Trust & Compliance

Security & Defensibility

Two distinct concerns in discovery: data security of attorney-client privileged material, and defensibility of the TAR workflow in court. Both addressed here — factually, without false certification claims.

Data Security

Client document data — including attorney-client privileged material — is processed with strict data handling controls.

Encryption at Rest

All stored documents and metadata encrypted using AES-256. Encryption keys managed per-matter with access controls tied to matter-level permissions.

Encryption in Transit

TLS 1.3 on all data transmission paths. No plaintext transfer of document content. HTTPS-only; HSTS enforced.

Data Residency — US Only

All document data processed and stored on AWS infrastructure in US regions (us-east-1 / us-west-2). No data transferred to non-US infrastructure.

No Training on Client Data

Customer document data is not used to train shared models. The predictive model for each matter is trained exclusively on that matter's reviewed documents.

Per-Matter Data Isolation

Each matter is a logically isolated environment. Document data from one matter is not accessible within another matter's context, regardless of shared organization.

Data Deletion

Document data deleted from Discovarc infrastructure within 30 days of matter close, or on request. Deletion confirmation provided upon request.

Access Controls

Role-based access control (RBAC)

Access to each matter's document set is controlled by role assignments. Three roles: Matter Administrator (full access, including model configuration and privilege roster management), Senior Reviewer (review + QC access), Reviewer (review only, no configuration access).

Matter-level access isolation

Users provisioned on Matter A cannot access documents, review decisions, or audit logs from Matter B, regardless of shared organization affiliation. Privilege log data for a matter is accessible only to users provisioned on that matter.

Audit log of all review actions

Every user action that affects a document's classification state generates an audit log entry: who made the decision, when, and what the prior state was. This log is the basis for protocol documentation export.

TAR Workflow Audit Trail

The audit trail is the technical backbone of FRCP Rule 26 cooperative disclosure for TAR workflows. Courts and opposing counsel that scrutinize predictive coding methodology want to see the chain of custody on how each document's classification was determined.

Discovarc generates a timestamped audit trail of every classification event in the workflow:

  • Prediction generated: model version, document ID, confidence score at time of prediction
  • Reviewer decision recorded: user ID (anonymized), decision type, timestamp
  • Reviewer override: when a reviewer changes a model prediction, both states are logged
  • QC sampling triggered: sample set ID, sampling parameters, QC reviewer ID
  • Protocol milestone: seed set finalized, stopping criterion met, final export generated

This audit trail is exported as part of the TAR protocol documentation package designed to support FRCP Rule 26 disclosure.

Concept illustration of a TAR review workflow audit trail log showing timestamped review decisions and system actions for court admissibility documentation

SOC 2 Type II Assessment

Discovarc's infrastructure is designed with SOC 2 Type II controls in mind — our security architecture, access controls, and monitoring practices are aligned with the SOC 2 Trust Services Criteria. We are currently progressing through the SOC 2 Type II assessment process.

No false certification claim: we will not publish a SOC 2 Type II certification until the assessment is complete and the report is issued. A vendor security questionnaire is available on request while the formal assessment is in progress.

Security questionnaire requests: email [email protected] with the subject "Security Questionnaire Request." We respond to security review requests within 3 business days.

FRCP Rule 26 & Cooperative Discovery

Federal Rule of Civil Procedure 26 imposes obligations on parties to cooperate on discovery process decisions and to be transparent about the methodology used. For TAR workflows, courts have interpreted Rule 26's general cooperative framework as requiring disclosure of the TAR protocol, seed set construction approach, and stopping criteria applied.

Discovarc's audit trail and protocol documentation exports are designed to provide supervising counsel with the factual documentation needed to meet these disclosure obligations. The documentation describes what Discovarc did — it does not constitute legal advice on the sufficiency of the disclosure in any specific jurisdiction or matter.

Regulatory framing: References to FRCP Rule 26 on this page describe the factual framework within which Discovarc's audit trail and protocol documentation features were designed. Discovarc makes no claim of regulatory certification or court endorsement. All references to case law (e.g., Da Silva Moore, Rio Tinto Plc v. Vale SA) are informational references to publicly available court opinions — not representations that Discovarc's specific implementation has been approved by any court.

Security questionnaire on file — request it.

Send security questionnaire requests to [email protected] or use the contact form.

Contact Us