Security & Compliance
Your client data stays yours.
We built Atticus AI for attorneys who handle sensitive information every day. Your data is encrypted at rest and in transit, isolated per firm, logged for compliance, and never used to train AI models. BAA and DPA available on request.
Security overview
Specific technical controls protecting your data at every layer of the platform.
Encryption at Rest
Documents are encrypted twice before storage: client-side with Fernet symmetric encryption (PBKDF2-SHA256 key derivation, 100,000 iterations) and server-side with AES-256 on AWS S3. Your database is encrypted at rest via AWS RDS managed encryption. Sensitive document metadata is also encrypted before storage.
Encryption in Transit
All connections use TLS 1.2 or higher with strong cipher suites (ECDHE-RSA-AES256-GCM-SHA512). HSTS is enforced with a one-year max-age and includeSubDomains. Every API call, file upload, AI query, and response is encrypted end-to-end between your browser and our servers.
Access Controls
Role-based access control with firm-level data isolation. Every database query is scoped to your firm -- there is no mechanism for cross-tenant data access. Accounts lock after 5 failed login attempts. Sessions enforce a 30-minute inactivity timeout and 8-hour absolute maximum. Passwords are hashed with bcrypt.
Audit Logging
Every action on the platform is logged: logins, logouts, document access, uploads, downloads, deletions, permission changes, and security events. Logs include the user, action, resource, IP address, user agent, and timestamp. Audit logs are retained for 7 years per HIPAA requirements.
BAA Availability
We offer a Business Associate Agreement to any customer who handles protected health information. We maintain a signed BAA with AWS covering all infrastructure services (EC2, RDS, S3, Bedrock, CloudTrail). A Data Processing Agreement is also available. Contact us to request either document.
CCPA Compliance
California residents can exercise their rights to access, correct, delete, and export personal data. We do not sell or share personal information. Account deletion anonymizes all personally identifiable information and removes documents and conversations. Deletion records are maintained permanently as compliance proof.
Data residency and infrastructure
All data is processed and stored within the United States on Amazon Web Services infrastructure. We maintain a signed Business Associate Agreement with AWS covering every service used in the platform.
- US-East-1 (N. Virginia) data centers exclusively
- No data transfers outside the United States
- AWS RDS PostgreSQL with encryption at rest
- AWS S3 with versioning, access logging, and dual encryption
- Isolated Docker network with no public database access
- Nginx reverse proxy with rate limiting and security headers
Subprocessors
Every third party that processes customer data on our behalf. We notify customers of subprocessor changes at least 30 days in advance.
| Provider | Service | Data processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | All platform data (compute, database, storage, AI inference, logging) | US-East-1 (N. Virginia) |
| AWS Bedrock (Anthropic Claude) | AI model inference | Document content and user queries submitted for AI analysis | US-East-1 (N. Virginia) |
| Stripe | Payment processing | Billing name, email, payment method, subscription status | United States |
| Exa AI | Web search for legal research | Search queries only (general legal research terms) | United States |
| Vercel | Landing page hosting and analytics | Page views and basic interaction metrics on the marketing site only | United States |
Amazon Web Services (AWS)
Cloud infrastructure
AWS Bedrock (Anthropic Claude)
AI model inference
Stripe
Payment processing
Exa AI
Web search for legal research
Vercel
Landing page hosting and analytics
Additional controls
File validation
- File type whitelist: PDF, DOCX, DOC, TXT, RTF
- Maximum upload size: 50 MB
- MIME type verification
- Malware signature detection
- SHA-256 integrity hashing
Network security
- Rate limiting: 10 req/s API, 2 req/s uploads
- SQL injection and XSS detection middleware
- Security headers: X-Frame-Options DENY, HSTS, nosniff
- IP spoofing detection
- No public database or cache access
Authentication
- JWT tokens (HS256) with HttpOnly secure cookies
- Session timeout: 30 min inactivity, 8 hr absolute
- Account lockout after 5 failed attempts
- bcrypt password hashing
- Role-based access control per firm
Documentation available on request
Business Associate Agreement
HIPAA BAA for customers handling protected health information.
Data Processing Agreement
DPA covering all data processing activities, sub-processors, and retention schedules.
Security Architecture
Technical documentation of encryption, access controls, network architecture, and audit systems.
Incident Response Plan
Breach notification procedures, severity classification, and remediation framework.
Questions about security?
We're happy to discuss our security practices in detail, provide compliance documentation, or walk through our architecture with your IT or compliance team.