Uncompromising data security

Your data’s security is our top priority. It is embedded into all our processes, which we continually work to improve.

Why do more than 40 of the Am Law 100 trust their data to Casetext?

Stringent policies

Our security program includes the governance and technical controls to ensure the platform, data, and code are secure and monitored. Security policies align to NIST 800-53 Moderate and NIST Cybersecurity Framework (CSF). We maintain a mapping of our controls onto ISO 27001 and SOC 2 standards. Casetext is on track to obtain SOC 2 attestation in 2023.

Encrypted data

All data are encrypted in transit and at rest in Casetext systems. We secure all data in transit via TLS 1.2+. Systems are configured to require the TLS protocol, meeting industry standards for externally facing systems. Symmetric encryption (AES-256) is used to protect data at rest, ensuring data is viewable only by authorized users.

Independent auditing

Casetext has partnered with sophisticated, independent external security resources to ensure we properly execute our security program. Regular vulnerability assessments and penetration tests, and review of our policies, vendor management, and risk management programs, are critical to our infosec program.

Casetext application security

  • All user access is protected by industry standard, role-based authentication
  • Perimeter firewalls block unauthorized ports and protocols
  • Customer instances and data are logically separated
  • All access to data sources, queries, and results is logged and audited
  • All code is thoroughly reviewed and tested before deployment to production
  • Data source credentials are encrypted and stored in a secure secrets manager
  • Single Sign On is available and integrates with your secure identity provider
  • Network vulnerability scans are performed monthly
  • Third-party penetration testing is performed annually

Keeping data private and secure in CoCounsel

Professional-grade rigor
Data entered into CoCounsel is subject to substantially more rigorous security controls than are consumer-facing LLMs and products like GPT-4 and ChatGPT.
Zero-retention API
CoCounsel accesses the AI model through private, dedicated servers and through a zero-retention API—meaning OpenAI cannot view any of that data, store it longer than required to process the request, or use any of it to train the AI model.
User-controlled data
Users retain ownership of and control over their data and can remove it completely from the CoCounsel platform at any time. 

How we serve CoCounsel

  • CoCounsel is a cloud-based application. All data is stored in Casetext’s Google Cloud environment. Data stores and services are hosted in US-West regions.

  • The user-facing web application is served from a Heroku Private Space in the US-West region.

Data encryption

  • All data are encrypted in transit and at rest in our systems.

  • Casetext secures all data in transit via TLS 1.2+. Systems are configured to require the TLS protocol, meeting industry standards for externally facing systems. An up-to-date assessment of our TLS configurations is available at SSL Labs SSL Test.

  • Symmetric encryption (AES-256) is used to protect data at rest. This ensures data is only viewable by authorized users.

Independent verification and auditing

  • Casetext has partnered with sophisticated, independent external security resources to ensure we properly execute our security program.

  • We treat consistent monitoring of our platform through regular vulnerability assessments and penetration tests, along with review of our policies, vendor management, and risk management programs, as critical for our information security program.

  • We rely on our relationships with security, compliance, and governance partners to ensure Casetext is held to the highest standards.

Our additional security programs

We require annual security training for all Casetext employees, including review of and attestation to Casetext’s Information Security & Privacy Policies. Our annual secure developer training is based on OWASP Top 10.
Our asset management policies require tracking and inventory of all hardware. Antivirus and mobile device management are installed on all laptops. Auto-updates and hard drive encryption are enforced.
Our identity and access management program ensures data is only available to appropriate parties. Casetext employees are granted platform access for administration purposes only, and such access is fully monitored and regularly audited.
We maintain a robust vendor management program and require vetting of all third-party software and contractors.
Our Incident Response Plan and Business Continuity/Disaster Recovery Plan are reviewed and tested annually.
Want to learn more?
One of our representatives would be happy to share a thorough overview of our privacy and security program.

© 2023 Casetext Inc.
Casetext, Inc. and Casetext are not a law firm and do not provide legal advice.