Security & Trust
How we protect your data and what we don't do with it.
Our principles
Law firms handle sensitive client information. We built MatterReady with that responsibility in mind.
Conservative by default
We collect only what's needed for intake qualification. We don't store credentials, financial account numbers, or sensitive data beyond what serves the intake process.
Attorneys stay in control
MatterReady surfaces information and signals. It does not make decisions for your firm. Every conflict flag requires attorney review. Every matter requires attorney approval before proceeding.
No legal advice, ever
MatterReady does not provide legal advice. Qualification scores indicate completeness, not case merit. Conflict signals are flags for review, not determinations. Legal judgment remains with your attorneys.
Your data is yours
We don't sell data. We don't use your client information for purposes beyond providing the MatterReady service. Your data is never used to train AI models. You can export everything at any time. If you leave, you take your data with you.
Security controls
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database connections require SSL. API traffic is HTTPS-only.
Infrastructure
Hosted on Vercel's edge network with automatic failover. Database hosted on Neon with point-in-time recovery. All infrastructure is US-based.
Access controls
Role-based permissions limit data access by function. All administrative actions are logged in an audit trail. Two-factor authentication is available for all accounts.
Authentication
Staff and attorneys authenticate via Google or Microsoft SSO by default. No shared passwords. Session tokens are short-lived and scoped to a single tenant.
Tenant isolation
Every firm is a separate tenant. Data is isolated at the database level. There is no cross-tenant data sharing. Each firm's data is accessible only to their authorized users.
Integration security
Clio and Microsoft 365 connections use OAuth — we never see your passwords. API tokens are encrypted at rest and revocable at any time from your settings. A current list of MatterReady subprocessors is available at /subprocessors.
AI integration security
MatterReady includes AI-powered features — chatbot intake, qualification scoring, billing intelligence, and an AI assistant — all built with the same conservative approach we apply to the rest of the platform.
No training on your data
MatterReady does not use your data to train AI models. Our AI provider (OpenAI) is contractually prohibited from using API data for model training. Data sent to AI providers is used solely to generate responses for the specific request.
Permission-scoped access
AI features only access data the requesting user is already authorized to view. The chatbot sees only public-facing intake configuration. The assistant queries only data permitted by the user's role. AI never creates new access pathways.
MCP API key controls
External AI connections via Model Context Protocol use separate API keys that you can revoke instantly. Keys are hashed — we never store them in plaintext. Every request is logged in the audit trail.
Human review required
All AI outputs — qualification scores, billing anomaly flags, assistant responses — are informational and require attorney review. AI does not make autonomous decisions or take actions without human approval.
For our full AI commitments, see our AI Principles page.
Data retention & portability
Automated daily snapshots
MatterReady creates encrypted snapshots of your firm's data daily. Snapshots are retained according to your plan's retention policy. No configuration required.
Self-service restore
Firm administrators can restore from any available snapshot directly from admin settings. No support ticket needed.
Full data exports
Export all your firm's data at any time — leads, intakes, documents, and settings. Exports are encrypted and can be used to migrate to another system or for your own records.
Compliance & privacy
- CCPA compliant — California Consumer Privacy Act
- GDPR data subject rights supported
- Data processing agreements available on request
- Data retained only as long as needed for service delivery
- Right to deletion honored within 30 days of request
- No cross-tenant data sharing — your data stays yours
For detailed information, see our Privacy Policy and Terms of Service.
Security FAQ
Where is my data stored?
All data is stored in US-based infrastructure. The application runs on Vercel's edge network. The database is hosted on Neon (PostgreSQL) with automated backups and point-in-time recovery.
Does MatterReady store my Clio password?
No. Clio integration uses OAuth authorization. You grant access through Clio's own authorization flow. MatterReady never sees or stores your Clio login credentials. You can revoke access at any time from either MatterReady or Clio.
Who can access my firm's data?
Only users you authorize. Each firm is an isolated tenant with role-based access controls. Staff see what their role permits. MatterReady support does not access your data without explicit permission.
What happens to my data if I cancel?
You can export all your data before canceling. After cancellation, data is retained for 90 days for retrieval, then permanently deleted. You can request immediate deletion if preferred.
Is client intake data shared with AI models?
MatterReady uses AI APIs to power features like chatbot intake, qualification scoring, and the AI assistant. Data is used solely to generate responses for the specific request. Our AI providers are contractually prohibited from using API data to train their models. Data is handled according to provider API data processing terms. Client PII is not sent to AI providers for features like qualification scoring, which operate on structured metadata (practice area, completeness indicators) rather than raw client details. For full details, see our AI Principles.
Does MatterReady make legal decisions?
No. Conflict signals are flags for attorney review, not legal determinations. Qualification scores indicate data completeness, not case merit or viability. Every decision that matters is made by your attorneys.
How are documents handled?
Documents uploaded during intake are encrypted at rest and in transit. Access is limited to authorized users within your firm. Documents sync to Clio when matters are pushed, and can be exported at any time.
Can I get a data processing agreement (DPA)?
Yes. We provide DPAs on request for firms that need them. Contact hello@matterready.io and we'll send one over.
Is MatterReady SOC 2 certified?
We are working toward SOC 2 Type II certification. Our infrastructure providers (Vercel, Neon) maintain their own SOC 2 certifications. We follow SOC 2-aligned practices for access control, encryption, and audit logging.
How do I report a security concern?
Email security@matterready.io. We take security reports seriously and will respond within one business day.
Questions?
If you have security or compliance questions that aren't answered here, reach out. We're happy to discuss our practices in detail.