Security Practices

Last updated: April 9, 2026 · Version 1.0

BigLaw Bear is built to handle sensitive student and recruiting data with the care it deserves. This page describes our security architecture, data handling practices, and compliance posture.

1. Infrastructure & Hosting

BigLaw Bear is hosted on Vercel's edge network with Supabase (AWS us-east-1) as our database and storage provider. Both Vercel and Supabase maintain SOC 2 Type II compliance. All data is stored in the United States.

2. Encryption

All data is encrypted at rest (AES-256 via AWS) and in transit (TLS 1.2+). Database connections use SSL. File storage uses server-side encryption. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age and preload directive.

3. Access Control

Row-level security (RLS) is enforced at the database layer on all tables. Firm accounts are fully isolated; no firm can access another firm's data. Student demographic data is stored in a separate table with no direct firm access. All access control is enforced server-side, not client-side.
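The isolation model described above, as an added Postgres/Supabase example that is not BigLaw Bear's own schema: the table names, the firm_id and student_id columns, and the app_metadata.firm_id claim in the JWT are assumptions made for illustration.

```sql
-- Assumed schema for illustration only: applications(firm_id uuid, ...)
-- and student_demographics(student_id uuid, ...). Supabase exposes the
-- verified JWT to Postgres as the request.jwt.claims setting.

-- Helper: the caller's firm, taken from the JWT rather than from client input.
create or replace function auth_firm_id() returns uuid
language sql stable as $$
  select nullif(
    current_setting('request.jwt.claims', true)::jsonb
      -> 'app_metadata' ->> 'firm_id', '')::uuid
$$;

-- With RLS enabled and no matching policy, a table returns no rows at all;
-- FORCE makes the table owner subject to the same policies.
alter table applications enable row level security;
alter table applications force row level security;

-- Firm isolation: a firm user sees only applications addressed to its own firm.
create policy firm_reads_own_applications on applications
  for select to authenticated
  using (firm_id = auth_firm_id());

-- Demographic responses: separate table, only the student who wrote them
-- may read them. No firm-facing policy exists, so firms get zero rows.
alter table student_demographics enable row level security;
alter table student_demographics force row level security;
create policy student_reads_own_demographics on student_demographics
  for select to authenticated
  using (student_id = auth.uid());

-- Verification from psql: impersonate a firm user for one transaction and
-- confirm that cross-firm rows and all demographic rows disappear.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated",'
    '"app_metadata":{"firm_id":"11111111-1111-1111-1111-111111111111"}}',
    true);
  select count(*) from applications;          -- only firm 1111...'s rows
  select count(*) from student_demographics;  -- 0 rows for a firm user
rollback;
```

Because the firm identity comes from the server-verified claim, a client that rewrites its own query or omits a WHERE clause still cannot widen the result set.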

4. Authentication

Students authenticate via Supabase Auth (email + password with email verification and Cloudflare Turnstile bot protection). Firm portal accounts use scoped JWT authentication with configurable session expiration and automatic idle timeout after 30 minutes of inactivity.

5. Audit Logging

All firm-side data access events are logged, including profile views, data exports, application status changes, and message sends. Logs include timestamps, user attribution, and action targets. Audit logs are available to firm administrators on the Activity Log page and cannot be modified or deleted.

6. Data Rights

Students can export all their data at any time, control their profile visibility, withdraw applications, and permanently delete their accounts with cascading removal of all associated data including uploaded files, demographic responses, and engagement history.

7. Backup & Recovery

Database backups are performed daily by Supabase with point-in-time recovery available. Backups are stored in AWS with the same encryption standards as production data.

8. Sub-Processors

Provider  | Function                                     | Compliance
Supabase  | Database, storage, authentication            | SOC 2 Type II
Vercel    | Hosting, serverless functions, edge network  | SOC 2 Type II
Resend    | Transactional email delivery                 | SOC 2 Type II

All sub-processors store and process data within the United States.

9. Data Residency

All student and firm data is stored in AWS us-east-1 (Northern Virginia, United States). No data is stored or processed outside of the United States.

10. Employee Access

Access to production data is restricted to BigLaw Bear's founding team on a need-to-know basis. We do not employ overseas contractors with access to production student or firm data.

11. Incident Response

In the event of a confirmed data breach, BigLaw Bear will notify affected firms and affected students within 72 hours, consistent with applicable state breach notification laws. Incident response includes containment, investigation, remediation, and a post-incident report provided to affected parties.

12. Penetration Testing

BigLaw Bear conducts regular internal security reviews of authentication, authorization, and data access patterns. A third-party penetration test is planned as part of our SOC 2 Type II readiness program.

13. Responsible Disclosure

If you discover a security vulnerability in BigLaw Bear, please report it to security@biglawbear.com. We will acknowledge receipt within 48 hours and work to address the issue promptly. We ask that you give us reasonable time to remediate before public disclosure.

14. SOC 2 Roadmap

BigLaw Bear is actively building toward SOC 2 Type II certification. Our infrastructure partners (Supabase, Vercel, Resend) each maintain SOC 2 Type II compliance, providing a strong security foundation. We are implementing additional organizational controls (including formal access policies, audit logging, incident response procedures, and vendor management) to prepare for our own certification.

15. Contact

For security inquiries:

security@biglawbear.com

For privacy inquiries:

privacy@biglawbear.com

For a copy of our security questionnaire or Data Processing Agreement, contact us at the addresses above.