
Security & Privacy

Enterprise Security Whitepaper

SOC 2 & GDPR Compliance Verified

Welcome to the JurisClear AI Security Portal. Data security, privacy, and regulatory compliance are the foundational pillars of our platform. We implement a multi-layered security architecture designed to protect sensitive contract documents and corporate records under the highest standards of modern LegalTech software.

1. Encryption & Infrastructure Security

JurisClear utilizes a secure cloud infrastructure designed to enforce strict access controls and robust encryption mechanisms:

  • Encryption in Transit: All data transmitted between user browsers and the JurisClear API endpoints is encrypted using TLS 1.3. TLS 1.3 cipher suites use only ephemeral key exchange, so every session has Perfect Forward Secrecy (PFS).
  • Encryption at Rest: All client data, session records, and analysis metadata are stored in an isolated Supabase Cloud environment backed by enterprise PostgreSQL and encrypted at rest with AES-256.
  • Row-Level Security (RLS): We strictly enforce Row-Level Security at the database layer. No user can ever read, update, or delete data belonging to another corporate entity.
  • Billing Security: All subscriptions and payments are handled exclusively by Lemon Squeezy (PCI DSS Level 1 compliant). Credit card numbers never touch our servers: we neither store nor process them.

2. AI Privacy Policy (Zero-Data Retention)

JurisClear harnesses the power of advanced large language models via the official OpenAI enterprise API (`gpt-4o`). We enforce a strict Zero-Retention and Non-Training AI Policy to safeguard your commercial secrets:

100% Confidentiality Guarantee:
  • No Training: Your uploaded documents, extracted texts, and audit reports are NEVER used by OpenAI or any third-party providers to train, retrain, or improve AI models.
  • In-Memory Analysis: Documents are parsed and audited within an ephemeral, isolated memory session. No permanent footprint is left on third-party servers.
  • Temporary Storage: Active files are temporarily retained in secure Supabase Storage buckets to support interactive sessions and are deleted immediately upon account removal or 30 days of inactivity.

3. Automated GDPR Compliance (Art. 17 & 20)

Our backend integrates an automated compliance engine (`app/services/gdpr_service.py`) designed to give users complete control over their Personally Identifiable Information (PII):

3.1. Right to be Forgotten (Art. 17 GDPR)

Users can permanently delete their account and all associated records with a single click in the Settings panel. The system executes an atomic, secure deletion sequence:

  1. Billing Protection: Automatically cancels active subscription plans via the Lemon Squeezy API to protect the customer from unintentional renewals (Ghost Charges Protection).
  2. PII Metadata Erasure: Deletes associated `guest_sessions` containing IP addresses and device fingerprints.
  3. Database Purge: Calls Supabase `auth.admin.delete_user()`, which triggers PostgreSQL cascading deletes that permanently destroy the user profile, all previous audits, payment histories, and custom rules.

3.2. Data Portability (Art. 20 GDPR)

You can instantly export all account data in a structured, machine-readable JSON format directly from the Settings page. This export includes your profile details, transactional logs, active subscriptions, and custom "red line" playbooks.

4. Threat Prevention & Application Shielding

To protect corporate clients against advanced threat vectors, JurisClear deploys extensive application-level defense mechanisms:

  • Byte-Level File Validation (`python-magic`): Prevents extension-spoofing attacks. The server inspects the file's leading bytes (magic numbers) rather than trusting the extension, so an executable script renamed to .pdf or .docx is rejected before it ever reaches the parser.
  • PDF-Bomb Layer 2 Protection: Parsing of highly compressed or recursively nested documents (PDF bombs) is aborted by a strict asynchronous 30-second timeout, mitigating Denial of Service (DoS) attempts.
  • Distributed Rate Limiting (`slowapi` + Redis): Shields API endpoints from automated scraping, brute-force attempts, and request floods, with limits shared across instances via Redis, supporting our 99.9% availability SLA.
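The following is an added example, not JurisClear's code, of the first two defenses above: magic-byte validation of an upload against its claimed extension, and an asynchronous parse timeout. It assumes a small hand-written signature table in place of `python-magic`/`libmagic`, an assumed upload size cap, and goes one step beyond the bullets by also rejecting DOCX containers that inflate far beyond their compressed size (a zip-bomb check, with an assumed ratio limit). All sample inputs are constructed inline.

```python
import asyncio
import io
import os
import zipfile

# Assumed limits for this example (not JurisClear's actual settings).
MAX_UPLOAD_BYTES = 25 * 1024 * 1024       # upload size cap
MAX_DOCX_INFLATE_RATIO = 100              # decompressed/compressed cap for DOCX
PARSE_TIMEOUT_SECONDS = 30.0              # the 30-second parse timeout described above

# Leading-byte signatures keyed by the extension the client claims.
# Stand-in for the sniffing python-magic/libmagic would do in production.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",               # OOXML documents are ZIP containers
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message names the failed check."""


def sniff_extension(data: bytes):
    """Return the extension implied by the leading bytes, or None if unrecognised."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def check_docx_container(data: bytes) -> None:
    """Require a real DOCX layout and reject archives that inflate suspiciously."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if "word/document.xml" not in zf.namelist():
                raise UploadRejected("ZIP is not a DOCX: word/document.xml missing")
            compressed = sum(i.compress_size for i in infos) or 1
            inflated = sum(i.file_size for i in infos)
            if inflated / compressed > MAX_DOCX_INFLATE_RATIO:
                raise UploadRejected("DOCX inflates beyond allowed ratio (possible zip bomb)")
    except zipfile.BadZipFile:
        raise UploadRejected("DOCX is not a valid ZIP container")


def validate_upload(filename: str, data: bytes) -> str:
    """Byte-level validation: the claimed extension must match the sniffed content."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size cap")
    sniffed = sniff_extension(data)
    if sniffed != ext:
        raise UploadRejected(f"content looks like {sniffed or 'unknown'}, not {ext}")
    if ext == ".docx":
        check_docx_container(data)
    return ext


def rejection_reason(filename: str, data: bytes):
    """None if the upload is accepted, otherwise the rejection message."""
    try:
        validate_upload(filename, data)
        return None
    except UploadRejected as exc:
        return str(exc)


async def parse_with_timeout(parser, data: bytes, timeout: float = PARSE_TIMEOUT_SECONDS):
    """Abort a parse that runs longer than `timeout` seconds (PDF-bomb defence)."""
    try:
        return await asyncio.wait_for(parser(data), timeout=timeout)
    except asyncio.TimeoutError:
        raise UploadRejected(f"parsing exceeded {timeout}s limit")


def parse_outcome(parser, data: bytes, timeout: float = PARSE_TIMEOUT_SECONDS):
    """Run the timed parse from synchronous code; returns ('ok', result) or ('rejected', msg)."""
    try:
        return ("ok", asyncio.run(parse_with_timeout(parser, data, timeout)))
    except UploadRejected as exc:
        return ("rejected", str(exc))


# --- constructed sample inputs and stand-in parsers ----------------------------
PDF_SAMPLE = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SCRIPT_AS_PDF = b"#!/bin/sh\necho hello\n"          # a script renamed to .pdf


def make_docx_sample() -> bytes:
    """Minimal DOCX-shaped ZIP built in memory (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def make_zip_bomb_sample() -> bytes:
    """DOCX-shaped ZIP whose one entry inflates roughly 1000x (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "A" * 1_000_000)
    return buf.getvalue()


async def quick_parser(data: bytes):
    return {"bytes": len(data)}


async def stuck_parser(data: bytes):
    await asyncio.sleep(3600)                        # simulates a parse that never finishes
    return "unreachable"
```

One caveat worth knowing when reusing this pattern: `asyncio.wait_for` can only cancel a parser that cooperates with the event loop (awaits periodically) or that runs in a separate process. A pure CPU-bound parser called synchronously on the loop thread will not be interrupted by the timeout; for that case, run the parser in a worker process that can be killed when the deadline passes.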

5. Contact & Security Team

If you have any questions, wish to report a vulnerability, or require additional compliance questionnaires (such as SOC 2 summaries or security assessments), please reach out to us at support@jurisclear.com.


© 2026 JurisClear AI. Your smart legal assistant.