Your clients' data handled as if it were privileged.

How Docketwright approaches encryption, access control, and data residency for law firm deployments. This page covers the questions your managing partner and IT counsel will ask.

Security framework

Built with SOC 2 controls in mind.

Our SOC 2 Type II audit is in preparation. The controls described on this page reflect how Docketwright is built — not a compliance certification we don't yet hold.

Encryption at rest and in transit

All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted at the storage layer using AES-256. Database credentials and API keys are stored in a secrets management service, not in application configuration files. Encryption key management follows least-privilege access principles — no engineer has standing access to production key material.

Access control and role-based permissions

Docketwright implements role-based access control across all user tiers: attorney, paralegal, legal ops, and administrator. Attorneys are scoped to matters they are assigned to — an attorney in the corporate group cannot browse litigation matters. Administrators control user provisioning and permission assignment. All access changes are logged with actor identity and timestamp.

Data residency — US-only processing

All Docketwright data is processed and stored on US-based infrastructure. We do not route law firm matter data through offshore infrastructure or use cross-border data transfer arrangements. For Enterprise deployments, we offer on-premise or private cloud options for firms that require data to remain within their own infrastructure boundary.

Audit logging

Docketwright maintains an immutable audit log for all matter-level events: conflict checks run and cleared, engagement letters generated and routed, deadline acknowledgments, and user access events. Audit records are timestamped, actor-attributed, and retained per your firm's configured retention policy. Logs are exportable for professional responsibility review or external auditor access.

Incident response

Docketwright maintains a written incident response policy covering detection, containment, notification, and post-incident review. In the event of a confirmed data incident affecting law firm data, we will notify affected clients within 72 hours of confirmation. Our incident response plan is available to Firm and Enterprise tier clients upon request and under NDA.

Vendor questionnaire availability

Most law firms run a vendor security review before onboarding any technology that touches matter data. We have a completed security questionnaire in standard format available for IT and general counsel review. Contact us at [email protected] with subject "Security questionnaire request" and we'll provide it under NDA within 2 business days.

A note on compliance language

We don't claim SOC 2 certification we haven't completed, HIPAA compliance for data we don't process, or security postures we haven't validated. The controls described on this page reflect how Docketwright is actually built. If you have specific compliance requirements for a vendor handling law firm operational data, we'll work through them with you directly — not through marketing copy.

Have specific security requirements?

Contact us to request the security questionnaire or discuss your firm's specific data handling requirements.