Security & Compliance

Security is not a feature. It is the foundation.

RedactLaw was built from the ground up for lawyers handling the most sensitive documents in existence. Every architectural decision — from encryption to data retention — starts with the assumption that your files can never be compromised.

Enterprise-grade security, out of the box

These are not aspirational goals. They are the baseline we ship with today.

SOC 2 Type II

Independent audit of our security controls, availability, and confidentiality — renewed annually.

AES-256 Encryption

All documents are encrypted at rest using AES-256, the same standard used by the U.S. government for classified data.

TLS 1.2+

Every connection between your browser and our servers is encrypted in transit with TLS 1.2 or higher.

US-Based Data Centers

All infrastructure runs in AWS data centers located in the United States. Documents never leave U.S. soil.

HIPAA BAA Available

We execute Business Associate Agreements for firms handling protected health information.

ABA Ethics Compliant

Our security practices align with ABA Model Rules 1.1, 1.6, and Formal Opinion 477R on technology competence and confidentiality.

Data Handling

How your documents are processed

Your files are encrypted at every stage of the pipeline. Here is exactly what happens from upload to download.

1. Encrypted in Transit: Your document is uploaded over TLS 1.2+. The connection is encrypted end-to-end before data leaves your browser.

2. Processed in Memory: AI detection and redaction happen in isolated, ephemeral containers. Documents are never written to unencrypted disk.

3. Encrypted at Rest: The redacted output is stored with AES-256 encryption. Encryption keys are managed through AWS KMS with automatic rotation.

4. User-Controlled Retention: You choose how long files are kept — 24 hours, 7 days, 30 days, or manual deletion. When deleted, data is permanently purged.

AI & Data Privacy

We never train on your data

Your documents are processed for one purpose: to detect and redact the information you tell us to remove. They are never used to train, fine-tune, or improve any AI model. Period.

  • Zero data training — documents are never fed into model training pipelines
  • Complete data isolation — one client cannot access or influence another
  • Ephemeral processing — AI inference happens in isolated containers that are destroyed after each job
  • No third-party AI sharing — your data stays within our controlled infrastructure

Our Data Promise

  • Your documents will never be used for AI training
  • Your data is isolated from every other client
  • Processing containers are destroyed after each job
  • You can delete all data at any time, permanently

Compliance

Built to meet the standards your firm requires

We do not just check boxes. Every compliance standard we list is backed by documentation, audits, and enforceable commitments.

HIPAA

Health Insurance Portability and Accountability Act

  • Business Associate Agreement (BAA) execution on all plans
  • All 18 PHI identifiers covered by detection engine
  • Audit trail meets HIPAA accountability requirements
  • Encryption meets the HIPAA Security Rule technical safeguards

For healthcare litigation, insurance defense, and medical malpractice firms handling protected health information.

SOC 2 Type II

Service Organization Control

  • Annual independent audit by a licensed CPA firm
  • Covers security, availability, and confidentiality trust principles
  • Continuous monitoring with evidence collection
  • Report available under NDA upon request

For firms and corporate legal departments that require vendor security audits before onboarding new tools.

ABA Ethics

Model Rules & Formal Opinions

  • Supports Rule 1.1 technology competence obligations
  • Aligns with Rule 1.6 confidentiality duty for electronic data
  • Consistent with Formal Opinion 477R on secure communication
  • Audit trail supports Rule 5.1/5.3 supervisory responsibilities

For every attorney who has a duty of technology competence when handling client data electronically.

Infrastructure

US-based. No exceptions.

All RedactLaw infrastructure runs on Amazon Web Services in the United States. Your documents are never transferred across international borders and are never processed outside of U.S. jurisdiction.

  • AWS US-East and US-West regions with automatic failover
  • No cross-border data transfer — ever
  • Multi-AZ redundancy for high availability
  • 24/7 monitoring with automated threat detection and alerting
  • Regular penetration testing by independent third-party firms

Infrastructure status:

  • Primary Region: US-East (N. Virginia) [Active]
  • Failover Region: US-West (Oregon) [Standby]
  • Uptime (30d): 99.98% [Healthy]
  • Last Pen Test: January 2026 [Passed]
  • Cross-Border Transfer: None [Enforced]

Access Controls

Control exactly who sees what

Fine-grained access controls ensure that only the right people can view, edit, or download documents in your workspace.

Role-Based Access

Assign Admin, Attorney, Paralegal, and Viewer roles with scoped permissions for each document set.

SSO / SAML

Integrate with your existing identity provider — Okta, Azure AD, OneLogin, and any SAML 2.0 compatible IdP.

Audit Logging

Every login, file access, download, and configuration change is logged with timestamps and user attribution.

MFA Required

Multi-factor authentication is required for all accounts. Supports authenticator apps, SMS, and hardware keys.

Data Retention

Your data, your deletion schedule

You control exactly how long RedactLaw retains your documents. Choose an automatic retention window or delete files manually at any time. When data is deleted, it is permanently purged from all systems — including backups — within 24 hours.

  • Configurable retention: 24 hours, 7 days, 30 days, or manual only
  • Deletion is permanent — files are purged from primary storage and backups
  • Deletion confirmation with audit trail entry
  • Workspace-wide or per-document retention policies

Retention Options

  • 24 Hours [Available]: Files are automatically deleted 24 hours after processing completes. Ideal for one-time redaction jobs.
  • 7 Days [Available]: Keeps files available for a week of review, then purges automatically. Good for active productions.
  • 30 Days [Available]: Extended retention for complex matters requiring multiple rounds of review before final delivery.
  • Manual [Available]: Files persist until you explicitly delete them. Full control for matters with unpredictable timelines.

What happens when data is deleted: The file is removed from primary storage immediately. Encrypted backups are purged within 24 hours. Encryption keys are rotated so that even residual encrypted fragments become unreadable. A deletion confirmation is logged in your audit trail.
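The deletion sequence just described (primary copy removed at once, backups purged within 24 hours, keys rotated so residual encrypted fragments are unreadable) together with the AES-256 at-rest encryption under KMS-managed keys from the data-handling steps is most naturally modelled as envelope encryption with one data key per document and crypto-shredding on delete. The Go program below is an added illustration of that pattern, not RedactLaw's own code, and it makes assumptions: an in-process key-encryption key (KEK) stands in for the KMS-managed key, the per-document key table and the names Store, Put, Decrypt and Delete are hypothetical, and the patient line is constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce; open reverses it.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Store models envelope encryption: one data key (DEK) per document, kept only KEK-wrapped.
type Store struct {
	kek   []byte            // stands in for the KMS-managed key (assumption of this example)
	keys  map[string][]byte // doc ID -> KEK-wrapped DEK, held apart from the blobs
	blobs map[string][]byte // doc ID -> ciphertext in primary storage
}

func NewStore() (*Store, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return &Store{kek, map[string][]byte{}, map[string][]byte{}}, err
}

// Put stores plaintext under a fresh DEK and returns the ciphertext as written (what a backup job copies).
func (s *Store) Put(id string, plaintext []byte) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(s.kek, dek)
	if err != nil {
		return nil, err
	}
	s.keys[id], s.blobs[id] = wrapped, ct
	return ct, nil
}

// Decrypt opens any copy of a document's ciphertext by unwrapping its DEK first; once that key is gone, every copy is dead.
func (s *Store) Decrypt(id string, ct []byte) ([]byte, error) {
	wrapped, ok := s.keys[id]
	if !ok {
		return nil, fmt.Errorf("data key destroyed: ciphertext is unrecoverable")
	}
	dek, err := open(s.kek, wrapped)
	if err != nil {
		return nil, err
	}
	return open(dek, ct)
}

// Delete is the crypto-shredding step: the primary blob goes at once and the DEK
// is destroyed, so backup copies still awaiting the 24-hour purge are unreadable.
func (s *Store) Delete(id string) {
	delete(s.blobs, id)
	delete(s.keys, id)
}

func main() {
	s, _ := NewStore()
	backup, _ := s.Put("doc-1", []byte("constructed sample: patient Jane Roe, MRN 000000"))
	s.Delete("doc-1")
	_, err := s.Decrypt("doc-1", backup) // the copy a backup job took before deletion
	fmt.Println("backup copy after delete:", err)
}
```

The design point is that the key table, not the blob store, is the thing deletion must be certain about: a backup that lags by hours is harmless if the only key that could open it no longer exists, and GCM's authentication tag means a tampered or partially recovered fragment fails outright rather than decrypting to garbage.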

Get Started

Need more details before you commit?

We are happy to walk your IT or compliance team through our security architecture, share our SOC 2 report under NDA, or execute a BAA for your firm.

SOC 2 report available under NDA. BAA execution typically within 48 hours.

Trusted by firms that cannot afford to get security wrong

Start with 5 free documents per month. No credit card required. Enterprise plans include BAA, SSO, and dedicated support.

Start Redacting Free

SOC 2 certified. US-hosted. HIPAA BAA available.