Security & Compliance Overview

CaseWorth is committed to protecting user privacy and security. This document provides complete transparency about our data handling practices, third-party vendors, and security measures.

1. What We DO NOT Track or Collect

2. Third-Party Services & Data Sharing

We use a minimal set of third-party services to operate CaseWorth. Below is a complete list of vendors and exactly what data they receive.

2.1 Infrastructure & Hosting

Supabase (Database & Authentication)

• Purpose: User authentication, database storage
• Data Shared: Email, user ID, hashed passwords, case analysis results
• Encryption: TLS 1.3 in transit, AES-256 at rest
• Certifications: SOC 2 Type II, ISO 27001
• Privacy Policy: supabase.com/privacy

Fly.io (Application Hosting)

• Purpose: Backend API hosting
• Data Shared: HTTP request metadata (IP addresses, request paths)
• Retention: Server logs retained for 7 days
• Certifications: SOC 2 Type II
• Privacy Policy: fly.io/legal/privacy-policy

2.2 Payment Processing

Stripe

• Purpose: Payment processing for consumer plans
• Data Shared: Email, payment card information, transaction amounts
• Security: PCI DSS Level 1 certified
• Note: CaseWorth never stores full credit card numbers
• Privacy Policy: stripe.com/privacy

2.3 AI & Language Models

OpenRouter (LLM Gateway)

• Purpose: Access to AI models (GPT-4, Claude, etc.)
• Data Shared: Case facts, legal queries (anonymized where possible)
• Training: OpenRouter does not train on user data
• Privacy Policy: openrouter.ai/privacy

Case details sent to AI models are processed in real-time and not used for model training.

2.4 Error Monitoring

Sentry.io

• Purpose: Error tracking and performance monitoring
• Data Shared: Anonymized technical errors only
• What Sentry Receives:
  • Error stack traces (with PII removed)
  • API endpoint names (e.g., /api/analyze)
  • Error types (e.g., "Database connection timeout")
  • Performance metrics (response times)
• What Sentry DOES NOT Receive:
  • User emails or names
  • Case facts or injury descriptions
  • Medical records or legal analysis
  • Any personally identifiable information
• Retention: 90 days
• Privacy Policy: sentry.io/privacy

2.5 Email Services

Resend

• Purpose: Transactional emails (password resets, receipts)
• Data Shared: Email addresses, transaction details
• Retention: 30 days
• Privacy Policy: resend.com/legal/privacy-policy

2.6 Legal Research Data

Tavily API

• Purpose: Legal case law and statute search
• Data Shared: Search queries (e.g., "Florida negligence statute")
• Retention: Not retained by Tavily
• Privacy Policy: tavily.com/privacy

3. Data Security Measures

3.1 Encryption

• In Transit: TLS 1.3 for all API communications
• At Rest: AES-256 encryption for database storage (Supabase)
• Passwords: Bcrypt hashing with salt

3.2 Access Controls

• Authentication: JWT-based authentication via Supabase
• Authorization: Role-based access control (consumer vs. professional)
• Database: Row-level security policies enforced

3.3 Network Security

• Firewall: Application-level firewall rules
• DDoS Protection: Provided by Fly.io infrastructure
• API Rate Limiting: Prevents abuse and brute-force attacks

4. Access Control

4.1 User Authentication

• Strong Passwords: We enforce strong password policies, including minimum length and complexity requirements.
• Multi-Factor Authentication (MFA): MFA is required for all Caseworth personnel accessing production systems and is strongly recommended for all customer accounts.

4.2 Least Privilege

Access to customer data and production systems is granted strictly on a need-to-know basis and the principle of least privilege. Access rights are reviewed periodically and revoked immediately upon change of role or termination of employment.

5. Network and Infrastructure Security

5.1 Hosting Environment

Caseworth utilizes industry-leading cloud providers with certifications such as ISO 27001, SOC 1, and SOC 2. Our infrastructure is logically separated from other tenants and protected by multiple layers of security controls.

5.2 Vulnerability Management

We employ continuous monitoring and regular vulnerability scanning of our infrastructure and application code. Identified vulnerabilities are prioritized based on risk and remediated according to defined service level objectives (SLOs).

6. Incident Response and Business Continuity

6.1 Security Incident Response

We maintain a formal Security Incident Response Plan (SIRP) to address potential security breaches. The plan includes procedures for detection, containment, eradication, recovery, and post-incident analysis. Customers will be notified of security incidents affecting their data as required by law and contract.

6.2 Backup and Disaster Recovery

Customer data is backed up regularly and stored securely. We maintain a comprehensive Disaster Recovery (DR) plan to ensure the continuity of the Services in the event of a major disruption, with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

7. Security Audits and Testing

Caseworth engages independent third parties to conduct regular security assessments, including:

• Penetration Testing: Annual external penetration tests are performed to identify and address potential weaknesses in our application and infrastructure.
• Security Audits: We undergo regular security audits (e.g., SOC 2 Type II) to validate the effectiveness of our security controls.

8. Customer Responsibilities

While Caseworth is responsible for the security of the platform, customers are responsible for:

• Maintaining the confidentiality of their account credentials.
• Implementing strong, unique passwords and enabling MFA.
• Managing access controls within their Caseworth account.
• Ensuring the security of their own systems and networks used to access the Services.

9. Contact Information

For security-related inquiries, to report a vulnerability, or to request a copy of our latest security report (subject to NDA), please contact:

Email: security@caseworth.io