Summary
Juris is built to the SOC 2 Trust Services Criteria and our internal Kwata Security Standard, and is aligned with PIPEDA and Alberta PIPA. Your data is encrypted, isolated per firm, never used to train AI, and never sold, and it is yours to export or delete anytime. A formal third-party SOC 2 attestation and ISO 27001 certification are on our roadmap. Security questions: security@kwatateam.com.
Frameworks we align with
We hold ourselves to recognized privacy and security frameworks. We use precise language about where we stand: we describe what we are built to and aligned with, and we are explicit about what is on our roadmap versus held today.
To be clear on terminology: SOC 2 is an independent attestation and ISO 27001 is a certification — both are pursued through accredited third parties, and we will say we hold them only once we do. Today, Juris is engineered to meet those criteria and we operate a documented internal standard.
How we protect your data
Our controls map to the SOC 2 Trust Services Criteria and our internal PESNO standard:
- ·Encryption at rest and in transit. All data moving to and from Juris is protected with TLS 1.2+/1.3. Every uploaded document, its extracted text, and its search-index entries are encrypted at rest under a key unique to your firm — stored files, database text, and the search index hold ciphertext only. Storage is schema-per-tenant and access-controlled.
- ·Isolated per firm. Each firm's data lives in a dedicated, logically separated tenant — never co-mingled with another firm's.
- ·Least-privilege access. Role-based access, optional two-factor authentication (TOTP), and signed sessions that can be revoked server-side.
- ·Privilege protection. Documents you flag as privileged are excluded from all AI processing at the data layer — they are never sent to any AI provider.
- ·Audit logging. Significant actions — document access, AI processing, case changes — are logged and retained.
- ·Monitoring & backups. Continuous health monitoring, automated backups, and an incident-response and breach-notification process.
- ·Secure by design. Input validation, protections against common web vulnerabilities (OWASP Top 10), security headers, and a build pipeline that blocks unverified releases.
Where your data lives, and how AI is handled
All core data — accounts, cases, documents, and audit logs — is stored on infrastructure we operate directly, not on third-party SaaS. Your data is never used to train AI and never sold, and it is yours to export or delete at any time.
AI features can be enabled or disabled per case, and any document you mark privileged is excluded from all AI processing — it is filtered out at the database-query level and never embedded or sent to our AI provider. When AI is used, only the relevant, non-privileged excerpts needed to answer your request are sent to our AI provider, which is contractually prohibited from training its models on your data (zero-data-retention terms). We never sell your data and never use your case content to train AI. Full details — including our subprocessors — are in our Privacy Policy.
What we don't do
- ·We do not sell your personal information or case data — ever.
- ·We do not use your case content to train AI models.
- ·We do not share data with advertising networks, data brokers, or third-party analytics companies (our analytics are self-hosted).
- ·We do not expose privileged documents to AI.
On our roadmap
We are pursuing the credentials that let firms verify our posture independently:
- ·A formal SOC 2 Type II attestation through an accredited auditor.
- ·ISO/IEC 27001 certification.
- ·Continuous, automated monitoring of our public security posture across every Kwata product.
Report a vulnerability
If you believe you've found a security issue, please email security@kwatateam.com. We investigate every report and will acknowledge yours promptly. Please give us a reasonable window to remediate before any public disclosure.
Juris is operated by Kwata Team.