Security.
JudicialMind is operated by QuantumShell Intelligence Private Limited. This page describes how we protect customer content and infrastructure. We cover what is in place today, the standards we align to, and where we are still maturing. We prefer being honest and specific over polished and vague.
Last updated · April 2026
Our approach
We design the platform around three principles: Customer Content stays inside the customer's tenant and is only used to serve that tenant; permissions and ethical walls follow the user through retrieval and generation; and every meaningful action produces an auditable record.
We do not currently hold SOC 2, ISO 27001 or other independent security certifications. We are building our programme so that, when we pursue attestations, we can meet them credibly rather than announce them prematurely. Where we describe practices below, they reflect what we do today.
Tenant isolation
Each customer is provisioned into a logically isolated tenant. Application-layer controls enforce that a user can only reach data that belongs to their tenant and that they are authorised to see within it.
We do not train across tenants. Customer Content from one tenant is never used to produce outputs, embeddings or model behaviour for another tenant.
Identity, access and ethical walls
Customer administrators manage users, roles and group membership. We support enterprise single sign-on via SAML 2.0 and OIDC and user provisioning via SCIM for plans that include it.
Ethical walls and matter-level access restrictions are enforced at the retrieval and generation layers - not only at the UI - so a user cannot see or cite information their walls prevent.
Internal access to production is limited to a small group of engineers, gated by SSO and multi-factor authentication, granted on a need-to-know basis and logged.
Encryption
Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard algorithms provided by our cloud infrastructure, with keys managed through our cloud provider's key management service.
Infrastructure
JudicialMind runs on established cloud infrastructure providers. We use the security features those providers offer - network isolation, managed identity, key management, hardened images and baseline monitoring - and we build on top of them rather than reinventing them.
Administrative access to infrastructure is SSO-gated, requires multi-factor authentication, and is logged.
Application and model security
Our engineering practice includes code review for changes that touch the product, dependency management and vulnerability scanning for known issues in third-party libraries, and automated checks in CI.
For AI features, we apply layered defences against prompt injection and data exfiltration - including input and tool-call constraints, retrieval scoping and output filtering - and we document model invocations in audit logs. Where we use third-party models, we contract for no-retention and no-training terms wherever the provider supports them.
Logging and audit
Customer administrators have access to tenant-scoped audit data covering authentication, retrieval, generation, approvals and administrative actions. This supports internal review, client reporting and legal hold.
System logs are used for operations, security monitoring and incident response. Access to logs is restricted and reviewed.
Vulnerability management
We monitor dependencies for known vulnerabilities and update them on a risk-based cadence. We plan to run regular third-party penetration tests and to publish summary letters to customers under NDA as the programme matures.
If you believe you have found a security issue, please report it responsibly - see the "Responsible disclosure" section below.
Backups and resilience
We back up critical data regularly and test our ability to restore it. Our infrastructure is designed so that the loss of a single component does not take the service down, and we keep documented operational runbooks for common failure modes.
We do not guarantee a specific availability SLA on early-access plans. Enterprise plans may include contractual availability commitments.
Incident response
We have an incident response process that covers detection, triage, containment, remediation, communication and post-incident review. In the event of a security incident affecting Customer Content, we will notify affected customers in line with our contractual commitments and applicable law.
Personnel and vendors
Team members accept confidentiality obligations and complete security awareness training appropriate to their role. We screen new hires where permitted by law.
Vendors and subprocessors that handle Customer Content are bound by written agreements and confidentiality terms, and are reviewed before onboarding.
Standards we align to
While we do not currently hold independent certifications, we align our programme to widely recognised frameworks - including the principles behind SOC 2, ISO/IEC 27001 and the NIST Cybersecurity Framework, together with privacy and AI-governance practices from ISO/IEC 27701 and the NIST AI Risk Management Framework. Alignment is not certification; we will say so clearly when that changes.
Responsible disclosure
If you believe you have discovered a vulnerability in JudicialMind, please write to security@judicialmind.ai with details and steps to reproduce. We ask that researchers give us a reasonable opportunity to investigate and remediate before public disclosure, avoid accessing data that does not belong to them, and avoid disrupting the Service or other users.
Questions about this policy? Contact us at legal@judicialmind.ai.