what we're working toward.
Last reviewed: 2026-04-25
Encrypted everywhere
TLS 1.2+ in transit, AES-256 at rest. Per-row access enforced server-side, not in the client.
Your story stays yours
Bella and Advottic Review process your case under strict zero-retention commercial terms. Your content is never used to improve outside services.
You control access
Owner, editor, and attorney roles. Revoke any collaborator at any time. Fine-grained sharing is the default, not the exception.
Case content safety
How we keep your case content safe
In transit
At rest
- Database: Postgres on Supabase, AES-256 encrypted at rest. Per-row access is enforced by Row-Level Security (RLS) policies tied to your user ID, not by application code.
- Files: exhibit uploads live in a private storage bucket with path-scoped policies, so users only see files for cases they own or were invited into.
- Secrets: API keys and webhook secrets are stored as encrypted environment variables on Vercel. Service-role credentials never reach the browser.
Backups & recovery
Account protection
How we protect your account
Authentication
- Sign in via Google OAuth, Microsoft OAuth, or email magic link, issued by Supabase Auth. We never see or store your password.
- Session cookies are HTTP-only, Secure, and SameSite=Lax. They are bound to your browser and cannot be read by client-side JavaScript.
- Sign-out invalidates the session immediately and clears auth cookies in the browser.
Multi-factor authentication
Suspicious activity
Controls
Controls that keep you in control
Role-based sharing
Invite collaborators as owner, editor, or attorney. Each role sees only what they need.
Per-case audit trail
See who viewed, uploaded, exported, or shared a case. (In-app surface ships next.)
Self-serve data export
Download every case, exhibit, and review you've created at any time, for any reason.
Delete on demand
Permanent account deletion from your profile. We honor it within 30 days, including backups.
Data handling
Your data. Your eyes only.
What we collect
Assistant features
Where it lives
Retention
Sub-processors
Who we trust with what
We keep this list short on purpose. Every party below has a contractual data-handling agreement and a relevant compliance posture.
| Sub-processor | Purpose | Region | Compliance |
|---|---|---|---|
| Vercel | Application hosting, edge network | USA | SOC 2 Type II, ISO 27001 |
| Supabase | Auth, Postgres database, file storage | USA | SOC 2 Type II, HIPAA-ready |
| Anthropic | Natural-language processing for Bella + Advottic Review | USA | SOC 2 Type II; zero-retention commercial terms |
| Stripe | Subscription billing + customer portal | USA | PCI DSS Level 1, SOC 1/2 |
| Resend | Transactional email (sign-in, invites) | USA | SOC 2 Type II |
We will email account owners at least 30 days before adding a sub-processor that handles case content.
Disclosure
Found a vulnerability?
Please report it directly to security@advottic.com with the subject [security]. We aim to acknowledge within 2 business days. Please give us a reasonable window to investigate and fix before public disclosure. We do not currently run a paid bug bounty, but we recognize meaningful reports publicly with permission.
Common questions
You have questions. We have answers.
Is my case content used to improve any outside service?
Can my attorney see my case without an Advottic account?
What happens to my data if I cancel?
Are you SOC 2 / HIPAA / ISO 27001 certified?
Where is my data stored?
Have a security or compliance question we didn't cover?
Email security@advottic.com and we'll respond within 2 business days.
