The case file is
the evidence.

Built for evidence that has to stand up later.

The product treats the case file as evidence, not as a draft document. Once an action is recorded, it stays recorded — and you can prove it.

• Hash-verified evidence — every file is fingerprinted with SHA-256 on upload and re-checked on download; mismatches fail closed and alert the team
• Append-only chain-of-custody log on every read, write, export, and access change — enforced in the database itself: UPDATE and DELETE on the log tables are privilege-revoked and trigger-blocked, not just absent from application code
• Tamper-evident activity log — every entry is cryptographically hash-chained to the one before it, and a daily verification job re-checks the full chain against write-once off-site anchors, so any edit, deletion, or wholesale rewrite surfaces within 24 hours
• Viewing or exporting the audit log is itself an audited event — the trail records its own readers
• Same chain-of-custody guarantees on intake and lead attachments — not just promoted evidence
• Legal hold issued in-product freezes attached evidence; release requires explicit action by a privileged user
• Background hash-sampling re-verifies stored evidence on a rolling basis and flags drift on the next run
• Audit log export to PDF or CSV — court-ready, with the action type registry of 100+ tracked operations

Tight access by default. Loose access by exception.

Investigation work runs on need-to-know. CaseAgent applies access primitives at the case level, not just the workspace.

• Role-based access at the workspace level (admin, investigator, executive, legal) plus Enterprise-only custom roles drawn from a 50+ permission registry
• Per-case access policies — case access is a separate gate from workspace membership; non-admins only see cases they own, created, or are assigned to
• Multi-factor authentication via TOTP authenticator app or passkey; required for every user at public launch
• New-device sign-in alerts — unknown user-agent fingerprints generate an email notice before access is granted
• Break-glass access for emergencies — scoped, time-limited, gated on executive approval and written to the audit log on every use
• Single-use, time-limited invitation tokens for new accounts, issued through Clerk and scoped to a fixed trial window

Encrypted in transit. Encrypted at rest. Auditable everywhere.

Customer data moves and rests under standard encryption. Tenant separation is enforced at the application layer with explicit organization scoping on every database query.

• TLS 1.2+ for all data in transit; HSTS sent with a two-year max-age, includeSubDomains, and preload
• Encryption at rest provided by managed Postgres and managed object storage; customer-managed keys (BYOK) available on Enterprise via AWS KMS or GCP KMS, every decrypt logged
• Per-organization data isolation enforced through scoped queries on every read and write
• Strict Content-Security-Policy with frame-ancestors 'none', X-Frame-Options DENY, and X-Content-Type-Options nosniff on every endpoint
• Anti-malware controls on uploads — extension blocklist plus server-side magic-byte verification rejects executables even if renamed; filenames sanitized for path-traversal and control characters
• CSV exports escape leading =, +, -, @ so spreadsheet formula injection cannot execute on the receiving end

An honest read of where we are.

Compliance work is on a clear path. Until the audits are signed, here's what we have today, what's available on request, and what's on the roadmap — without pretending to hold a badge we don't.

• Today, live in product: SHA-256 chain of custody on evidence, intake, and lead attachments; tamper-evident hash-chained audit log (database-enforced append-only, daily integrity verification) with PDF/CSV export; per-case access policies; encryption in transit and at rest; SCIM 2.0 user and group provisioning with Okta and Microsoft Entra ID (Enterprise); custom roles mapped to IdP groups (Enterprise); customer-managed encryption keys via AWS or GCP KMS (Enterprise); outbound signed webhooks with HMAC-SHA-256 (Enterprise); per-case retention overrides (Enterprise); PII redaction at intake; full-org data export to ZIP for subject-access requests
• Available on request: data processing agreement (DPA); sub-processor list; vendor security questionnaires answered inside one business day
• On the roadmap: SOC 2 Type II, data residency options, additional webhook event types beyond the current intake and retention coverage
• Pre-production code-level security audit completed in April 2026; findings remediated and tracked internally

Boring, modern, well-segmented.

We run on managed infrastructure rather than rolling our own — we'd rather spend our time on investigation features than reinvent the operations stack.

• Production runs on managed compute and storage; we don't operate our own data centers
• Production secrets stored in a managed secret store, never in code or version control
• Application changes deploy through a peer-reviewed pull-request process with required CI checks
• Off-site encrypted backups to Backblaze B2 with Object Lock (WORM) — production data is replicated nightly to immutable storage that even we cannot overwrite
• Quarterly restore drills against the off-site backups so the recovery path is exercised, not theoretical
• Rate limiting on sensitive endpoints — evidence downloads capped at 100 files per 60 minutes per user, plus per-route limits on search, export, upload, and AI

If something goes wrong, you'll hear from us.

We're a small team and we're honest about it. We don't claim a 24×7 SOC. We do have a working incident process and a clear notification commitment.

• Documented incident response process; on-call coverage during business hours and best-effort outside them
• Customer notification of confirmed data incidents affecting your workspace, with what we know, what we are doing, and what changed
• Audit log captures suspicious access patterns; integrity-mismatch events on evidence files and audit-log chain-verification failures alert the team automatically
• Continuous improvement of internal review process — pre-production audit completed April 2026; future audits planned alongside SOC 2 work