Case Compass is built on enterprise-grade cloud infrastructure with strict access controls, encrypted data handling, and a privacy-first AI architecture — purpose-built for law firms that can't afford to compromise on security.
Built entirely on Amazon Web Services — the same infrastructure trusted by the world's largest financial and healthcare institutions.
Client data and legal intake information are protected at every layer — from the moment they are submitted to long-term storage.
All databases and file storage are encrypted at rest using AES-256 via AWS-managed keys. This applies to client intake data, case records, documents, and all platform data.
All data transmitted between clients, the platform, and third-party services is protected by TLS 1.2 or higher. HTTPS is enforced across all endpoints.
Each law firm operates in a fully isolated database environment. Tenant data is never commingled. Subdomain-based routing provides an additional logical isolation layer.
AWS RDS automated backups are enabled with point-in-time recovery. Production data is backed up daily with a defined retention window and tested restore procedures.
Uploaded documents (intake forms, signed retainers, evidence) are stored in private S3 buckets. Files are accessed only via short-lived presigned URLs — never publicly accessible.
All production data is stored and processed in AWS us-east-2 (Ohio, United States). We do not transfer data outside the United States without your explicit knowledge.
Most AI tools route your data through shared infrastructure. We don't. Case Compass is built on a Bring Your Own Key architecture.
Your API Key. Your Data. Zero Sharing.
Waypoint AI scoring uses your firm's own API credentials for all requests. Your intake data travels directly between your account and the AI provider — it never passes through a shared Case Compass AI pool, is never used for model training, and is never accessible to other firms. You control the key; you control the data.
Your intake data is never combined with data from other Case Compass customers. Each AI request is isolated to your account's credentials.
Case Compass does not use your firm's data — leads, intakes, case details, or anything else — to train, fine-tune, or improve AI models. Ever.
Since the AI key is yours, you can audit usage directly with the AI provider, see exactly what was sent, and revoke access independently of Case Compass at any time.
The criteria your firm builds in Waypoint represent years of institutional knowledge. BYOK ensures that expertise can't inadvertently be shared with or exposed to other firms.
Access to your firm's data is tightly controlled at every level — from login to API request.
Security controls are enforced at the application layer, not just the infrastructure level.
Global rate limiting is enforced at 1,000 requests per 15 minutes per IP. Authentication endpoints are further restricted to 10 requests per 15 minutes to prevent brute-force attacks.
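As an added illustration of the two-tier policy described above (not Case Compass's own code, which this page does not publish), the following self-contained fixed-window limiter keys counters by client IP and applies the stricter tier to authentication endpoints; the auth endpoint paths are assumed.

```javascript
// Added illustration, not Case Compass code: a two-tier fixed-window rate limiter
// matching the policy stated above, 1,000 requests / 15 min per IP globally and
// 10 requests / 15 min per IP on authentication endpoints.
const WINDOW_MS = 15 * 60 * 1000;
const GLOBAL_LIMIT = 1000;
const AUTH_LIMIT = 10;
const AUTH_PATHS = ['/login', '/password-reset']; // assumed auth endpoints

// Returns a check(ip, now) function backed by a per-IP fixed window.
function makeWindowCounter(limit) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return function check(ip, now) {
    let b = buckets.get(ip);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + WINDOW_MS }; // start a fresh window
      buckets.set(ip, b);
    }
    b.count += 1;
    const retryAfterSec = Math.ceil((b.resetAt - now) / 1000);
    return { allowed: b.count <= limit, remaining: Math.max(0, limit - b.count), retryAfterSec };
  };
}

const globalCheck = makeWindowCounter(GLOBAL_LIMIT);
const authCheck = makeWindowCounter(AUTH_LIMIT);

// Decide whether a request may proceed. Auth endpoints must pass both tiers;
// a 429 carries Retry-After so well-behaved clients back off instead of retrying.
function rateLimit(ip, path, now = Date.now()) {
  const g = globalCheck(ip, now);
  if (!g.allowed) return { status: 429, retryAfterSec: g.retryAfterSec };
  if (AUTH_PATHS.includes(path)) {
    const a = authCheck(ip, now);
    if (!a.allowed) return { status: 429, retryAfterSec: a.retryAfterSec };
  }
  return { status: 200 };
}
```

The in-memory counters are per process; behind a load balancer with several ECS tasks, the counters would need a shared store so that one client cannot multiply its allowance by the number of containers.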
All API inputs are validated and sanitized before processing. Prisma ORM provides query parameterization, preventing SQL injection attacks at the database layer.
Internal error details are never exposed to clients. Sentry captures full error context server-side while returning only safe, generic messages to end users.
Development, staging, and production environments are fully isolated with separate databases, queues, and credentials. Production secrets are never used in non-production environments.
All services run in AWS ECS containers with defined task definitions. Deployments are automated via CodeDeploy — eliminating manual server access as an attack vector.
Key system events are logged and monitored via Sentry and AWS CloudWatch. Anomaly detection and alerting help identify and respond to potential security incidents.
We work only with established, enterprise-grade vendors. All sub-processors are bound by data processing agreements and confidentiality obligations.
We do not sell your data.
Case Compass does not sell, rent, or share your firm's data or your clients' information with any third party for marketing, advertising, or any purpose beyond operating the platform. See our Privacy Policy for full details.
Common questions from law firms evaluating Case Compass.
Where is our data stored?
All production data is stored in AWS us-east-2 (Ohio, United States) on encrypted RDS instances and private S3 buckets. We do not replicate data outside the United States.
Can Case Compass employees access our client data?
Access to production systems is restricted to a small number of authorized personnel on a need-to-know basis. We do not access client data except to provide support at your explicit request, or as required by law.
Does Case Compass use our data to train AI?
No. Case Compass operates on a Bring Your Own Key (BYOK) model for all AI features. Your intake data flows directly between your account and the AI provider using your firm's own credentials. We have no technical ability to intercept or retain that data for training purposes.
What happens to our data if we cancel?
Upon cancellation, your firm's data can be exported in full upon request. After a defined retention period, all data is deleted from our systems. We do not retain data after the retention window expires.
Is Case Compass HIPAA compliant?
Case Compass serves personal injury, mass tort, and other practice areas where intake forms commonly capture health-related information — injury details, treatment history, and related protected health information (PHI). We take this seriously. All data is stored encrypted at rest and in transit on AWS infrastructure, access is strictly role-controlled, and your data is never used for AI training or shared with third parties. If your firm requires a HIPAA Business Associate Agreement (BAA), reach out to us at security@casecompass.io and we can discuss your specific requirements.
Do you offer a Data Processing Agreement (DPA)?
Yes. We can provide a Data Processing Agreement for firms with specific regulatory or compliance requirements. Contact us at privacy@casecompass.io to request one.
How do you handle security vulnerabilities?
We maintain a responsible disclosure process. If you discover a potential security issue, please report it to security@casecompass.io. We acknowledge all reports within 48 hours and commit to timely remediation.
Our team is happy to walk through our security practices, provide documentation, or answer specific questions from your firm's IT or compliance team.
security@casecompass.io