Compliance posture

Where we are today.

We don't oversell what we have. Here's the current state, item by item.

SOC 2 Type II

In progress

Audit window underway. We can share our current control framework, monitoring posture, and progress under NDA during a procurement review.

HIPAA-aligned posture

Today

Encryption, access controls, audit logging, and data segregation align with HIPAA Security Rule requirements. BAA execution available on the Advanced tier; full BAA-eligible posture across all subprocessors on roadmap.

Encryption in transit

Today

TLS 1.3 across every surface: client intake, admin console, voice agent, and integrations. No exceptions.

Encryption at rest

Today

AES-256 at rest across application database, file storage, and backups. Field-level encryption for sensitive intake data on roadmap.

Right to be forgotten

Today

Two-click client redaction for GDPR and CCPA requests. PII is scrubbed in place; matter audit trails are preserved for bar-association recordkeeping.

Penetration testing

Pre-GA

Independent third-party penetration test scheduled before general availability. Report available to enterprise customers under NDA on completion.

How we handle your data

The protections, in plain language.

Authentication

Today

Email and password for admin access. Magic-link tokens for client intake, hashed at rest, with a 14-day sliding expiry and instant revocation.

Tenant isolation

Today

Every workspace's data is scoped at the database query layer. Cross-tenant access is impossible by construction, not by convention.

Audit logging

Today

Every field edit, override, conflict-check decision, and admin action is recorded with editor, timestamp, and version. Exportable for bar-association review.

Voice call recording

Today

Recordings and transcripts are encrypted at rest. Retention is configurable per workspace. TCPA-compliant consent capture at call start.

Subprocessor list

Today

Available on request and updated when material changes occur. We notify customers in advance of any subprocessor change that affects data handling.

Data residency

Q3

US data centers by default. EU residency for Advanced-tier customers that require it.

Backup & recovery

Today

Continuous database replication. Off-platform encrypted backups with 30-day retention and tested restore procedures.

SSO & access reviews

Advanced

SAML and OIDC SSO (Google, Microsoft, Okta) plus quarterly automated access reviews on the Advanced tier.
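To make the Authentication item concrete, here is an added illustration (not our product code) of how a magic-link token store can satisfy the three properties listed there: only a hash of the token is kept, each successful use slides the expiry forward 14 days, and revocation takes effect immediately. The in-memory store, the `MagicLinkStore` name and the injectable clock are assumptions for the example.

```python
"""Magic-link tokens: hashed at rest, 14-day sliding expiry, instant revocation.
Constructed example with an in-memory store; a real deployment would persist
the same records in a database."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

SLIDING_WINDOW = timedelta(days=14)  # expiry window stated on the page


@dataclass
class TokenRecord:
    client_id: str
    expires_at: datetime
    revoked: bool = False


class MagicLinkStore:
    """Records are keyed by the SHA-256 digest of the token. The raw token is
    handed back once, to embed in the link, and never stored, so a copy of the
    store does not yield usable links."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now  # injectable clock (assumption) so expiry is testable
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = TokenRecord(client_id, self._now() + SLIDING_WINDOW)
        return token

    def verify(self, token: str) -> Optional[str]:
        """Return the client id if the link is live, else None.
        Each successful use slides the expiry forward by 14 days."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec.revoked or self._now() >= rec.expires_at:
            return None
        rec.expires_at = self._now() + SLIDING_WINDOW
        return rec.client_id

    def revoke(self, client_id: str) -> int:
        """Revoke every live link for a client at once; returns how many."""
        count = 0
        for rec in self._records.values():
            if rec.client_id == client_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count
```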
Reporting a vulnerability

If you discover a vulnerability, please report it directly to security@northernplus.com. We acknowledge reports within one business day, triage within three, and disclose responsibly, crediting the reporter if they wish.

We do not pursue legal action against good-faith security research conducted under standard responsible-disclosure norms.

Vendor questionnaire?

We respond to security and procurement questionnaires within five business days. Bring yours to your demo or send it ahead.