Your data. Your rules. Our obsession.
Handling privileged billing data requires controls that put you in charge. From encryption to data deletion, every feature is designed for security teams.
Document Retention Controls
Your Choice, Your Timeline
Wipe documents after review or retain them. Set retention policies per invoice, per matter, or organization-wide. You decide when data disappears.
Keep Intelligence, Delete Originals
Preserve structured data (amounts, flags, metadata) for analytics while permanently deleting original PDF invoices.
Bulk Purge Operations
Delete all documents older than any date you specify. Maintain clean compliance with your document retention policies.
Transparent Status & Audit Trail
Visual indicators show retention status. Every deletion event is logged. Full visibility into what data has been removed.
Retention Policy
- Automatic Deletion: 90 days after review
- Manual Retention: Keep for dispute resolution
- Scheduled Purge: Delete all pre-2024 documents
Recent Actions
- Deleted 847 PDFs on Mar 15, 2026
- Deleted 612 PDFs on Feb 28, 2026
Infrastructure Security
Encryption
AES-256 encryption at rest. TLS 1.3 for all data in transit. Industry-standard protocols with no exceptions.
Access Control
Role-based permissions. SSO/SAML for Enterprise accounts. Fine-grained controls over who sees what.
Audit Logging
Every action logged. Uploads, reviews, exports, deletions. Full activity history for compliance and investigation.
Data Isolation
Multi-tenant architecture with PostgreSQL row-level security. Your data is siloed from other customers.
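To make the row-level security claim concrete, here is an illustrative PostgreSQL tenant-isolation policy. It is an added example, not CounselAudit's schema or code: the table `invoices`, the column `org_id`, the role `app_user` and the session setting `app.current_org` are all assumed names. It shows the two details a reviewer usually asks about when RLS is the isolation boundary: the policy must be forced so that the table owner is also bound by it, and the tenant setting must fail closed (no rows) when it is missing.

```sql
-- Illustrative tenant-isolation schema. All identifiers are assumed for
-- this example; they are not the vendor's actual schema.
CREATE TABLE invoices (
    id           bigserial PRIMARY KEY,
    org_id       uuid NOT NULL,           -- tenant that owns the row
    matter_id    uuid,
    amount_cents bigint NOT NULL,
    created_at   timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies too.
-- Superusers and roles with BYPASSRLS still bypass RLS, so the application
-- role must be neither.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- The application pins the tenant per transaction:
--   SET LOCAL app.current_org = '<org uuid>';
-- NULLIF guards the case where the setting is unset or was reset to '':
-- the comparison then yields NULL, the policy matches nothing, and the
-- query fails closed instead of erroring on an empty-string uuid cast.
CREATE POLICY invoices_tenant_isolation ON invoices
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Least privilege: the application role gets only the DML it needs and
-- no ability to alter the table or its policies.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;

-- Constructed sample rows for two tenants.
INSERT INTO invoices (org_id, amount_cents) VALUES
    ('00000000-0000-0000-0000-000000000001', 125000),
    ('00000000-0000-0000-0000-000000000001',  48000),
    ('00000000-0000-0000-0000-000000000002',  99000);

-- Check 1: scoped to tenant 1, only tenant 1's rows are visible (count = 2).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '00000000-0000-0000-0000-000000000001';
SELECT count(*) FROM invoices;
-- Writing a row for another tenant is rejected by WITH CHECK.
-- INSERT INTO invoices (org_id, amount_cents)
--     VALUES ('00000000-0000-0000-0000-000000000002', 1);
COMMIT;

-- Check 2: no tenant set, so nothing is visible (count = 0) rather than
-- everything; a missing tenant context must never widen access.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM invoices;
COMMIT;
```

The audit-logging and bulk-purge features described on this page sit on top of the same boundary: a purge that runs as `app_user` can only ever delete rows the current tenant setting exposes, which is the property a customer should ask a vendor to demonstrate when "siloed" data is the claim.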
Sub-Processor Certifications
Every vendor we rely on has been vetted for enterprise-grade security. Full sub-processor details are in our DPA.
| Sub-Processor | Certifications | Purpose |
|---|---|---|
| Supabase (AWS) | SOC 2 Type 2, HIPAA eligible | Database, file storage |
| Vercel | SOC 2 Type 2, ISO 27001, PCI DSS | Application hosting, CDN |
| Clerk | SOC 2 Type 2, CCPA, GDPR | Authentication, user management |
| Anthropic | SOC 2 Type 2, ISO 27001 | AI invoice parsing |
| Stripe | SOC 2 Type 2, PCI DSS Level 1, ISO 27001 | Payment processing |
| Resend (AWS SES) | SOC 2 Type 2 | Transactional email |
Compliance Commitments
GDPR
Standard Contractual Clauses for EEA/UK transfers. Data subject rights support. 72-hour breach notification.
PIPEDA
Canadian privacy law compliance. Processing consent. Data subject access requests honored.
Attorney-Client Privilege
All legal billing content treated as privileged. Access restricted to the client organization. No secondary use.
ABA Model Rule 1.6
Controls designed to support law firms and in-house teams meeting their confidentiality obligations.
State Bar Cloud Ethics Compliance
Leading state bar associations (ABA Opinion 477R, NY Opinion 842, CA Opinion 2010-179) permit cloud-hosted legal data when the vendor demonstrates reasonable security controls. Our encryption, multi-tenant isolation, audit logging, and SOC 2-certified sub-processors are designed to satisfy these requirements.
CAN-SPAM
Unsubscribe honored within 10 days. Physical address on all commercial email. Accurate sender identification.
AI & Data Commitment
Your data is never used to train AI models.
We use Anthropic's Claude API for invoice parsing and analysis. Anthropic does not use API inputs or outputs to train its models. All data is encrypted in transit via TLS 1.3.
Limited Retention, Zero on Request
Anthropic may retain API data for up to 30 days for abuse monitoring, after which it is deleted. Enterprise customers can request Zero Data Retention (ZDR) for immediate deletion — contact privacy@counselaudit.ai.
Transparency & Control
Audit logs show which data was processed by AI and when. AI usage is rate-limited (50 calls/org/hour). Full visibility, no surprises.
Terms and DPA — published upfront
Our Terms of Service and Data Processing Agreement are published on our website. No NDA required to read them. No sales process to access them. We made them client-friendly because we know our buyers are lawyers.
Compliance Roadmap
DPA & Published Terms
Download our DPA and Terms. No NDA required. Client-friendly because our buyers are lawyers.
Penetration Test
Third-party penetration test planned for Q4 2026. Summary letter available to customers under NDA.
SOC 2 Type 1
Audit preparation underway. Type 2 audit window opens H2 2026. Security and availability trust service criteria.
Data Residency
US, EU, and Canada region options for Enterprise customers. Keep your data where your compliance requires.
Ready to see our security in detail?
Download our DPA or get in touch. We're ready to answer every question about how we protect your data.