What we do with your data, and what we don't.
Scope sits between AI workflows and credentialed vendor work. The data that flows through us includes case captions, claimant identifiers, deposition notices, and pricing data - the kind of data your firm's GC and your carrier's privacy office will both ask hard questions about. This page states what is in place today. Evidence is available on request.
Where we are today.
Security controls are in place today (detailed below). The formal audit engagement is being finalized. Report available under NDA on request once issued.
Type II adds an operating-evidence period after the Type I report issues. Scoped after Type I lands.
HIPAA-ready controls for the claims vertical, which is in preview. A Business Associate Agreement framework is in place for claims engagements at general availability. The legal vertical does not routinely process PHI; encryption and access-logging controls apply across both.
Data Processing Agreement available on request. Aligned with CCPA, CPRA, and equivalent state privacy laws. US-only data residency by default.
HITRUST CSF and ISO 27001 are evaluated as buyer demand requires; neither is currently in progress. Payment processing runs on Stripe Connect (PCI DSS Level 1); additional financial-services certifications will be pursued as the product surface requires them.
Coverage in place.
Scope carries cyber liability, technology errors and omissions, and general liability coverage. Certificates of Insurance with full limits are available to any prospective buyer or vendor on request via info@scope.bid. We name additional insureds on request for enterprise engagements.
First- and third-party cyber. Covers data breach, ransomware, business interruption, and regulatory defense.
Technology errors and omissions, including media liability. Covers professional-services failures and platform-mediated losses.
Standard commercial general liability for business operations. Additional insureds named on request.
What gets encrypted, where, by whom.
- ·Encryption in transit: All public traffic is TLS 1.2+ (TLS 1.3 preferred), terminated at the edge. Connections to subprocessors use TLS via their official SDKs.
- ·Encryption at rest: AES-256 on the database (Supabase managed PostgreSQL, platform default). Sensitive columns, such as stored OAuth refresh tokens, are additionally encrypted at the application layer with AES-256-GCM.
- ·File storage: Uploads and transcripts are stored in Supabase Storage (AES-256 at rest, platform default) and served through short-lived signed URLs. Tenant isolation on files is enforced by row-level security, not by separate per-tenant keys.
- ·Authentication: Supabase Auth with JWT-based session tokens. Bearer API tokens for MCP access (OAuth 2.0 access tokens and personal access tokens) are stored as SHA-256 hashes, never plaintext, are revocable, and are bound to a single tenant. Single sign-on via SAML 2.0 and OIDC is available; multi-factor authentication is enforced through your identity provider when SSO is configured.
- ·Row-level security:Every tenant-scoped table in our PostgreSQL schema has RLS policies enforced at the database layer. A vendor cannot read another vendor's pricing data; firm-side roster, spend, and matter data are scoped per organization. The protection is structural, not application-layer. (Shared catalog tables, such as service categories, are public-read by design.)
- ·Audit logging: Every state-changing action is written to an append-only audit log with actor, timestamp, IP address, user agent, resource, and before/after state. Per-matter audit records are exportable as CSV and PDF on request.
- ·Data residency: US-only by default. Hosting runs on Vercel and Supabase in US regions.
- ·Data minimization: The MCP server passes only the fields required for a dispatch decision (category, jurisdiction, scope, budget). It does not pass case-strategy memos, work-product, or full claimant medical files. Sensitive uploads stay in your CMS or claims system; Scope routes the request, not the underlying file.
Who else touches your data.
We use a small number of trusted infrastructure providers. Each runs their own SOC 2 / ISO 27001 audited program. We commit to 30 days' notice before adding any new subprocessor with access to customer data.
| Subprocessor | Purpose | Data class | Audits |
|---|---|---|---|
| Vercel | Application hosting, edge runtime | Operational data, no customer data persisted | SOC 2 Type II, ISO 27001 |
| Supabase | PostgreSQL database, authentication, file storage | All customer data: matters, bids, reviews, vendor profiles, COIs | SOC 2 Type II, HIPAA-eligible |
| Resend | Transactional email delivery | Email addresses, email content (notification subjects/bodies) | SOC 2 Type II |
| Stripe (Connect) | Payment rail - direct-charge invoicing on the vendor's connected account. The vendor is merchant of record; the firm pays the vendor directly; Scope receives an application fee. Onboarded vendors only. | Payment instruments, billing addresses, application-fee calculations, reconciliation metadata | PCI DSS Level 1, SOC 1 + 2 |
| Anthropic / OpenAI / Microsoft | Optional AI workflow clients (controlled by buyer) | Whatever the buyer's AI client sends; we receive only the MCP tool calls | Each runs their own SOC 2 / ISO 27001 program |
| GitHub (Microsoft) | Source code repository, MCP server distribution | No customer data; only public + private source code | SOC 2 Type II |
Different verticals, different sensitivities.
Case captions, witness names, deposition scope, records subject identifiers, sometimes SSN / DOB on subpoenaed records, work-product-privileged matter detail.
Attorney-client and work-product privilege respected. RLS prevents cross-firm visibility. SOC 2 Type I in progress, plus cyber and tech E&O coverage.
Sensitive uploads stay in your DMS - Scope routes, doesn't store. Governance is queryable: scope_vendor_health and scope_credential_alerts surface COI / W-9 / insurance expiry across your roster; scope_roster_audit returns the append-only event chain per matter for compliance review.
Claimant PHI (medical records, IME reports), PII (SSN, DOB), surveillance subject identifiers, claim file numbers.
HIPAA-ready controls and encryption at rest and in transit. NAIC Model Cybersecurity Law alignment. Claims vertical is in preview.
Segregated data namespaces and per-matter audit records available to a carrier's privacy office on request. Governance is queryable: scope_vendor_health and scope_credential_alerts include BAA status per vendor; scope_roster_audit returns the append-only event chain per claim file.
See something? Send something.
We take security reports seriously and aim to acknowledge within 48 hours.
Founding firms get the security commitment in writing.
The MSA states our SOC 2 Type I target and gives you the audit evidence under NDA as it lands. We don't hide behind "coming soon."
Every state change on every matter writes a row.
scope_activity is the append-only event log. Available on request for audit. PII redacted in the sample below.