Casefold

How we protect your data

Casefold holds sensitive family information. We built security into every layer, not as an afterthought, but as a foundation. Here’s specifically what we do.

Infrastructure

Casefold runs on trusted, enterprise-grade infrastructure. Your data is hosted in the United States.

Application hosted on Vercel, database and file storage on Supabase, both built on AWS infrastructure. Infrastructure providers maintain SOC 2 certification.

Authentication & Access Control

No passwords to remember or steal. You sign in with a secure link sent to your email. Parents and attorneys have separate roles with appropriate permissions. When you share a case with your attorney, the invitation can only be accepted once — previous invitations are automatically revoked when a new one is sent.

Supabase Auth with magic link (OTP). httpOnly, Secure, SameSite=Lax cookies (baseline CSRF protection). Role-based access control enforced in middleware.

Data Isolation

Every query is scoped to your case. Attorneys only see cases explicitly shared with them. Casefold does not provide employees with an interface to browse case data.

Row-level security (RLS) policies on every database table, enforced at the Postgres layer. Service role access restricted to server-side background processes.

Encryption

Your data is encrypted when it travels between your device and our servers, and when it’s stored.

TLS 1.2+ for data in transit. AES-256 encryption at rest via cloud infrastructure provider.

File Storage

Your documents are stored in isolated, user-scoped folders. When you or your attorney downloads a file, the link expires after one hour. We validate file type and size on every upload.

Supabase Storage with per-user folder-based access policies. Signed URLs with 1-hour TTL. Allowed types: PDF, JPEG, PNG, HEIC/HEIF. Up to 100 MB per file depending on plan.

AI Processing

When Casefold analyzes your documents to surface claims, the contents are sent to Google’s AI for processing. Your documents are not used to train AI models and are not stored by the AI provider after processing.

Casefold’s AI reads and organizes. It does not act. It never makes decisions, takes autonomous steps, or does anything on your behalf. You upload, you review, you decide what matters. This is by design.

Google Gemini API. Single-pass extraction pipeline with no autonomous agents, no tool use, no looping. Document contents processed per-request, not retained. Subject to Google’s API data usage policy (API inputs are not used for model training).

Third-Party Providers

We work with a small number of trusted providers. Here’s who has access to what:

Provider | Role | What they access
--- | --- | ---
Supabase | Database & file storage | Case data, uploaded documents
Google Gemini | AI document analysis | Document contents (not retained after processing)
Vercel | Application hosting | Request logs only
Stripe | Payment processing | Billing information only
PostHog | Product analytics | Usage patterns only, no case content

Backups

Your data is backed up daily. If something goes wrong on our end, we can restore it.

Automated daily database backups via Supabase. File storage with cloud-provider redundancy.

Rate Limiting

We limit how quickly requests can be made to prevent abuse and protect the service for everyone.

Per-route rate limiting via Upstash Redis. Stricter limits on sensitive operations (uploads, exports, sharing). 429 responses with Retry-After header.

Payments

Billing is handled entirely by Stripe. Casefold never sees or stores your credit card number.

Stripe-hosted checkout. Webhook events verified via HMAC-SHA256 signature.
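
For readers who want to see what HMAC-SHA256 webhook verification involves, here is an added example; it is not Casefold's code. It assumes Stripe's documented `Stripe-Signature` header format (`t=<unix time>,v1=<hex HMAC>` computed over `<t>.<raw body>`) and a 5-minute replay window; the function names, secret, and event body are hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300; // assumed replay window (5 minutes)

// Parse "t=...,v1=...,v0=..." into the timestamp and every well-formed v1 signature.
function parseSignatureHeader(header) {
  const out = { timestamp: null, v1: [] };
  for (const part of String(header || '').split(',')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === 't' && /^\d+$/.test(value)) out.timestamp = value;
    if (key === 'v1' && /^[0-9a-f]{64}$/i.test(value)) out.v1.push(value);
  }
  return out;
}

// HMAC-SHA256 over "<timestamp>.<raw body>", returned as a 32-byte Buffer.
function expectedSignature(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.`).update(rawBody).digest();
}

// rawBody must be the exact bytes received, before any JSON parsing or re-serialization.
function verifyWebhook(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { timestamp, v1 } = parseSignatureHeader(header);
  if (timestamp === null || v1.length === 0) return { ok: false, reason: 'malformed-header' };
  const expected = expectedSignature(secret, timestamp, rawBody);
  // Constant-time comparison; the regex above guarantees equal buffer lengths.
  const match = v1.some((hex) => crypto.timingSafeEqual(Buffer.from(hex, 'hex'), expected));
  if (!match) return { ok: false, reason: 'bad-signature' };
  // The timestamp is covered by the MAC, so an old event cannot be re-dated and replayed.
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  return { ok: true };
}

// Constructed sample values (not real secrets or events).
const SAMPLE_SECRET = 'whsec_constructed_example_secret';
const SAMPLE_BODY = Buffer.from('{"id":"evt_constructed","type":"checkout.session.completed"}');

// Helper that signs the sample the way the sender would, for local testing only.
function signSample(body, timestamp, secret = SAMPLE_SECRET) {
  return `t=${timestamp},v1=${expectedSignature(secret, timestamp, body).toString('hex')}`;
}
```

The handler has to see the unparsed request body: verifying a re-serialized JSON object fails whenever key order or whitespace differs from what was signed.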

Data Deletion

When you delete your account, your case data, documents, and uploaded files are permanently removed. We retain only your email address and a record that the account existed, to prevent abuse of free-tier document credits. This minimal metadata contains no case content.

Responsible Disclosure

If you discover a security concern, please let us know at support@casefold.app. We appreciate responsible disclosure.

Questions

Have a question about how we protect your data? Contact us at support@casefold.app.