What we do with your data, and what we don't.

Scope sits between AI workflows and credentialed vendor work. The data that flows through us includes case captions, claimant identifiers, deposition notices, and pricing data - the kind of data your firm's GC and your carrier's privacy office will both ask hard questions about. This page states what is in place today. Evidence is available on request.

Compliance posture

Where we are today.

SOC 2 Type I
In preparation
Point-in-time controls audit

Security controls are in place today (detailed below). The formal audit engagement is being finalized. Report available under NDA on request once issued.

SOC 2 Type II
Follows Type I
After Type I issuance

Type II adds an operating-evidence period after the Type I report issues. Scoped after Type I lands.

HIPAA
Claims vertical (preview)
BAA framework at GA

HIPAA-ready controls for the claims vertical, which is in preview. A Business Associate Agreement framework is in place for claims engagements at general availability. The legal vertical does not routinely process PHI; encryption and access-logging controls apply across both.

Privacy (GDPR / state laws)
Active
DPA available

Data Processing Agreement available on request. Aligned with CCPA, CPRA, and equivalent state privacy laws. US-only data residency by default.

HITRUST CSF and ISO 27001 are evaluated as buyer demand requires; neither is currently in progress. Payment processing runs on Stripe Connect (PCI DSS Level 1); additional financial-services certifications will be pursued as the product surface requires them.

Insurance

Coverage in place.

Scope carries cyber liability, technology errors and omissions, and general liability coverage. Certificates of Insurance with full limits are available to any prospective buyer or vendor on request via info@scope.bid. We name additional insureds on request for enterprise engagements.

Cyber liability

First- and third-party cyber. Covers data breach, ransomware, business interruption, and regulatory defense.

Tech E&O

Technology errors and omissions, including media liability. Covers professional-services failures and platform-mediated losses.

General liability

Standard commercial general liability for business operations. Additional insureds named on request.

Encryption + data handling

What gets encrypted, where, by whom.

  • ·Encryption in transit: All public traffic is TLS 1.2+ (TLS 1.3 preferred), terminated at the edge. Connections to subprocessors use TLS via their official SDKs.
  • ·Encryption at rest: AES-256 on the database (Supabase managed PostgreSQL, platform default). Sensitive columns, such as stored OAuth refresh tokens, are additionally encrypted at the application layer with AES-256-GCM.
  • ·File storage: Uploads and transcripts are stored in Supabase Storage (AES-256 at rest, platform default) and served through short-lived signed URLs. Tenant isolation on files is enforced by row-level security, not by separate per-tenant keys.
  • ·Authentication: Supabase Auth with JWT-based session tokens. Bearer API tokens for MCP access (OAuth 2.0 access tokens and personal access tokens) are stored as SHA-256 hashes, never plaintext, are revocable, and are bound to a single tenant. Single sign-on via SAML 2.0 and OIDC is available; multi-factor authentication is enforced through your identity provider when SSO is configured.
  • ·Row-level security:Every tenant-scoped table in our PostgreSQL schema has RLS policies enforced at the database layer. A vendor cannot read another vendor's pricing data; firm-side roster, spend, and matter data are scoped per organization. The protection is structural, not application-layer. (Shared catalog tables, such as service categories, are public-read by design.)
  • ·Audit logging: Every state-changing action is written to an append-only audit log with actor, timestamp, IP address, user agent, resource, and before/after state. Per-matter audit records are exportable as CSV and PDF on request.
  • ·Data residency: US-only by default. Hosting runs on Vercel and Supabase in US regions.
  • ·Data minimization: The MCP server passes only the fields required for a dispatch decision (category, jurisdiction, scope, budget). It does not pass case-strategy memos, work-product, or full claimant medical files. Sensitive uploads stay in your CMS or claims system; Scope routes the request, not the underlying file.
Subprocessors

Who else touches your data.

We use a small number of trusted infrastructure providers. Each runs their own SOC 2 / ISO 27001 audited program. We commit to 30 days' notice before adding any new subprocessor with access to customer data.

SubprocessorPurposeData classAudits
VercelApplication hosting, edge runtimeOperational data, no customer data persistedSOC 2 Type II, ISO 27001
SupabasePostgreSQL database, authentication, file storageAll customer data: matters, bids, reviews, vendor profiles, COIsSOC 2 Type II, HIPAA-eligible
ResendTransactional email deliveryEmail addresses, email content (notification subjects/bodies)SOC 2 Type II
Stripe (Connect)Payment rail - direct-charge invoicing on the vendor's connected account. The vendor is merchant of record; the firm pays the vendor directly; Scope receives an application fee. Onboarded vendors only.Payment instruments, billing addresses, application-fee calculations, reconciliation metadataPCI DSS Level 1, SOC 1 + 2
Anthropic / OpenAI / MicrosoftOptional AI workflow clients (controlled by buyer)Whatever the buyer's AI client sends; we receive only the MCP tool callsEach runs their own SOC 2 / ISO 27001 program
GitHub (Microsoft)Source code repository, MCP server distributionNo customer data; only public + private source codeSOC 2 Type II
Per-vertical considerations

Different verticals, different sensitivities.

Legal services
Data we touch

Case captions, witness names, deposition scope, records subject identifiers, sometimes SSN / DOB on subpoenaed records, work-product-privileged matter detail.

Posture

Attorney-client and work-product privilege respected. RLS prevents cross-firm visibility. SOC 2 Type I in progress, plus cyber and tech E&O coverage.

Extras

Sensitive uploads stay in your DMS - Scope routes, doesn't store. Governance is queryable: scope_vendor_health and scope_credential_alerts surface COI / W-9 / insurance expiry across your roster; scope_roster_audit returns the append-only event chain per matter for compliance review.

Insurance claims (preview)
Data we touch

Claimant PHI (medical records, IME reports), PII (SSN, DOB), surveillance subject identifiers, claim file numbers.

Posture

HIPAA-ready controls and encryption at rest and in transit. NAIC Model Cybersecurity Law alignment. Claims vertical is in preview.

Extras

Segregated data namespaces and per-matter audit records available to a carrier's privacy office on request. Governance is queryable: scope_vendor_health and scope_credential_alerts include BAA status per vendor; scope_roster_audit returns the append-only event chain per claim file.

Reporting a vulnerability

See something? Send something.

We take security reports seriously and aim to acknowledge within 48 hours.

Security disclosures
security@scope.bid
PGP key on request. Acknowledgment within 48 hours.
Trust + compliance
info@scope.bid
For BAAs, DPAs, MSAs, COI requests, and security questionnaires. Standard SIG / CAIQ supported.
Founding class

Founding firms get the security commitment in writing.

The MSA states our SOC 2 Type I target and gives you the audit evidence under NDA as it lands. We don't hide behind "coming soon."

What gets logged

Every state change on every matter writes a row.

scope_activity is the append-only event log. Available on request for audit. PII redacted in the sample below.

$ audit-log query: matter SC-2143