JusticeX handles some of the most sensitive information people have. Here is how it's protected, who processes it, what we retain, where we are on compliance, and how neutrality is verified — labeled honestly, including what isn't finished yet.
AES-256 at rest, TLS 1.3 in transit, per-tenant isolation, and role-based access controls. No system can guarantee absolute security, and we don't claim it does.
Each party's private content is walled from the other unless it's meant to be shared, enforced by access controls in the product — not by policy alone. Operational contact details are stored separately and never entered into the comparison.
Personal identifiers are removed before any cross-party sharing, with a reviewable diff and a counsel-signed redaction certificate at the checkpoint.
Customer content is not used to train public or third-party foundation models; we will operate under a zero-data-retention posture with our model provider for that content once that integration is live.
| Item | Status | Note |
|---|---|---|
| SOC 2 Type II | Planned · targeted 2026 | SOC 2 program planned; no audit engaged yet. |
| ISO 27001 | Planned | ISMS scoping planned; not yet started. |
| GDPR / CCPA-CPRA | Planned | DPA in development; data-subject rights will be honored per applicable law once live. |
| NY SHIELD Act | Planned | Reasonable-safeguards program and breach-response process in development. |
| HIPAA | Future · not a Business Associate | Do not submit PHI unless and until a BAA is in place. Sensitive health information is handled under applicable state law. |
Each subprocessor operates under contractual confidentiality and security obligations. Items marked planned are engaged as the corresponding feature launches — not before.
| Subprocessor | Purpose | Status |
|---|---|---|
| Netlify | Website hosting and form submissions | Current |
| Cal.com | Scheduling / call booking | Current |
| Google Workspace | Business email & calendar | Current |
| Amazon Web Services (incl. Bedrock) | Cloud hosting & AI inference | Planned · at launch |
| Anthropic (Claude) | AI model provider · zero data retention for customer content | Planned · at launch |
| DocuSign | E-signature execution | Planned |
| Plaid | Bank / identity verification (financial intake) | Planned |
Information is retained only as long as needed to provide the Service, maintain the audit trail, and meet legal obligations; you may request deletion, subject to records the law requires us to keep. JusticeX operates in the United States. A Data Processing Agreement is available on request.
Both parties receive the same prompts, the same models, and the same depth; a symmetry check runs on each output before it surfaces. A per-matter neutrality summary documents that the process ran evenly — the artifact a skeptical party or professional can review.
This Trust Center describes current and planned controls; the final subprocessor disclosure, DPA, and jurisdiction-specific commitments are pending review and ratification by JusticeX outside counsel before final adoption. See the Privacy Policy, Terms of Service, and Disclaimer.
Request the DPA, subprocessor list, and security documentation for your vendor-risk review.