Access Controls
Last updated: March 31, 2026
CaseProof enforces access controls at multiple layers so signed-in users can only access data for their workspace, and production access remains limited to authorized personnel.
Authentication
- Email/password authentication via Supabase Auth.
- Sessions are managed with short-lived JWTs. Refresh tokens are rotated on each use.
- Sessions expire after a period of inactivity.
Row-Level Security
Every database query is scoped to the authenticated user via PostgreSQL Row-Level Security (RLS). A user cannot query, read, or write another user's matters, files, or case data — even if they share the same database instance. RLS policies are enforced at the database level, not just the application layer.
Role-Based Access
- Admin: Can manage workspace billing, team membership, and firm settings in addition to normal case access.
- Attorney, paralegal, and expert: Sign in with individual logins and work inside the shared firm workspace; their permissions are those the application currently provides.
- Granular reviewer/viewer roles: Separate reviewer-only or viewer-only account types are not currently shipped.
Firm membership is enforced at the database layer, and admin-only actions are also enforced in application routes and server actions.
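As an added illustration, not CaseProof's own schema or policies, the per-user and per-workspace isolation described under Row-Level Security and the admin-only membership rule above, expressed as PostgreSQL RLS under Supabase Auth. The table names, columns and the is_workspace_admin helper are hypothetical; auth.uid() is Supabase's helper that returns the signed-in user's id from the request JWT.

```sql
-- Hypothetical tables (this page does not describe CaseProof's real schema).
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('admin', 'attorney', 'paralegal', 'expert')),
  primary key (workspace_id, user_id)
);
create table matters (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null
);
grant select, insert, update, delete on workspace_members, matters to authenticated;

-- With RLS enabled, a role without BYPASSRLS sees and changes only rows a policy
-- admits, whichever application route or server action issued the query.
alter table workspace_members enable row level security;
alter table matters           enable row level security;

-- Users read only their own membership rows. Policy subqueries are themselves
-- subject to RLS, so the matters policy below inherits this restriction.
create policy members_self on workspace_members
  for select to authenticated
  using (user_id = auth.uid());
-- Read and write matters only inside a workspace the caller belongs to.
create policy matters_member_access on matters
  for all to authenticated
  using      (workspace_id in (select workspace_id from workspace_members where user_id = auth.uid()))
  with check (workspace_id in (select workspace_id from workspace_members where user_id = auth.uid()));

-- Admin check as a security definer function: it runs as the table owner, who is
-- exempt from RLS unless FORCE is set, so it avoids self-referencing policy recursion.
create function is_workspace_admin(ws uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from workspace_members
                 where workspace_id = ws and user_id = auth.uid() and role = 'admin');
$$;
-- Admin-only action enforced at the database layer: only a workspace admin
-- may add, change, or remove members.
create policy members_admin_manage on workspace_members
  for all to authenticated
  using (is_workspace_admin(workspace_id)) with check (is_workspace_admin(workspace_id));

-- Check (constructed): act as one signed-in user. auth.uid() reads the sub claim from
-- request.jwt.claims; matters in workspaces this user does not belong to must not
-- appear, and an insert into such a workspace is rejected by the with check clause.
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
select count(*) from matters;
rollback;
```

Running the check against a database seeded with matters in two workspaces, only one of which lists the constructed user as a member, is the quickest way to confirm the policies hold without relying on the application layer.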
CaseProof Staff Access
CaseProof personnel do not have routine access to customer matter data by default. Production access is restricted to a limited set of authorized personnel for support, security, and legal compliance needs, and that access is logged.
Audit Logs
Critical actions — including file uploads, deletions, chronology generation, and exports — are logged with the authenticated user ID, timestamp, and IP address when available. Audit logs are stored in Supabase and are available in the in-app case audit screen for signed-in workspace members who can access that case.
Session Management
- JWTs are short-lived and must be refreshed periodically.
- Refresh tokens are rotated on each use, preventing token reuse after logout.
- Logging out invalidates the current session immediately.