Security & Trust
Attorneys doing due diligence before putting client data in any cloud tool need clear, factual answers about security controls. This page provides the technical details — not marketing language — about how SettleIQ protects your data.
1. Encryption
Data in transit:
- All connections use TLS 1.2 or higher — there is no unencrypted HTTP access path
- TLS certificates are managed via Cloudflare (automatic renewal, OCSP stapling)
- HSTS headers enforce HTTPS on all subsequent connections after first visit
- Database connections between the application and PostgreSQL use SSL encryption
Data at rest:
- Case documents are stored in Cloudflare R2 object storage with AES-256 encryption at rest
- The PostgreSQL database is hosted on Railway with encrypted storage volumes
- Document embeddings (search vectors) are stored in the same encrypted PostgreSQL instance
2. Organization Isolation
SettleIQ uses a strict multi-tenant architecture. Every law firm's data is isolated at the database level, not just the application level.
- Every database query includes an
organization_idfilter — there are no cross-organization queries in the codebase - Requests that attempt to access another organization's data receive HTTP 403 Forbidden
- Document vector search is scoped to your organization's documents only
- Case membership is verified per-request, not just at login time
- Organization isolation is enforced in automated tests that run on every code change
There is no administrative query or interface that shows one law firm's case content to another. Cross-org access is rejected at the application layer before any database query runs.
3. Authentication & Access Control
- JWT-based authentication — Session tokens use HS256 signed JWTs with a 24-hour expiry
- httpOnly cookies — Tokens are stored in httpOnly cookies, not in localStorage. This means JavaScript running in the page cannot read the token, eliminating the most common XSS token-theft vector.
- Brute-force protection — Accounts are locked after 5 consecutive failed login attempts. Lockout requires admin unlock or password reset.
- Rate limiting — Login endpoint is rate-limited to 5 attempts per minute per IP address, in addition to per-account lockout
- Secure cookie flags — Session cookies are set with
Secure,HttpOnly, andSameSite=Laxflags - Case-level access controls — Each case has owners and members with distinct permission levels. Users can only access cases they have been explicitly added to.
4. AI Provider
SettleIQ uses Google Gemini for all AI processing:
- Chat and analysis — Google Gemini 2.5 Flash (model:
gemini-2.5-flash) - Document search vectors — Google Gemini embedding-001 (3072-dimensional embeddings)
Per Google's API Terms of Service, data submitted via API calls is not used to train or improve Google's AI models. Google processes SettleIQ data as a data processor under their Data Processing Agreement.
SettleIQ does not use OpenAI, Anthropic, or any other AI provider. All AI processing goes through Google Gemini exclusively.
5. HIPAA & Compliance Posture
Law firms are not HIPAA covered entities. Personal injury practices handle medical records under attorney work product privilege and state bar rules, not HIPAA. SettleIQ is a tool for attorneys, not a covered entity or business associate under 45 CFR Part 164.
Medical bills, treatment records, and other health information you upload to SettleIQ are handled securely under attorney work product privilege. We apply strong technical and administrative safeguards aligned with ABA Rule 1.6 ethical requirements.
We maintain security controls consistent with industry best practices for legal software: encryption at rest and in transit, org-level data isolation, access logging, and a 90-day auto-archive policy for closed cases.
6. Data Retention & Deletion
- Active cases — Accessible during your active subscription
- Closed cases — Automatically archived 90 days after you mark a case closed
- Archived cases — Locked from broad access and placed into our manual deletion queue until our Phase 2 automated S3 cloud shredder process is deployed
- On-demand deletion — You can request deletion of any data at any time by contacting privacy@settle-iq.com. We will complete manual hard deletion within 30 days.
- Post-termination — Data remains available for export for 30 days after account termination, then is permanently deleted
7. Incident Response
In the event of a security incident affecting your organization's data:
- We will notify affected organizations within 72 hours of discovering a confirmed breach
- Notification will include: what data was affected, when the incident occurred, what we are doing to address it, and recommended actions for you
- We maintain incident response procedures and test them periodically
- To report a suspected security issue: security@settle-iq.com
8. Audit Logging
SettleIQ maintains logs of significant user actions for security and compliance purposes:
- Login events (successful and failed), with timestamp and IP address
- Document uploads and downloads
- Case creation, state changes (open, active, closed, archived)
- Case member changes (invitations, role updates, removals)
- Admin actions (organization creation, user provisioning)
Audit logs are retained for compliance review and are not deleted by the 90-day case shredder. Logs contain user identity (user ID, email), action type, affected resource, and timestamp. Log contents are not accessible to end users through the UI but are available to your organization upon request for compliance purposes.
9. Infrastructure
- Hosting — Railway (US-based infrastructure)
- Document storage — Cloudflare R2 (S3-compatible, data stored in US)
- Database — PostgreSQL + pgvector on Railway
- Container — Docker, running as non-root user (
settleiq) - Dependency scanning — Automated weekly CVE scanning via GitHub Actions (pip-audit, npm audit, Trivy)
- Security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options on all responses
Questions about security controls or to request a security review: security@settle-iq.com