TrustSecurity FAQ
Security questions, plainly answered.
The questions procurement officers, CISOs, and outside counsel ask before they sign. Answered the way we’d answer them on a call — directly, with the same language we use in the DPA, without marketing softening.
Where is matter data stored?
- Inside the customer’s tenant, in Microsoft Azure US regions by default (West US 2 and East US 2). Each firm’s matters live in an isolated Azure Cosmos DB partition with per-firm encryption keys. International deployment is configurable per tenant and is never automatic.
How is authentication handled?
- Microsoft Entra ID single sign-on by default. SAML and OIDC federation available on enterprise plans for customers running their own identity provider. Every endpoint enforces authentication; multi-factor authentication is supported and recommended for all users.
How is authorisation enforced?
- Azure RBAC at the platform layer; application-level role and matter-scope checks at every endpoint. The supervisor pattern enforces tenant boundaries at the orchestration layer — sub-agents cannot reach across tenants by construction.
How is data encrypted?
- TLS 1.2+ in transit. Azure-managed keys at rest by default. Customer-managed keys via Azure Key Vault available on enterprise plans — the firm holds the key material, JustineAI™ holds the access to use it. Key rotation is supported on demand.
Are customer matter data used for training?
- No. Eve-Genesis (Law Edition) — the synthetic-data substrate that fine-tunes the legal reasoner — is 100% synthetic by construction. Customer matter data is processed only to generate the requested artifacts. The training discipline is structural: the customer-data partition and the training-data partition are in different Azure subscriptions, under different identities, with no path between them.
What inherited attestations apply?
- The Microsoft Azure platform layer holds ISO 27001, ISO 27018, SOC 1/2/3, PCI DSS, and HITRUST CSF attestations, inherited as the foundation layer. JustineAI™’s own product-level attestation roadmap is tracked separately and surfaced on the Trust posture page as each is finalised.
How is incident response handled?
- Customers are notified of security incidents affecting their data in accordance with applicable US state breach-notification laws (including Cal. Civ. Code § 1798.82). State Attorneys General are notified as required by the laws of affected residents’ states. The JustineAI™ incident-response runbook is available under NDA for procurement review.
How are subprocessors handled?
- Subprocessors are documented on the subprocessors page; each is bound by a written agreement with data-protection commitments at least as protective as the customer agreement. Material changes are communicated to customers in advance via the DPA notification mechanism.
How is access to customer data logged?
- Every user action and every reasoning step taken by the supervisor or sub-agents is logged to Azure Monitor with actor identity, timestamp, action, and matter reference. Logs are retained for the contractual period (default seven years) and exportable as tamper-evident JSON for litigation discovery, ethics review, or malpractice insurance audit.
How is networking configured?
- Service-to-service traffic stays inside the Azure backbone via private endpoints. No backend services have public ingress in production. Web Application Firewall policies and CSP headers are enforced on every public surface.
How is data deleted?
- On written deletion request, personal information is deleted or anonymised within 90 days, subject to legal-hold and contractual retention obligations. Tenant deletion is cryptographically verifiable: customer-managed keys are revoked at the firm’s direction, after which the encrypted matter data is unreadable.
Is a Data Processing Agreement available?
- Yes. Eve-Legal, LLC enters into a DPA with customers where required, including for residents of states with comprehensive consumer-privacy laws. The DPA template enumerates each subprocessor and the corresponding data-protection commitments. Request via legal@justineai.com.