Security · trust · isolation
Your clients stay your clients. Quietly enforced at the row.
SupaCorp holds corporate records for Canadian law offices. That is a serious job. Here is how the product is built so that one firm literally cannot see another firm's data, and how we protect the work you do on behalf of your clients.
Row-level firm isolation
Every table that holds firm data enforces Postgres row-level security keyed to your organization. Queries are restricted at the database level so one firm cannot access another firm's data.
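The kind of policy that sentence describes, as an added illustration rather than SupaCorp's own schema: it assumes Supabase's auth.uid() helper, a hypothetical org_members table mapping users to their organization, and a hypothetical matters table.

```sql
-- Added example, not SupaCorp's schema. Assumes Supabase's auth.uid()
-- helper; org_members and matters are hypothetical tables.
create table if not exists org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);

create table if not exists matters (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well, so a
-- migration role that owns the table cannot silently bypass the policy.
alter table matters enable row level security;
alter table matters force row level security;

-- Every read, insert, update or delete must stay inside an organization the
-- caller belongs to. USING filters the rows a caller can see or touch;
-- WITH CHECK rejects writes that would move a row into another firm.
create policy matters_org_isolation on matters
  for all
  to authenticated
  using (
    org_id in (select org_id from org_members where user_id = auth.uid())
  )
  with check (
    org_id in (select org_id from org_members where user_id = auth.uid())
  );

-- Check from a session carrying firm A's JWT: this must return 0 for any
-- org_id other than firm A's, even though the rows exist in the table.
-- select count(*) from matters where org_id = '<other firm org_id>';
```

Two things worth verifying in any review of a setup like this: that every firm-data table has a policy (a table with RLS enabled but no policy denies everything, while a table without RLS enabled allows everything), and that the Supabase service-role key, which bypasses RLS, never leaves the server.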
Encrypted at rest, TLS in transit
All storage is encrypted at rest, including generated documents and intake uploads. All transport is over TLS. We use Supabase Postgres with production-grade encryption and backups.
No secrets in the browser
Integration credentials (Actionstep, Clio, QuickBooks, Cosmolex, Microsoft 365) live server-side only, encrypted with AES-256-GCM before being written. Browsers never see the keys.
Expiring client intake
Public intake links are tokenized and expire. Clients submit documents via an expiring link. Files are automatically routed to the correct matter.
Audit-ready activity
Every material event, such as a document being generated, a filing submitted, an intake received, or access changed, is written to an immutable activity log you can export.
Least-privilege access
Users see the matters and entities their role permits. Reviewer and approver roles are real, not cosmetic. Access changes are logged.
The architecture
How the product is built, in plain terms.
Share our complete architectural details with your IT team for review.
- Application: Next.js App Router on Vercel. Server Actions for every mutation. React Server Components by default, so sensitive reads never cross a network boundary they shouldn't.
- Data: Supabase Postgres with row-level security on every table. Queries are strictly org-scoped and enforced at the database level. Backups and point-in-time recovery are enabled.
- Secrets: Integration tokens and webhooks sealed with AES-256-GCM server-side. The encryption key is an environment variable, never checked in, rotated on request.
- Transport: TLS everywhere. OAuth2 with PKCE for Microsoft Graph. Webhooks verified with signed payloads.
- Auth: Supabase Auth with email and password, org-scoped sessions, and middleware-enforced route protection. SSO available on Firm+.
Commitments
What we owe you, in writing.
These are the commitments we make to every firm on the platform. They show up in our terms, and we will honour them on a handshake call just as readily.
- We will never sell your data or your clients' data.
- Your firm's data is not used to train models or improve analytics for other firms.
- You can export your full data (entities, minute books, documents) on request.
- We are committed to the transparent and prompt reporting of any material security incidents.
Questions from your IT team?
We answer security questionnaires without outsourcing them.
When your firm performs its security due diligence, your questions won't be bounced between support tiers. Send us your questionnaire, and the founders who engineered the platform will reply directly.
