Security & Compliance

Your clients trust you. We take that seriously.

Legal client data is among the most sensitive information that exists. CaseHug is built with security as the foundation — not a feature we added later.

HIPAA-Ready
AES-256 Encrypted
SOC 2 Type II Infrastructure
US-Only Data

Enterprise-grade protection. Standard on every plan.

Security isn't a premium add-on. Every plan gets the same protection — because client data deserves it.

HIPAA-Ready Architecture

CaseHug is designed to meet HIPAA Security Rule requirements for handling electronic Protected Health Information (ePHI). We sign Business Associate Agreements (BAAs) with all Firm plan subscribers as standard, and on request for Practice plans. Solo plan subscribers should contact us to discuss their specific needs. See our compliance roadmap for live readiness status.

  • BAA included on Firm plans, on request for Practice plans
  • ePHI handling procedures
  • Minimum necessary access controls
  • Compliance program under development

AES-256 Encryption

Every document stored in CaseHug is encrypted at rest using AES-256 — the same standard used by banks and the US government. All data in transit uses TLS 1.3. There is no unencrypted path to client data.

  • AES-256 encryption at rest
  • TLS 1.3 for all data in transit
  • Encrypted database backups
  • Key rotation on schedule

Complete Audit Trail

Every action taken in CaseHug is logged: document views, downloads, approvals, rejections, user logins, permission changes. You can export the full audit log for any matter at any time. Nothing is invisible.

  • IP address + timestamp per action
  • Document-level access logging
  • User authentication events
  • CSV export for compliance reporting

Automatic Data Retention

Set data retention policies by matter type — 1 year, 3 years, 7 years, or custom. When a retention period expires, data is permanently and irreversibly deleted from all systems. We'll notify you before auto-deletion occurs.

  • Configurable per matter type
  • 30-day pre-deletion warning
  • Permanent irreversible deletion
  • Deletion confirmation reports

Zero-Knowledge Client Links

Client intake links are time-limited, single-use, and expire automatically after completion or after your configured period. Expired links cannot be reactivated. Clients can never guess another client's link.

  • Cryptographically random tokens
  • Configurable expiration (24hr–90 days)
  • Automatic expiry on completion
  • No brute-force possible
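As an added illustration (not CaseHug's own code), the following Python sketches how a single-use, time-limited intake link token can be issued and redeemed so that the guarantees listed above hold: only a hash of the token is stored, expiry is bounded to the 24h–90 day window, and a link that has expired or been used is never accepted again. The class and method names are assumptions.

```python
"""Added example (not CaseHug code): time-limited, single-use intake link tokens."""
import hashlib
import secrets
import time

MIN_TTL = 24 * 3600          # 24 hours, the lower bound stated on the page
MAX_TTL = 90 * 24 * 3600     # 90 days, the upper bound stated on the page


class IntakeLinks:
    """In-memory store keyed by SHA-256 of the token. Only hashes are kept,
    so a leaked table does not yield usable links (constructed, hypothetical)."""

    def __init__(self):
        self._links = {}   # token_hash -> {"matter": str, "expires": float, "used": bool}

    @staticmethod
    def _digest(token):
        # Hashing before lookup means timing of the dict lookup never depends on
        # how many characters of a guessed token happen to match a real one.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, matter_id, ttl_seconds, now=None):
        """Mint a 256-bit URL-safe token from the OS CSPRNG; return it once,
        store only its hash together with its expiry."""
        if not MIN_TTL <= ttl_seconds <= MAX_TTL:
            raise ValueError("expiry must be between 24 hours and 90 days")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: infeasible to guess
        self._links[self._digest(token)] = {
            "matter": matter_id, "expires": now + ttl_seconds, "used": False}
        return token

    def redeem(self, token, now=None):
        """Return the matter id on success, otherwise None. The link is consumed
        on first successful use; neither the used flag nor the expiry is ever
        reset, so an expired or used link cannot be reactivated."""
        now = time.time() if now is None else now
        rec = self._links.get(self._digest(token))
        if rec is None:
            return None                     # unknown token, e.g. a guess
        if now >= rec["expires"] or rec["used"]:
            return None                     # expired or already consumed
        rec["used"] = True
        return rec["matter"]
```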

Role-Based Access Control

Every team member gets access to exactly what they need — nothing more. Attorneys can access all matters. Paralegals can be restricted to assigned matters. Admins manage the account. Permissions are enforced at every API endpoint.

  • Attorney, paralegal, admin, and intake roles
  • Matter-level permission assignment
  • Enforced at API level
  • Permission change audit logging

SOC 2 Type II Certified Infrastructure

CaseHug runs on AWS us-east-1 — data centers that hold their own SOC 2 Type II certification. All client data stays in the United States. CaseHug's own SOC 2 Type I attestation is targeted for Q4 2026 and Type II for Q3 2027 — see our compliance roadmap.

  • AWS us-east-1 (US-only data storage)
  • Infrastructure: SOC 2 Type II certified (AWS)
  • CalmIntake SOC 2 Type I target: Q4 2026
  • Geographic data restriction

Security Audits

CaseHug is committed to regular security assessments. Our first independent penetration test is scheduled for 2026. We operate a responsible disclosure program for security researchers.

  • First pen test scheduled 2026
  • Responsible disclosure program
  • Accelerated CVE patching
  • Security advisory notifications

Compliance questions, answered directly.

Do you sign Business Associate Agreements (BAAs)?

Yes. We sign BAAs with all Firm plan subscribers as a standard part of the onboarding process. Practice plan subscribers can request a BAA by emailing compliance@calmintake.com. Solo plan subscribers should contact us to discuss their specific compliance needs.

Is client data stored in the United States?

Yes. All client data, documents, and backups are stored in AWS us-east-1 (Northern Virginia). We do not transfer or store data outside the United States. This is enforced at the infrastructure level, not just by policy.

Can I get a copy of your security documentation?

Yes. We can provide our security questionnaire responses and compliance overview upon request under NDA. SOC 2 attestation and pen test documentation will be available after our first audits are completed in 2026. Contact security@calmintake.com for enterprise due diligence requests.

What happens to data when I cancel?

You have 90 days after cancellation to export all data — matters, documents, and audit logs. After 90 days, all data is permanently deleted from all systems. We send multiple email reminders before deletion and never delete data without adequate notice.

Do CaseHug employees have access to client documents?

CaseHug employees cannot access your client documents except when investigating a technical issue at your explicit written request. All employee access is logged, time-limited, and reviewed. We operate a strict need-to-know access policy internally.

Have a security question we didn't answer?

security@calmintake.com

Security included. Zero extra cost.

Every plan includes HIPAA-ready infrastructure, encryption, audit trails, and data retention controls.