
Statular

Security

Security built for licensed attorneys and their clients.

Statular protects licensed attorneys and their clients' data through enterprise-grade security measures. This page describes the security program and technical controls we use to keep that data confidential, available, and trustworthy. For details on how we collect, use, and share personal information, see our privacy policy.

AES-256 at rest, TLS 1.2+ in transit
Multi-factor authentication
US-based infrastructure

Program & people

Organizational security

Security is a company-wide responsibility at Statular. Our policies are designed so the people who handle your data are aligned with the controls that protect it.

Information security program

We maintain an information security program aligned to the SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy).

Security assessments

Our infrastructure providers undergo independent third-party audits. Statular performs regular security assessments of its own, including vulnerability scans of the application.

Endpoint and physical safeguards

Company-issued devices are encrypted and protected with strong authentication, including hardware security keys for sensitive systems.

Infrastructure

Cloud and infrastructure security

Statular runs on hardened, US-based cloud infrastructure operated by trusted providers.

Hardened cloud infrastructure

Statular is hosted on Amazon Web Services in the United States. AWS provides physical security, network isolation, and platform-level controls under their published security and compliance program.

Encryption in transit

All traffic between your browser, the Statular application, and our backend services is encrypted with TLS 1.2 or higher. HTTPS is enforced and we refuse insecure connections.

Encryption at rest

Databases, document storage, and database backups are all encrypted at rest with AES-256.

Logging and monitoring

Application, infrastructure, and security events are continuously logged and monitored. Anomalies and failures generate alerts so the engineering team can respond quickly.

Vulnerability management

We continuously scan for known vulnerabilities in our dependencies, container images, and infrastructure. Findings are triaged based on severity and exploitability.

Access control

Access and authentication

Access to user data is tightly scoped and reviewed on a regular cadence. Strong authentication is required across the company.

Multi-factor authentication

Multi-factor authentication (MFA) is mandatory for all Statular employees on production systems and sensitive tools. MFA is offered for every customer account, and we strongly recommend that attorneys and firm administrators enable it across their team.

Activity audit trail

Each matter maintains an activity audit trail that records who changed what and when. Attorneys and firm administrators can review the audit trail to support oversight, conflict checks, and investigations.

Strong credentials

All team members are required to use strong, unique passwords and to use a company-approved password manager.

Least-privilege access

Access to production systems is limited to roles that require it.

AI & subprocessors

AI data privacy and subprocessors

Statular uses AI to support features such as document review, drafting assistance, and flowchart generation. We protect user data and prevent it from being used for AI training.

No training on customer data

Statular does not train AI models on your data. Where we use AI subprocessors—such as OpenAI, Anthropic, or Google—we do so under terms that prohibit them from training their models on your data.

Vetted, US-based providers

AI providers go through the same vendor risk review as any other subprocessor: SOC 2 attestation, data residency, retention terms, and contractual privacy commitments are evaluated before approval.

Human in the loop

All outputs produced by Statular's AI systems are first drafts subject to attorney review and explicit acceptance prior to being used in any documents.

Engineering

Application security and development

Security is built into how we design, write, and review code.

Secure development lifecycle

Engineers follow secure coding practices, mandatory code review, automated tests, and integration checks before code reaches production. Sensitive changes go through additional review.

Patch and update management

Application dependencies and underlying infrastructure are kept current with security patches via regular, automated reviews.

Data isolation

Every request that reads or writes a matter, document, or other record is checked against the requesting user's ownership of that record before any data is returned or changed, so one customer cannot reach another customer's data (for example, by supplying a guessed record identifier).
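The pattern behind the ownership check above, and the "who changed what and when" audit record described under Activity audit trail, as an added illustration that is not Statular's code. The firm, matter, and document tables, the user names, and the helper functions are assumptions constructed for the example; the unscoped lookup is shown beside the scoped one to make the difference concrete.

```python
# Added example, not Statular's code: per-request ownership checks for a
# multi-tenant document store, with the unscoped lookup shown beside the
# scoped one. Firm/User/Matter/Document and the in-memory tables are
# assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when the caller may not see or change the requested record."""


@dataclass(frozen=True)
class User:
    user_id: str
    firm_id: str


@dataclass(frozen=True)
class Matter:
    matter_id: str
    firm_id: str
    members: frozenset  # user_ids permitted on this matter


@dataclass
class Document:
    doc_id: str
    firm_id: str
    matter_id: str
    content: str


# Constructed sample data: two firms, one matter each.
MATTERS = {
    "m-1": Matter("m-1", "firm-a", frozenset({"alice"})),
    "m-2": Matter("m-2", "firm-b", frozenset({"mallory"})),
}
DOCUMENTS = {
    "doc-1": Document("doc-1", "firm-a", "m-1", "Firm A engagement letter"),
    "doc-2": Document("doc-2", "firm-b", "m-2", "Firm B memo"),
}
# (when, who, action, doc_id): the "who changed what and when" record.
AUDIT_TRAIL = []

ALICE = User("alice", "firm-a")      # member of m-1
BOB = User("bob", "firm-a")          # same firm, but not on m-1
MALLORY = User("mallory", "firm-b")  # different firm


def get_document_unscoped(doc_id):
    """The weak pattern: resolves the record by id alone, so any caller who
    knows or guesses an id receives another tenant's document."""
    return DOCUMENTS[doc_id]


def get_document(user, doc_id):
    """Ownership-scoped read: the id is only resolved inside the caller's firm,
    and the caller must be a member of the matter the document belongs to."""
    doc = DOCUMENTS.get(doc_id)
    # One error for "does not exist" and "not yours": a distinguishable
    # response would confirm to an attacker that the id is valid.
    if doc is None or doc.firm_id != user.firm_id:
        raise AccessDenied("document not found")
    matter = MATTERS[doc.matter_id]
    if matter.firm_id != user.firm_id or user.user_id not in matter.members:
        raise AccessDenied("document not found")
    return doc


def update_document(user, doc_id, new_content):
    """Writes pass through the same check as reads, and every accepted change
    is appended to the audit trail."""
    doc = get_document(user, doc_id)
    doc.content = new_content
    AUDIT_TRAIL.append((datetime.now(timezone.utc), user.user_id, "update", doc_id))
    return doc


def can_read(user, doc_id):
    """Yes/no form of the check for callers that do not need the record."""
    try:
        get_document(user, doc_id)
        return True
    except AccessDenied:
        return False
```

The important property is that the scoped lookup never consults the document table with the id alone: firm membership is part of the query, and matter membership is checked before the record is handed back, for writes as well as reads.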

Incident response

Incident response and continuity

If something goes wrong, we want to know quickly, respond decisively, and learn from it.

Continuous monitoring and on-call

Production systems are monitored continuously. Team members are available to respond to incidents and security alerts 7 days a week.

Customer notification

If a security incident affects customer data, we will notify impacted customers promptly with details and remediation steps.

Post-incident review

Every significant incident is followed by a written post-mortem with root-cause analysis and corrective actions. Findings feed directly back into the security program.

Vendor risk

Vendor and risk management

Subprocessors are part of the security perimeter. We pick them carefully and review them on an ongoing basis.

Vendor risk reviews

Every subprocessor is reviewed before it is approved. We evaluate SOC 2 or equivalent attestations, data residency, retention terms, contractual privacy commitments, and incident history.

SOC 2-attested infrastructure

Statular uses SOC 2-attested service providers for the foundational layers of our platform—including hosting, storage, identity, payments, and email delivery.

Compliance

Compliance and certifications

We hold ourselves and our subprocessors to recognized standards. Where customers have specific compliance requirements, our security team is happy to walk through them in detail.

SOC 2

Statular's information security program is aligned to the SOC 2 Trust Services Criteria, and our foundational infrastructure providers maintain current SOC 2 attestations.

ISO/IEC 27018

Statular's cloud infrastructure provider, Amazon Web Services, maintains ISO/IEC 27018 certification, the international code of practice for protecting Personally Identifiable Information (PII) in public clouds. That certification covers the AWS platform Statular runs on; Statular's own controls are the ones described on this page.

Data residency

Customer data is hosted in the United States across our database and document storage tiers.

Privacy

We honor data deletion and export requests in accordance with our terms and applicable privacy law.

This page describes our current security program and is provided for informational purposes. Specific contractual commitments may be set forth in a master subscription agreement, data processing agreement, and the Statular privacy policy and terms of service. We review and update this program at least annually, or sooner if our operations or the threat landscape change materially.

FAQ

Frequently Asked Questions

Common questions from procurement, IT, and compliance teams evaluating Statular. For anything not covered here, reach us at contact@statular.com.

Statular reserves the right to update this policy as our operations, infrastructure, or the threat landscape evolves. Material changes will be reflected on this page.
