Security at a glance
How firms' client data is protected. TrusteeClear is software infrastructure — not a law firm — and your attorneys control all legal work and approvals.
How your clients' data is protected
- Tenant isolation. Every firm's data is separated at the database level by Row-Level Security — one firm can never see another's matters. Enforced in the database, not just the app, and covered by an automated test suite.
- Encryption. Data is encrypted in transit (HTTPS/TLS) and at rest.
- Document security. Trusts, death certificates, and financial documents live in private storage with signed, matter-scoped access — never public URLs, never emailed as attachments.
- Access control. Magic-link sign-in (no passwords to steal), least-privilege keys, per-firm staff roles, and separated, logged platform administration.
- Audit trail. An append-only audit log records who accessed or changed what, and when.
- AI handling. AI organizes documents and answers general questions; it never gives legal advice, and our AI vendor terms prohibit training on your client data. Every client-facing output is gated by your attorney's review.
- Backups & recovery. Automated backups with periodic restore testing.
- Incident response. A documented runbook with defined severities, containment steps, and notification.
Compliance posture
- SOC 2 Type II: in progress; readiness controls in place today, report available on completion.
- Data Processing Addendum: available — TrusteeClear acts as your data processor; your firm remains the controller.
- UPL / Fla. Bar Op. 24-1: built around attorney-controlled outputs; the AI discloses it is not a lawyer and never delivers a final legal document without your attorney's approval.
Subprocessors
Supabase (database/auth/storage), Vercel (hosting), Anthropic (AI), Stripe (payments), and email/SMS providers — all US-based, under data-protection terms.
Questions?
For a security questionnaire or our DPA, contact security@trusteeclear.com.