Security overview
DVLP Studio builds AI products for law firms and operations teams. Our products handle sensitive information — client documents, case files, project data, and internal communications. Every design decision in our infrastructure prioritizes data isolation, confidentiality, and auditability.
This page describes our current security posture. It is reviewed quarterly and updated as our infrastructure evolves. For any specific question not answered here, contact our security team directly.
For prospective customers: We are happy to complete vendor security questionnaires, sign mutual NDAs, and provide our SOC 2 readiness report on request. Email info@dvlpstudio.com with "Security review" in the subject.
Per-client data isolation
Every customer receives a dedicated, isolated environment for their data. This is the most important security property of our products and is non-negotiable.
- Separate database instances. Each law firm or enterprise customer is provisioned a dedicated Supabase project — not a shared schema, not a multi-tenant database with row-level security as the only control.
- Separate storage buckets. Customer documents are stored in dedicated storage buckets with customer-specific access policies.
- Separate vector databases. Embeddings derived from your documents are stored in your dedicated vector store, never combined with any other customer's data.
- Separate access tokens. Each customer environment uses its own set of credentials. A compromised credential cannot reach another customer's environment.
Encryption
All data is encrypted both at rest and in transit using industry-standard cryptographic algorithms.
- At rest: AES-256 encryption for all stored data, including database records, document storage, and vector embeddings.
- In transit: TLS 1.3 for all network communication. HTTP requests redirect to HTTPS; HTTP Strict Transport Security (HSTS) is enforced.
- Key management: Encryption keys are managed by our infrastructure providers (AWS KMS and Supabase) with regular rotation.
- Application secrets: API keys, database credentials, and OAuth tokens are stored in encrypted secrets management and never committed to source control.
Access controls
Customer data is accessed only by authorized personnel under explicit need-to-know circumstances.
- Role-based access control (RBAC) on all customer-facing systems and admin interfaces.
- Multi-factor authentication (MFA) required for all DVLP Studio employee access to production systems.
- Principle of least privilege — engineers are granted the minimum access necessary to perform their function.
- Customer admin self-service — your firm controls user provisioning, role assignment, and revocation within your environment.
- Session management — automatic timeout after inactivity, configurable by customer admins.
ABA compliance for legal customers
For our Legal Intelligence customers, our security posture is designed around ABA Model Rule 1.6 (confidentiality), ABA Formal Opinion 512 on generative AI (July 2024), and state bar guidance where stricter.
Model Rule 1.6 — Confidentiality
Information relating to your firm's representation of clients is held in strict confidence. We do not access, view, share, or analyze your firm's documents except as required to provide the service and respond to support requests with your explicit authorization.
Opinion 512 — Generative AI
- No model training on your data. Your documents, queries, and outputs are never used to train any AI model — ours or any third party's. This is written into our Data Processing Agreement.
- Cited output. Every AI-generated answer includes citations to the specific source documents it relied on, enabling effective attorney supervision under Rule 5.3.
- Audit logs. Every query, every document accessed, and every draft generated is logged with timestamps and user IDs for your firm's audit records.
Engagement letter language
We provide standard engagement letter language for AI disclosure to clients, designed to satisfy ABA Rule 1.4 and applicable state bar guidance. Available on request.
Infrastructure providers
We operate on a small set of audited, enterprise-grade infrastructure providers.
- Hosting: AWS (US-West-2 primary region) and Vercel (for static assets and serverless functions). Both providers are SOC 2 Type II and ISO 27001 certified.
- Database: Supabase (PostgreSQL with row-level security, SOC 2 Type II certified).
- AI inference: Anthropic (Claude) and OpenAI for selected embedding operations. Both providers contractually commit not to train on customer API data.
- DNS and CDN: Cloudflare with DDoS protection and WAF rules enabled.
Incident response
We maintain a documented incident response plan that defines roles, communication procedures, and escalation paths in the event of a security incident.
- Detection: Continuous monitoring of system logs, error rates, and access patterns. Suspicious activity triggers automated alerts.
- Customer notification: If a security incident affects customer data, we notify affected customers within 72 hours of detection, consistent with GDPR Article 33 timing.
- Root cause analysis: All incidents result in a written post-mortem shared with affected customers, including remediation steps and prevention measures.
Audit & logging
Comprehensive logging is maintained for all access, queries, and changes to customer data.
- Authentication logs — every login, MFA event, and session creation.
- Access logs — every read or write operation against customer data, with user ID and timestamp.
- AI query logs — every prompt submitted, document retrieved, and response generated.
- Retention: Logs are retained for a minimum of 12 months. Customer admins can request audit log exports at any time.
Data Processing Agreement & legal terms
We provide a standard Data Processing Agreement (DPA) for all customers handling regulated or confidential data. The DPA covers GDPR controller/processor relationships, data residency, subprocessor management, and incident notification obligations.
For customers handling protected health information (PHI), we sign Business Associate Agreements (BAAs) on a case-by-case basis. Note that our standard products are not configured for HIPAA-regulated workloads — please contact us before processing PHI on our platform.
For security questions, vendor reviews, vulnerability reports, or incident disclosures:
- General security inquiries: info@dvlpstudio.com
- Existing customer security: support@dvlpstudio.com
- Responsible disclosure: If you've discovered a security vulnerability in our products, please report it to info@dvlpstudio.com with "Security disclosure" in the subject line. We acknowledge reports within one business day.