Advottic
Sign in

Trust & Security

Built for legal-grade trust.

Your case is some of the most sensitive content you'll ever put in a SaaS. Advottic treats it that way. Every section below describes what we do today, in plain language, and what we're working toward.

Last reviewed: 2026-04-25

Encrypted everywhere

TLS 1.2+ in transit, AES-256 at rest. Per-row access enforced server-side, not in the client.

Your story stays yours

Bella and Advottic Review process your case under strict zero-retention commercial terms. Your content is never used to improve outside services.

You control access

Owner, editor, and attorney roles. Revoke any collaborator at any time. Fine-grained sharing is the default, not the exception.

Case content safety

How we keep your case content safe

In transit

All traffic to Advottic is served over HTTPS with TLS 1.2+. Strict-Transport-Security (HSTS) is enabled on the production domain so browsers refuse to downgrade.

At rest

  • Database: Postgres on Supabase, AES-256 encrypted at rest. Per-row access is enforced by Row-Level Security (RLS) policies tied to your user ID, not by application code.
  • Files: exhibit uploads live in a private storage bucket with path-scoped policies, so users only see files for cases they own or were invited into.
  • Secrets: API keys and webhook secrets are stored as encrypted environment variables on Vercel. Service-role credentials never reach the browser.

Backups & recovery

Supabase performs daily automated backups with point-in-time recovery on the paid plan we run on. We test restore procedures during major upgrades.

Account protection

How we protect your account

Authentication

  • Sign in via Google OAuth, Microsoft OAuth, or email magic link, issued by Supabase Auth. We never see or store your password.
  • Session cookies are HTTP-only, Secure, and SameSite=Lax. They are bound to your browser and cannot be read by client-side JavaScript.
  • Sign-out invalidates the session immediately and clears auth cookies in the browser.

Multi-factor authentication

TOTP-based two-factor authentication via the standard authenticator apps (1Password, Authy, Google Authenticator) is available now — turn it on from your profile settings. We do not, and will not, offer SMS-based 2FA: SIM-swap attacks make it materially weaker than TOTP.

Suspicious activity

Unusual sign-in attempts trigger an email notification. You can sign out of every device from your profile page.

Controls

Controls that keep you in control

  • Role-based sharing

    Invite collaborators as owner, editor, or attorney. Each role sees only what they need.

  • Per-case audit trail

    See who viewed, uploaded, exported, or shared a case. (In-app surface ships next.)

  • Self-serve data export

    Download every case, exhibit, and review you've created at any time, for any reason.

  • Delete on demand

    Permanent account deletion from your profile. We honor it within 30 days, including backups.

Data handling

Your data. Your eyes only.

What we collect

The minimum required to run the product: email + auth provider profile, the case content you choose to upload, billing identifiers from Stripe, and basic operational telemetry (request counts, error rates, no content). See the Privacy Policy for the full list.

Assistant features

Bella (your conversational assistant) and Advottic Review (case review) call a natural-language processing partner under commercial terms that prohibit using your inputs to improve their or any other service. Your case content is never used to improve a product outside your account.

Where it lives

Application: Vercel (United States, primary region: Washington, D.C.). Database and storage: Supabase (United States). Natural-language processing: Anthropic (United States). Billing: Stripe (United States).

Retention

Active cases are retained for the life of your account. On account deletion, we delete case content within 30 days from primary storage and from rolling backups within 35 days. Stripe transaction records are retained as required by tax and financial regulation.

Sub-processors

Who we trust with what

We keep this list short on purpose. Every party below has a contractual data-handling agreement and a relevant compliance posture.

Sub-processorPurposeRegionCompliance
VercelApplication hosting, edge networkUSASOC 2 Type II, ISO 27001
SupabaseAuth, Postgres database, file storageUSASOC 2 Type II, HIPAA-ready
AnthropicNatural-language processing for Bella + Advottic ReviewUSASOC 2 Type II; zero-retention commercial terms
StripeSubscription billing + customer portalUSAPCI DSS Level 1, SOC 1/2
ResendTransactional email (sign-in, invites)USASOC 2 Type II

We will email account owners at least 30 days before adding a sub-processor that handles case content.

Disclosure

Found a vulnerability?

Please report it directly to security@advottic.com with the subject [security]. We aim to acknowledge within 2 business days. Please give us a reasonable window to investigate and fix before public disclosure. We do not currently run a paid bug bounty, but we recognize meaningful reports publicly with permission.

Common questions

You have questions. We have answers.

Is my case content used to improve any outside service?
No. Our processing partner's commercial terms forbid using your inputs to improve their service or any other product. Your content reaches Bella or Advottic Review, returns an answer, and is not retained beyond delivering that answer.
Can my attorney see my case without an Advottic account?
Yes - invite them as a collaborator. They'll receive a magic-link invite, see only the case you shared, and can be removed any time from the Sharing tab. We do not require the attorney to subscribe.
What happens to my data if I cancel?
Your subscription downgrades at the end of the current billing period. Cases stay in your account read-only. If you delete the account, all case content is purged from primary storage within 30 days and from backups within 35 days.
Are you SOC 2 / HIPAA / ISO 27001 certified?
We're not yet directly certified - we run on infrastructure (Vercel, Supabase, Anthropic, Stripe) that is. Direct certification of Advottic is on the roadmap as we move beyond early-stage operation.
Where is my data stored?
United States. Application on Vercel, database + files on Supabase. We can offer a Data Processing Agreement (DPA) on request.

Have a security or compliance question we didn't cover?

Email security@advottic.com and we'll respond within 2 business days.