Security & Compliance

Security by Architecture,
Not Afterthought

Zero trust. Tenant isolation at every layer. 21 automated regression tests. 8 confidentiality classes. Immutable hash-chained audit trail.

Built for FedRAMP-aligned ATO evaluation.

21 security regression tests
8 confidentiality classes
36 audit action types
10 security test categories

Tenant Isolation

Every query, every document retrieval, every search operation is scoped to the authenticated tenant. There is no system-level query that can bypass tenant boundaries.

Row-level security enforced on every database query
Per-tenant object storage with separate MinIO prefixes
Per-tenant Elasticsearch index filtering on all searches
21 regression tests enforce cross-tenant denial with sealed/restricted variants

Identity & Access Control

Four-layer authorization model: gateway identity check, service-level policy enforcement, document confidentiality verification, and UI action visibility — with the server always authoritative.

OIDC/OAuth2 integration with Keycloak (SSO/MFA)
Layered RBAC/ABAC: gateway → service → document → UI
Court-scope claims in JWT tokens enforce operational boundaries
Break-glass access with mandatory separate audit event

Data Protection

PII is systematically excluded from logs, metrics, and Temporal workflow search attributes. The PiiScrubber class removes SSN patterns and email addresses from all observable outputs.

TLS 1.3 for all inter-service communication
AES-256 encryption at rest for PostgreSQL, object store, and search indices
Field-level encryption for high-sensitivity PII (SSN, financial data)
Temporal payload codec for workflow data encryption
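The scrubbing described above (and verified by test category 8 below), as an added illustration rather than the platform's own PiiScrubber: it rewrites the dashed SSN form and email addresses in plain strings and in nested structures such as a workflow's search attributes, and a companion check confirms nothing matching survives. The field names in the sample and the email regex are assumptions.

```python
import re

# Dashed SSN form (XXX-XX-XXXX) as named on the page; the email pattern is a
# common approximation and not the platform's exact regex.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class PiiScrubber:
    """Illustrative scrubber for anything about to be logged, emitted as a
    metric label, or stored as a Temporal search attribute."""

    def scrub_text(self, text: str) -> str:
        text = SSN_RE.sub("[SSN]", text)
        return EMAIL_RE.sub("[EMAIL]", text)

    def scrub(self, value):
        """Walk nested dicts/lists so structured log fields are covered too."""
        if isinstance(value, str):
            return self.scrub_text(value)
        if isinstance(value, dict):
            return {k: self.scrub(v) for k, v in value.items()}
        if isinstance(value, (list, tuple)):
            return type(value)(self.scrub(v) for v in value)
        return value  # numbers, bools, None pass through unchanged


def contains_pii(value) -> bool:
    """Verification helper: True if any string in `value` still matches."""
    if isinstance(value, str):
        return bool(SSN_RE.search(value) or EMAIL_RE.search(value))
    if isinstance(value, dict):
        return any(contains_pii(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_pii(v) for v in value)
    return False


# Constructed sample: a workflow's search attributes before scrubbing.
SAMPLE_ATTRIBUTES = {
    "caseNumber": "1:24-cv-00123",
    "filedOn": "2024-03-15",
    "filerContact": "jane.doe@example.com",
    "notes": ["claimant SSN 123-45-6789 on page 2", "fee paid"],
}
```

The dashed pattern is the one the page names; an undashed nine-digit number passes through untouched, so confirm whether your outputs can carry that form before relying on this alone.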

Document Security

Document confidentiality is enforced at storage, search, API, and UI layers. A sealed document cannot be found in search, retrieved via API, or rendered in the UI without the appropriate role grant.

8 confidentiality classes from PUBLIC to GRAND_JURY_6E
Sealed and restricted document access requires specific roles (SEALED_VIEWER, JUDGE)
Legal hold prevents deletion and export purge
Every document access logged to immutable audit trail

Audit Trail

Every write operation across the entire platform produces an immutable audit event with the configuration snapshot that governed the decision. Tampering is detectable through hash chain verification.

Append-only PostgreSQL rules prevent UPDATE/DELETE on audit tables
Hash-chained entries: each event links to the previous tenant audit hash
36 action types covering filing, case, docket, document, deadline, notice, fee, workflow, snapshot, appeal, security, integration, and tenant lifecycle
Package provenance (snapshotId, decisionTraceId, packageComponentId) on every audited event
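The hash-chained audit trail described above, as an added example that is not the platform's code: each entry carries the previous entry's hash for the same tenant, and verification recomputes every hash and link so that an in-place edit or a removed entry is reported at the first entry that no longer checks out. The action names, the GENESIS sentinel and the camel-case field names are assumptions; only snapshotId, decisionTraceId and packageComponentId follow the page.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel link for a tenant's first entry


def canonical(body: dict) -> bytes:
    """Deterministic serialization: the hash must not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict) -> dict:
    """Append one event, linking it to the previous entry's hash.
    `chain` holds a single tenant's entries in insertion order."""
    body = dict(event, prev_hash=chain[-1]["hash"] if chain else GENESIS)
    body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain: list) -> tuple:
    """Recompute every hash and link. Returns (True, -1) or (False, bad_index)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev_hash") != expected_prev:
            return False, i  # an earlier entry was removed or reordered
        if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False, i  # this entry's content was edited in place
        expected_prev = entry["hash"]
    return True, -1


# Constructed sample events for one tenant (values made up for illustration).
SAMPLE_EVENTS = [
    {"tenantId": "court-a", "action": "FILING_SUBMITTED", "snapshotId": "snap-001",
     "decisionTraceId": "trace-001", "packageComponentId": "pkg-filing-1"},
    {"tenantId": "court-a", "action": "DOCUMENT_SEALED", "snapshotId": "snap-001",
     "decisionTraceId": "trace-002", "packageComponentId": "pkg-doc-7"},
    {"tenantId": "court-a", "action": "PRIVILEGED_ACCESS", "snapshotId": "snap-001",
     "decisionTraceId": "trace-003", "packageComponentId": "pkg-mcp-1"},
]


def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    return chain
```

A chain by itself only catches edits that are not followed by recomputing every later hash; the append-only rules on the audit tables are what stop that rewrite.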

Operational Security

AI-assisted operations through the Model Context Protocol are governed by the same security model as human operations — with additional approval gates for any mutation.

MCP mutations require explicit human approval (_approval: true flag)
Per-user rate limiting (60 requests/minute on MCP operations)
Segregation of duties: package author cannot approve their own package
Every MCP invocation emits PRIVILEGED_ACCESS audit event

8 Document Confidentiality Classes

Every document in the system is assigned a confidentiality class that governs access at storage, search, API, and UI layers.

PUBLIC

Available to all authenticated users and PACER public access. Default classification for most filings.

SEALED CASE

Entire case sealed by court order. Requires SEALED_VIEWER role. Invisible in public search and PACER.

SEALED DOCUMENT

Individual document sealed within a public case. Docket entry visible; document content restricted to SEALED_VIEWER.

RESTRICTED DOCUMENT

Document restricted to case participants only. Excluded from public PACER access and general search results.

EX PARTE

Visible only to the filing party and the judge. Opposing counsel has no access until the court lifts the restriction.

IN CAMERA

Judicial eyes only. Submitted for private review by the judge — not accessible to any party or clerk without explicit grant.

CIPA CLASSIFIED

Classified Information Procedures Act material. Requires security clearance verification and SCIF-level access controls.

GRAND JURY 6E

Protected under Federal Rule of Criminal Procedure 6(e). Disclosure prohibited except by court order. Separate audit chain.
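The per-class access rules listed above, as an added example that is not the platform's authorization code: one decision function returns an allow/deny result together with the reason, so the same call can gate an API retrieval, filter a search result set, and supply the denial reason for the audit event. Which roles satisfy each class, the Principal and Document fields, and the use of an explicit grant to model a court order or SCIF approval are assumptions; unknown classes fail closed.

```python
from dataclasses import dataclass

CLASSES = ("PUBLIC", "SEALED_CASE", "SEALED_DOCUMENT", "RESTRICTED_DOCUMENT",
           "EX_PARTE", "IN_CAMERA", "CIPA_CLASSIFIED", "GRAND_JURY_6E")


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset                  # e.g. {"SEALED_VIEWER"} or {"JUDGE"}
    participant_in: frozenset         # case ids the user is a party/counsel in
    cleared: bool = False             # clearance verification passed (assumed)
    grants: frozenset = frozenset()   # doc ids with an explicit grant/court order


@dataclass(frozen=True)
class Document:
    doc_id: str
    case_id: str
    classification: str
    filed_by: str                     # user id of the filing party


def decide(p: Principal, d: Document) -> tuple:
    """Return (allowed, reason); the reason feeds the denial audit event."""
    c = d.classification
    judge = "JUDGE" in p.roles
    if c == "PUBLIC":
        return True, "public"
    if c in ("SEALED_CASE", "SEALED_DOCUMENT"):
        return ("SEALED_VIEWER" in p.roles or judge, "requires SEALED_VIEWER or JUDGE")
    if c == "RESTRICTED_DOCUMENT":
        return (d.case_id in p.participant_in, "case participants only")
    if c == "EX_PARTE":
        return (p.user_id == d.filed_by or judge, "filing party or judge only")
    if c == "IN_CAMERA":
        return (judge or d.doc_id in p.grants, "judge or explicit grant only")
    if c == "CIPA_CLASSIFIED":
        return (p.cleared and d.doc_id in p.grants, "clearance and grant required")
    if c == "GRAND_JURY_6E":
        return (d.doc_id in p.grants, "court order (grant) required")
    return False, "unknown classification"  # fail closed


def visible_in_search(p: Principal, docs: list) -> list:
    """Apply the same rule to search hits so sealed documents never surface."""
    return [d.doc_id for d in docs if decide(p, d)[0]]
```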

10 Automated Security Test Categories

Every build executes the full security regression suite. A single failure blocks deployment.

1. Cross-tenant case access denial
Tenant A cannot read, update, or list cases belonging to Tenant B — verified across all API endpoints.

2. Cross-court case access denial
Users with court-scope claims for Court X cannot access cases filed in Court Y within the same tenant.

3. Sealed document access enforcement
Documents classified SEALED_CASE or SEALED_DOCUMENT are invisible in search, API, and UI without SEALED_VIEWER role.

4. Restricted document access enforcement
EX_PARTE and IN_CAMERA documents enforce party-specific and judge-only access rules respectively.

5. Missing package snapshot rejection
Operations that reference a configuration snapshot that does not exist are rejected — fail-closed, not fail-open.

6. Wrong package snapshot rejection
Hash mismatch, wrong tenant, or revoked snapshot all produce immediate rejection with specific error codes.

7. Authorization denial audit logging
Every denied access attempt produces an audit event with the requesting principal, target resource, and denial reason.

8. PII scrubbing verification
SSN patterns (XXX-XX-XXXX) and email addresses are verified absent from all log outputs and search attributes.

9. Idempotency replay attack detection
Duplicate submission with the same idempotency key returns the original result without re-executing the operation.

10. Break-glass access audit distinction
Break-glass access produces a distinct audit event type, separate from standard access, enabling compliance review.

Ready for a security deep-dive?

Walk through our security architecture with your CISO or ATO evaluation team. We'll cover tenant isolation, audit trails, and FedRAMP-aligned controls in detail.