How we protect your case content
A plain-English summary of the controls and commitments that protect every intake, every document, and every AI score on KaseScore. Each item below is backed by a corresponding section of our Privacy Policy.
Per-firm isolation
Every intake, document, and AI score is scoped to the subscribing firm at the database layer through row-level access controls. A user authenticated as a member of one firm cannot read, list, or modify any other firm's data — enforced by the database itself, not just by application code.
Encryption everywhere
All traffic is encrypted in transit with TLS 1.2 or later. Intake records, attached documents, and account data are encrypted at rest by our SOC 2 Type 2-certified storage provider. Stripe handles all payment card data under PCI DSS Level 1; we never store raw card numbers.
The AI reads what you write
The AI scoring pipeline analyzes only the structured intake fields and the free-text case description. Files attached to an intake — PDFs, images, scans — are stored encrypted but are never transmitted to the AI sub-processor. They are accessible only to authorized members of the subscribing firm via the dashboard.
Never trained on. Never sold.
We do not sell, rent, or share intake content with any third party for any purpose. We do not use intake content to train, fine-tune, evaluate, or improve any AI model — ours or third-party. We do not generate cross-firm benchmarks, product analytics, or comparative case statistics from your data.
Staff don't read your case content
Our personnel do not access individual intake content as part of normal operations. Privileged-credential access is restricted to a small number of authorized personnel and used only for legitimate reasons — security incidents, subscriber-requested debugging, or valid legal process. We do not read your case content for analytics, marketing, or customer-success outreach.
Sub-processor diligence
A small set of named sub-processors deliver core functionality. We engage them under data processing terms that prohibit secondary use of your data. The current list — and the data each one handles — is published at /subprocessors.
For most firms, HIPAA doesn't apply directly
KaseScore is not a HIPAA-covered entity. For most law firms — personal injury, employment, immigration, family, criminal — HIPAA does not apply directly to client communications, which are protected by attorney-client privilege and applicable state confidentiality rules.
Firms that represent healthcare providers or otherwise act as a HIPAA business associate can request a Business Associate Agreement before uploading any Protected Health Information. Contact support@kasescore.com.
What we don't claim — yet
We hold ourselves to plain-English honesty about our security posture. The items below are not in place today; we list them so you know what we do and don't offer.
- SOC 2 / ISO 27001 audit reports. Not yet. Our infrastructure providers are certified; we are not independently audited.
- Client-side encryption. Documents are encrypted at rest by the storage provider, not under a key controlled by your firm. We aim to add customer-managed keys for Scale customers in the future.
- HIPAA compliance certification. We are not a HIPAA-compliant platform by default. BAAs are available on request for firms that need to handle PHI.
Report a vulnerability
If you believe you've found a security issue, please email support@kasescore.com with details and a proof-of-concept where possible. We respond within two business days and do not pursue legal action against researchers acting in good faith.