Public Beta — Pre-Release Software — ProSeAI is a pre-release AI virtual assistant. Not a substitute for a licensed attorney, legal advice, or qualified legal counsel. All AI outputs must be independently verified.
Security & Privacy

Your Legal Documents Deserve Bank-Grade Protection

When you share your eviction notice, bankruptcy filing, or custody documents with ProSeAI, you are trusting us with some of the most sensitive information in your life. We take that responsibility seriously. Here is exactly how we protect it.

  • 🔒 AES-256-GCM: at-rest encryption
  • 🛡️ TLS 1.2+: in-transit encryption
  • 🚫 Zero Data Sales: we never sell your data
  • 🗑️ Delete Anytime: CCPA right to erasure
  • 📋 CCPA + GDPR: privacy law compliant
  • 🔐 Zero-Knowledge DB: encrypted before storage

Defense in Depth

Eight Layers of Security

LAYER 01

Transport Encryption

TLS 1.2+ on every connection

  • All traffic between your browser and ProSeAI is encrypted using TLS 1.2 or higher
  • HTTP connections are automatically redirected to HTTPS (301 redirect)
  • HTTP Strict Transport Security (HSTS) enforced with a 1-year max-age and preload
  • Your documents and messages are never transmitted in plaintext
LAYER 02

At-Rest Encryption

AES-256-GCM field-level encryption

  • Every document you create is encrypted with AES-256-GCM before being written to the database
  • Every chat message is encrypted individually with a unique random initialization vector (IV)
  • Case descriptions and sensitive case details are encrypted at the field level
  • Even a complete database dump is useless without the encryption key — which is never stored in the database
  • Authentication tag (128-bit) detects any tampering with encrypted data
LAYER 03

HTTP Security Headers

Industry-standard browser protections

  • Content Security Policy (CSP) — prevents cross-site scripting (XSS) attacks
  • X-Frame-Options: DENY — prevents clickjacking by blocking iframe embedding
  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing attacks
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer information leakage
  • X-Powered-By header removed — no server fingerprinting
LAYER 04

Authentication & Sessions

Manus OAuth with signed HttpOnly cookies

  • ProSeAI never stores or sees your password — authentication is handled by Manus OAuth
  • Session cookies are HttpOnly (JavaScript cannot read them), Secure (HTTPS only), and SameSite
  • Session tokens are signed with a JWT secret — tampered tokens are rejected
  • All protected API routes verify your session on every request
  • Logout immediately invalidates your session server-side
LAYER 05

Rate Limiting & Abuse Prevention

Multi-tier protection against automated attacks

  • Global rate limit: 200 requests per 15 minutes per IP
  • Authentication endpoints: 20 requests per 15 minutes (brute-force protection)
  • AI/LLM endpoints: 30 requests per minute (prevents abuse)
  • Form submissions: 10 per hour (prevents spam)
  • 12-pattern prompt injection filter blocks jailbreak attempts before they reach the AI
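The tiers listed above can be enforced with a sliding-window limiter keyed on client IP. The block below is an added example, not ProSeAI's code: it encodes the page's four limits as a table, keeps a per-key log of request timestamps, answers with the remaining budget and a retry delay, and applies both the global and the route-specific tier to each request. The route prefixes (`/api/auth`, `/api/ai`, `/api/forms`) and tier names are assumptions for illustration.

```javascript
// Added example, not ProSeAI's code: multi-tier sliding-window rate limiter.

// Limits as stated on the page (window in milliseconds, max requests per key).
const TIERS = {
  global: { windowMs: 15 * 60 * 1000, max: 200 }, // 200 / 15 min per IP
  auth:   { windowMs: 15 * 60 * 1000, max: 20 },  // 20 / 15 min (brute-force protection)
  ai:     { windowMs: 60 * 1000,      max: 30 },  // 30 / minute
  forms:  { windowMs: 60 * 60 * 1000, max: 10 },  // 10 / hour
};

// Sliding-log limiter: stores the timestamps of recent hits per (tier, key).
class SlidingWindowLimiter {
  constructor(tiers = TIERS) {
    this.tiers = tiers;
    this.hits = new Map();
  }

  // Record one request and decide. Returns { allowed, remaining, retryAfterMs }.
  check(tier, key, now = Date.now()) {
    const cfg = this.tiers[tier];
    if (!cfg) throw new Error(`unknown rate-limit tier: ${tier}`);
    const id = `${tier}:${key}`;
    const cutoff = now - cfg.windowMs;
    const log = (this.hits.get(id) || []).filter((t) => t > cutoff); // drop expired hits
    if (log.length >= cfg.max) {
      this.hits.set(id, log);
      // Oldest hit in the window leaves the window at log[0] + windowMs.
      return { allowed: false, remaining: 0, retryAfterMs: log[0] + cfg.windowMs - now };
    }
    log.push(now);
    this.hits.set(id, log);
    return { allowed: true, remaining: cfg.max - log.length, retryAfterMs: 0 };
  }
}

// Map a route to its tier (hypothetical prefixes); null means global limit only.
function tierForRoute(route) {
  if (route.startsWith('/api/auth')) return 'auth';
  if (route.startsWith('/api/ai')) return 'ai';
  if (route.startsWith('/api/forms')) return 'forms';
  return null;
}

// Per-request decision: the global tier always applies, then the route tier.
// A request refused by its route tier still counts against the global budget.
function admit(limiter, route, ip, now = Date.now()) {
  const g = limiter.check('global', ip, now);
  if (!g.allowed) return { status: 429, retryAfterMs: g.retryAfterMs };
  const tier = tierForRoute(route);
  if (tier) {
    const r = limiter.check(tier, ip, now);
    if (!r.allowed) return { status: 429, retryAfterMs: r.retryAfterMs };
  }
  return { status: 200 };
}

// Constructed demo: 21 login attempts from one address inside a second.
const demo = new SlidingWindowLimiter();
let verdict;
for (let i = 0; i <= 20; i++) verdict = admit(demo, '/api/auth/login', '203.0.113.5', 1000000 + i);
console.log('21st login attempt:', verdict);
```

Keeping the per-key log in a `Map` is enough for a single process; behind several application servers the same logic would run against a shared store so that an attacker cannot multiply the budget by spreading requests across instances.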
LAYER 06

Access Controls & Data Isolation

Your data is only accessible to you

  • Every database query is scoped to your user ID — you cannot access another user's data
  • File uploads require authentication — unauthenticated uploads are rejected
  • All sensitive operations are logged to an audit trail
  • Admin operations require a separate admin role — regular users cannot access admin functions
  • Error messages never expose internal server paths, stack traces, or database structure
LAYER 07

Audit Logging

Complete record of data access and changes

  • Every document creation, update, and deletion is logged with timestamp and IP address
  • Every chat message is logged (encrypted) for security monitoring
  • Account changes (including deletion requests) are logged
  • File uploads and downloads are recorded
  • Audit logs are retained for 12 months
LAYER 08

Your Right to Delete

CCPA & GDPR compliant data deletion

  • You can request deletion of your account and all associated data at any time
  • Deletion requests are processed within 30 days (as required by CCPA)
  • You can cancel a deletion request within the 30-day window
  • After 30 days, all your data — documents, chat history, case files — is permanently purged
  • We will never sell, rent, or share your personal information with third parties
Regulatory Compliance

Privacy Law Compliance

CCPA: Compliant

California Consumer Privacy Act

  • Right to know what data we collect
  • Right to delete your data
  • Right to opt out of data sales (we never sell data)
  • Privacy Policy published and accessible
GDPR: Compliant

General Data Protection Regulation (EU/UK)

  • Lawful basis for processing (contract performance)
  • Right to erasure (delete account feature)
  • Data minimization — we only collect what is necessary
  • Privacy Policy with required disclosures
PCI DSS: Delegated to Stripe

Payment Card Industry Data Security Standard

  • ProSeAI never handles, stores, or transmits raw card numbers
  • All payment processing is handled by Stripe (PCI DSS Level 1 certified)
  • Stripe is the most widely trusted payment processor in the world
SOC 2: Roadmap — Q4 2026

Service Organization Control 2

  • Transport encryption (TLS 1.2+) ✓
  • At-rest encryption (AES-256-GCM field-level) ✓
  • Audit logging (12-month retention) ✓
  • Access controls (JWT + HttpOnly sessions) ✓
  • Rate limiting & brute-force protection ✓
  • Vulnerability disclosure program (security.txt) ✓
  • Vanta automated compliance monitoring — enrolling Q3 2026
  • Formal SOC 2 Type II audit — target Q4 2026

SOC 2 Type II Certification Roadmap

ProSeAI is pursuing SOC 2 Type II certification — the gold standard for cloud security audits. The technical controls required for SOC 2 are already implemented. We are now formalizing the audit evidence process with Vanta automated compliance monitoring. Below is our public roadmap.

Q2 2026 — Complete
Technical Controls
  • AES-256-GCM encryption
  • Audit logging
  • Rate limiting
  • Security headers
  • Vulnerability disclosure
Q3 2026 — In Progress
Compliance Automation
  • Vanta enrollment
  • Evidence collection
  • Policy documentation
  • Vendor risk assessment
  • Penetration test
Q4 2026 — Target
Formal Audit
  • SOC 2 Type II audit
  • Auditor engagement
  • Report publication
  • Customer-facing trust portal
  • Annual re-certification

Attorney subscribers will receive the SOC 2 report upon completion. Enterprise customers may request a current security posture summary at [email protected].

What We Will Never Do

  • Sell your personal information or legal documents to third parties
  • Share your data with advertisers, data brokers, or marketing companies
  • Store your raw credit card numbers or payment details (Stripe handles all payments)
  • Use your legal documents to train AI models without explicit consent
  • Access your documents for any purpose other than providing the service you requested
  • Retain your data after you request deletion (beyond the 30-day grace period)

Security Questions or Concerns?

If you discover a security vulnerability or have questions about how we protect your data, please contact us immediately.

🔒 [email protected]