Built to protect your case data
Caseworth handles sensitive legal information. Here is exactly how we encrypt it, who we share it with, and how our architecture keeps consumer guidance compliant with unauthorized practice of law rules in every state.
- ›No sharing with insurance companies or opposing counsel
- ›PII scrubbing on all error monitoring
- ›TLS 1.3 in transit, AES-256 at rest
- ›Minimal third-party data sharing
- ›Transparent vendor disclosure
Six commitments we engineer into every release
These are not aspirations. Each pillar maps to controls in our codebase, our infrastructure, and our vendor contracts.
All API traffic moves over TLS 1.3. Database storage at Supabase is encrypted at rest with AES-256. Passwords are hashed with bcrypt, which salts every hash.
JWT auth via Supabase, role-based access between consumer and professional, row-level security in the database, MFA required for all production access.
Emails, phone numbers, SSNs, ZIP codes, injury descriptions, plaintiff and defendant names, and settlement amounts are stripped before any error event leaves our backend.
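The scrubbing step described above, as an added example written for this page rather than Caseworth's own code: a before-send hook in the style error-monitoring SDKs expose, which walks the whole event (message, frame locals, extra context), redacts the case-data keys outright, pattern-scrubs free text for emails, phone numbers, SSNs and ZIP codes, collapses the user context to an opaque id, and ships with a second-pass check that CI can run to prove nothing matching a PII pattern survived. The event shape, key names, placeholders and sample data are all assumptions.

```python
import re
from typing import Any

# Added example, not Caseworth's code. Event shape, key names and placeholders
# are assumptions modelled on what error-monitoring SDKs hand to a before-send hook.

# Most specific pattern first. Placeholders contain no digits or "@", so a later
# pattern can never re-match a span an earlier one already redacted.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    # Any bare 5-digit number is treated as a ZIP. Over-scrubbing is the safe
    # failure mode for error telemetry; line numbers rarely reach five digits.
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# Keys whose whole value is case data. Redacted by key regardless of type, so a
# settlement amount stored as an int is not missed by the text regexes.
SENSITIVE_KEYS = {
    "email", "phone", "ssn", "zip", "zip_code",
    "plaintiff", "plaintiff_name", "defendant", "defendant_name",
    "injury_description", "settlement_amount",
}


def scrub_text(text: str) -> str:
    """Replace every PII pattern match in free text with a labelled placeholder."""
    for label, pattern in PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def scrub(obj: Any) -> Any:
    """Recursively scrub dicts/lists (message, breadcrumbs, frame locals, extra).
    Returns a new structure; the caller's event is left untouched."""
    if isinstance(obj, dict):
        return {
            k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj  # ints, floats, None: line numbers and timings pass through


def before_send(event: dict) -> dict:
    """Hook to register with the monitoring SDK: scrub everything, then reduce the
    user context to an opaque id so no identity attribute leaves the backend."""
    clean = scrub(event)
    user = clean.get("user")
    if isinstance(user, dict):
        clean["user"] = {"id": user.get("id")}
    return clean


def residual_pii(obj: Any) -> list:
    """Second pass for CI: labels of any PII pattern still matching after scrubbing."""
    if isinstance(obj, dict):
        return [h for v in obj.values() for h in residual_pii(v)]
    if isinstance(obj, (list, tuple)):
        return [h for v in obj for h in residual_pii(v)]
    if isinstance(obj, str):
        return [label for label, p in PATTERNS if p.search(obj)]
    return []


# Constructed sample event (not real data) in the shape an SDK builds before send.
SAMPLE_EVENT = {
    "message": "Lexstimate failed for jane.doe@example.com (SSN 123-45-6789)",
    "transaction": "POST /api/reports",
    "exception": {"values": [{"type": "ValueError", "stacktrace": {"frames": [
        {"filename": "app/reports.py", "lineno": 88, "function": "build_report",
         "vars": {"plaintiff": "Jane Doe", "zip": "90210", "phone": "(555) 123-4567",
                  "note": "slipped at 90210, call 555-123-4567"}},
    ]}}]},
    "user": {"id": "usr_42", "email": "jane.doe@example.com"},
    "extra": {"settlement_amount": 25000, "timing_ms": 310},
}

if __name__ == "__main__":
    cleaned = before_send(SAMPLE_EVENT)
    assert residual_pii(cleaned) == [], residual_pii(cleaned)
    print(cleaned)
```

Key-based redaction and text-pattern scrubbing cover different failure modes: the key list catches structured fields whose values the regexes would never recognise (a name, an integer amount), while the regexes catch PII that was interpolated into a message or a local variable nobody thought to name. The `residual_pii` pass is the check worth wiring into CI against a corpus of captured events, because a scrubber that is never tested against real event shapes is the one that leaks.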
Application-level firewall rules, DDoS protection at the Fly.io edge, and per-route rate limiting prevent abuse and brute-force attacks.
Our consumer flow is isolated from professional analysis. A guardrail layer enforces information-only output and refuses jurisdiction-specific legal opinions.
Independent third parties run external penetration tests yearly. We undergo regular SOC 2 Type II audits to validate the controls above.
How we keep consumer guidance on the right side
Caseworth provides legal information to consumers and analytical tools to licensed attorneys. The two product surfaces run on separate prompts, separate models, and separate guardrails. Federal courts are increasingly recognizing AI-assisted legal preparation as legitimate and protected, and our architecture is built to meet that bar in every state.
Read the Full UPL Framework
- ›No jurisdiction-specific legal opinions to consumers
- ›No predicting case outcomes as advice
- ›Consumer reports labeled as information, not representation
- ›Clear hand-off path to a licensed attorney
- ›Audited refusal patterns for prohibited prompts
A short, transparent list of who touches your data
We keep our vendor surface deliberately small. Every party below has a defined purpose, a documented data scope, and a published privacy policy.
Supabase. Auth and database. Stores email, user ID, hashed passwords, and case analysis results. SOC 2 Type II, ISO 27001.
Fly.io. Backend API hosting. Receives request metadata only. Logs retained for seven days. SOC 2 Type II.
Consumer plan billing. PCI DSS Level 1. Caseworth never stores full credit card numbers.
LLM gateway for GPT-4, Claude, and others. Does not train on user data. Case facts are processed in real time and are not stored for training.
PII scrubbing enabled. Receives stack traces, endpoint names, and timing only. Never receives emails, case facts, or medical records.
Transactional email for password resets and receipts. Thirty-day retention.
No tracking pixels. No data sales. No exceptions.
- ›No behavioral tracking pixels (no Facebook Pixel, no Google Analytics)
- ›No cross-site tracking cookies
- ›No sale of user data to any third party
- ›No sharing of case details with insurance companies or opposing counsel
- ›No retention of case data beyond necessary processing
Found something? Tell us directly.
For security inquiries, vulnerability disclosure, or to request a copy of our latest security report under NDA, email security@caseworth.io. We respond to verified reports within one business day.
Ready to know what your case is actually worth?
Get your Lexstimate report instantly. Know your rights, understand your deadline, and see the real benchmark range for cases like yours — all for $9.99.