Encryption

In Transit

• Protocol: TLS 1.2 or higher for all HTTP connections.
• Enforcement: Managed by Vercel. All HTTP traffic is automatically redirected to HTTPS. Older TLS versions are rejected.
• Coverage: All connections between your browser and CaseProof, and between CaseProof servers and third-party APIs (Supabase, OpenAI, Stripe).

At Rest — Database

• Algorithm: AES-256
• Provider: AWS RDS (managed by Supabase)
• Scope: All database tables, including case data, user records, matter metadata, and generated outputs.

At Rest — File Storage

• Algorithm: AES-256
• Provider: Supabase Storage (S3-compatible)
• Scope: All uploaded evidence files, documents, and attachments.

Passwords

Passwords are never stored in plaintext. Authentication is handled by Supabase Auth, which uses bcrypt hashing. CaseProof does not have access to raw passwords at any point.

API Keys and Secrets

• All API keys and application secrets are stored as environment variables in the deployment environment.
• Secrets are never committed to source code or stored in the database.
• Access to production environment variables is restricted to authorized personnel.