This page describes the controls currently implemented in the app: encryption at rest and in transit, presigned URL file handling, role-based access control, case-scoped AI workflows, and clickjacking protections on Zoom endpoints.
Documents, evidence, and core records are encrypted at rest with AWS-managed encryption and protected in transit by TLS.
Documents and evidence are stored in Amazon S3 with server-side encryption using S3-managed keys (SSE-S3, AES-256). Core structured records are stored in DynamoDB tables with encryption at rest enabled. Note that storage-layer encryption protects against loss of the underlying media, not against a caller who already holds IAM permission to read the object; who can fetch a file is governed by IAM policy and the presigned URL workflow described below.
API traffic runs over HTTPS (TLS 1.2+), and realtime app connectivity uses secure WebSocket channels (WSS). File operations are signed and time-limited through presigned URL workflows.
Vector-indexed case data is handled through Pinecone. Per Pinecone's published security documentation, stored data is encrypted at rest with 256-bit AES, and data in transit is protected by TLS 1.2 on its HTTPS and gRPC connections.
Uploads and downloads are brokered through backend-generated presigned URLs, so frontend clients never hold S3 credentials.
For uploads, the backend generates presigned POST URLs. The signature binds the request to a specific bucket and key and carries an expiry, so the URL can only be used for the intended upload and only inside a bounded window.
For retrieval, the backend generates presigned GET URLs with expiration controls, so a link grants temporary access to one object rather than being a permanent open link.
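To make the presigned-URL workflow concrete, here is an added example (not the app's code) that uses only the Python standard library to build a SigV4 query-string presigned GET URL and a presigned POST policy, together with the expiry check S3 applies before it even looks at the signature. The credentials are AWS's documentation placeholders, the bucket name and fixed clock are constructed, and the POST policy conditions (key prefix, size range, content type) are an assumption about what a controlled upload should pin; the page only states that POST URLs are signed and time-limited.

```python
"""Stdlib-only SigV4 presigning, to show what a presigned GET URL and POST policy actually bind."""
import base64
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values: AWS documentation placeholder credentials, an assumed bucket, a fixed clock.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "examplebucket"
NOW = dt.datetime(2024, 5, 1, 12, 0, 0, tzinfo=dt.timezone.utc)


def utc(*parts: int) -> dt.datetime:
    return dt.datetime(*parts, tzinfo=dt.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """Per-day derived key: the long-term secret never appears in anything sent to a client."""
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(key: str, now: dt.datetime = NOW, expires_in: int = 900, secret: str = SECRET_KEY) -> str:
    """Query-string presigned GET: the signature covers method, object key, credential scope and expiry,
    so none of them can be altered by whoever holds the link."""
    if not 1 <= expires_in <= 7 * 24 * 3600:
        raise ValueError("S3 caps X-Amz-Expires at 7 days")
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{BUCKET}.s3.amazonaws.com"
    scope = f"{date_stamp}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    uri = quote("/" + key.lstrip("/"), safe="/")
    canonical_request = "\n".join(["GET", uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret, date_stamp, REGION), string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


def is_expired(url: str, now: dt.datetime) -> bool:
    """The time check S3 performs: the link dies once X-Amz-Date + X-Amz-Expires has passed."""
    q = parse_qs(urlsplit(url).query)
    issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return now >= issued + dt.timedelta(seconds=int(q["X-Amz-Expires"][0]))


def presign_post(key_prefix: str, now: dt.datetime = NOW, expires_in: int = 300,
                 max_bytes: int = 25 * 1024 * 1024, content_type: str = "application/pdf") -> dict:
    """Form fields for a browser POST upload. The signed policy pins bucket, key prefix, size range
    and declared type (assumed conditions), so the client cannot pick another key or upload a huge file.
    The client still supplies a `key` form field, which S3 checks against the starts-with condition."""
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    credential = f"{ACCESS_KEY}/{date_stamp}/{REGION}/s3/aws4_request"
    policy = {
        "expiration": (now + dt.timedelta(seconds=expires_in)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            ["starts-with", "$key", key_prefix],
            ["content-length-range", 1, max_bytes],
            {"Content-Type": content_type},
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    # For POST, the signature is over the base64 policy itself.
    sig = hmac.new(signing_key(SECRET_KEY, date_stamp, REGION), encoded.encode(), hashlib.sha256).hexdigest()
    fields = {"Content-Type": content_type, "x-amz-algorithm": "AWS4-HMAC-SHA256",
              "x-amz-credential": credential, "x-amz-date": amz_date,
              "policy": encoded, "x-amz-signature": sig}
    return {"url": f"https://{BUCKET}.s3.amazonaws.com/", "fields": fields}


def policy_conditions(post: dict) -> list:
    """Decode the signed policy back out of the form fields (this is what S3 evaluates on upload)."""
    return json.loads(base64.b64decode(post["fields"]["policy"]))["conditions"]
```

The point worth internalising is that a presigned URL is the backend's IAM permission, delegated for one object and one time window. It is only as narrow as the backend makes it: a GET URL with a multi-day expiry, or a POST policy without a size range or key prefix, is still a "signed" URL but gives away far more than the page's intent of a short, bounded access window.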
Access is governed by role and by assignment context: case access for lawyers flows through lawyer-specific isolation paths.
Admin users have firm-level oversight, while non-admin lawyer access is constrained in the backend handlers by assignment and by scoped identifiers derived from the authenticated user rather than from request parameters.
The same lawyer-specific paths and filtering logic apply to case and media access, with admin visibility preserved for firm-level operations.
Lawbotics AI workflows are built with a grounding-first approach: model calls run through Amazon Bedrock, retrieval is scoped to the case in question, and prompt instructions are structured to keep responses precise and reduce drift.
Model inference for summaries and other AI workflows runs through Amazon Bedrock integrations in backend services; clients never call a model directly.
CaseIQ Ask/Search style flows retrieve over indexed case materials first, so responses are grounded in the firm's own case data rather than produced by free-form generation alone.
Prompt templates and response-formatting logic constrain output style and reduce hallucination and drift in legal workflows.
Case-level AI interactions run inside a private workspace context with scoped access controls, so the same role and assignment boundaries that govern case access also govern what the model is allowed to see.
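The following is an added example, not Lawbotics code, of how the assignment-scoped access control described above and the case-scoped retrieval described here fit together in one request path: authorize the caller against the case, build a retrieval query with a hard case filter, and then re-check every returned chunk before it reaches the prompt. The role names, the assignment table shape, and the Pinecone-style metadata filter are assumptions; the Bedrock call itself is left out so the example runs offline (the returned prompt is what would be sent to the model), and the search callable is a constructed stand-in that deliberately ignores the filter to show why the second check exists.

```python
"""Authorize -> case-scoped retrieval -> verified grounding (illustrative, not the app's code)."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class User:
    user_id: str
    firm_id: str
    role: str  # assumed roles: "admin" or "lawyer"


@dataclass(frozen=True)
class Case:
    case_id: str
    firm_id: str
    assigned_lawyers: frozenset  # assumed assignment table, keyed by user_id


def can_access_case(user: User, case: Case) -> bool:
    """Deny by default. Admins see their own firm's cases; lawyers only cases they are assigned to.
    The decision uses the authenticated identity, never an id supplied in the request body."""
    if user.firm_id != case.firm_id:
        return False
    if user.role == "admin":
        return True
    if user.role == "lawyer":
        return user.user_id in case.assigned_lawyers
    return False


def visible_cases(user: User, cases: list) -> list:
    """Listing path: the same predicate filters what a lawyer can enumerate at all."""
    return [c for c in cases if can_access_case(user, c)]


def retrieval_query(case_id: str, query_vector: list, top_k: int = 5) -> dict:
    """Pinecone-style query body with a metadata filter pinned to the case (filter field name assumed)."""
    return {"vector": query_vector, "top_k": top_k, "include_metadata": True,
            "filter": {"case_id": {"$eq": case_id}}}


def grounded_prompt(question: str, case_id: str, matches: list) -> tuple:
    """Assemble the prompt from matches, dropping anything whose metadata does not belong to this case.
    Returns (prompt, number_of_dropped_matches) so a non-zero drop count can be alerted on."""
    in_scope = [m for m in matches if m.get("metadata", {}).get("case_id") == case_id]
    dropped = len(matches) - len(in_scope)
    context = "\n".join(f"[{m['id']}] {m['metadata']['text']}" for m in in_scope)
    prompt = (
        "Answer only from the CONTEXT below. If the answer is not in the context, reply exactly "
        "\"Not found in case materials\". Cite the bracketed ids you rely on.\n\n"
        f"CONTEXT:\n{context}\n\nQUESTION: {question}\n"
    )
    return prompt, dropped


def answer_case_question(user: User, case: Case, question: str, query_vector: list,
                         search: Callable[[dict], list]) -> tuple:
    """Full path. `search` is injected; the real app would call Pinecone and then Bedrock here."""
    if not can_access_case(user, case):
        raise PermissionError("caller is not assigned to this case")
    matches = search(retrieval_query(case.case_id, query_vector))
    return grounded_prompt(question, case.case_id, matches)


# Constructed sample data.
FIRM_CASES = [
    Case("case-1", "firm-A", frozenset({"lawyer-1"})),
    Case("case-2", "firm-A", frozenset({"lawyer-2"})),
]
SAMPLE_MATCHES = [
    {"id": "c1-chunk-7", "metadata": {"case_id": "case-1", "text": "Deposition scheduled for 1 May."}},
    {"id": "c2-chunk-3", "metadata": {"case_id": "case-2", "text": "Settlement offer under review."}},
]


def leaky_search(query: dict) -> list:
    """Constructed stand-in that ignores query['filter'], simulating an index without the case filter."""
    return SAMPLE_MATCHES
```

Two design points: the authorization predicate is shared by the listing path and the AI path, so there is one place to reason about who sees what; and the prompt assembler treats retrieval results as untrusted input, so a missing filter or a mis-tagged vector degrades to a dropped chunk and a countable signal rather than another matter's material landing in a lawyer's answer.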
Zoom-related endpoints include anti-clickjacking response headers to block iframe-based attacks during OAuth and meeting workflows.
Zoom integration responses carry X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'self'. The CSP directive is the authoritative control in current browsers and takes precedence where both are present; X-Frame-Options remains as a fallback for older user agents.
Related headers on Zoom endpoint responses include X-Content-Type-Options, X-XSS-Protection, and a strict Referrer-Policy. X-XSS-Protection is a legacy header that modern browsers ignore (Chromium removed its XSS auditor and Firefox never implemented one), so it adds no protection beyond the CSP and framing headers above and should not be relied on.
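As an added example (not the app's code), the checker below verifies that a response carries effective framing protection: it parses the CSP into directives, requires a frame-ancestors directive that is not wildcarded, requires a usable X-Frame-Options value (ALLOW-FROM is obsolete and ignored by browsers), and flags a missing nosniff. The header set and the weak sample response are constructed; the Referrer-Policy value is an assumption about what "strict" means here.

```python
"""Check a response's headers for effective anti-clickjacking protection (example checker)."""


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


# Constructed header set matching what the page describes for Zoom responses.
ZOOM_SECURITY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",  # assumed value
}

# Constructed weak response: obsolete ALLOW-FROM, a CSP with no frame-ancestors, no nosniff.
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Content-Security-Policy": "default-src 'self'",
}


def frame_protection_findings(headers: dict) -> list:
    """Return a list of problems; an empty list means third-party framing is blocked in current browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is None:
        findings.append("CSP frame-ancestors directive missing (default-src does not cover framing)")
    elif any(src == "*" or src.startswith("http:") for src in ancestors):
        findings.append(f"CSP frame-ancestors too broad: {' '.join(ancestors)}")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or unsupported value; use DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")

    return findings


def with_security_headers(response_headers: dict) -> dict:
    """Merge the policy headers into a handler's response, overriding any conflicting value."""
    merged = {k: v for k, v in response_headers.items() if k.lower() not in {x.lower() for x in ZOOM_SECURITY_HEADERS}}
    merged.update(ZOOM_SECURITY_HEADERS)
    return merged
```

One detail worth knowing when running a checker like this against real responses: frame-ancestors is only honoured from the Content-Security-Policy header, not from a <meta> tag and not from Content-Security-Policy-Report-Only, so the check has to be made on the enforced header of the actual OAuth callback and meeting responses.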