Our principles

Law firms handle sensitive client information. We built MatterReady with that responsibility in mind.

Conservative by default

We collect only what's needed for intake qualification. We don't store credentials, financial account numbers, or sensitive data beyond what serves the intake process.

Attorneys stay in control

MatterReady surfaces information and signals. It does not make decisions for your firm. Every conflict flag requires attorney review. Every matter requires attorney approval before proceeding.

No legal advice, ever

MatterReady does not provide legal advice. Qualification scores indicate completeness, not case merit. Conflict signals are flags for review, not determinations. Legal judgment remains with your attorneys.

Your data is yours

We don't sell data. We don't use your client information for purposes beyond providing the MatterReady service. You can export everything at any time. If you leave, you take your data with you.

Security controls

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database connections require SSL. API traffic is HTTPS-only.

Infrastructure

Hosted on Vercel's edge network with automatic failover. Database hosted on Neon with point-in-time recovery. All infrastructure is US-based.

Access controls

Role-based permissions limit data access by function. All administrative actions are logged in an audit trail. Two-factor authentication is available for all accounts.

Authentication

Staff and attorneys authenticate via Google or Microsoft SSO by default. No shared passwords. Session tokens are short-lived and scoped to a single tenant.

Tenant isolation

Every firm is a separate tenant. Data is isolated at the database level. There is no cross-tenant data sharing. Each firm's data is accessible only to their authorized users.

Integration security

Clio and Microsoft 365 connections use OAuth — we never see your passwords. API tokens are encrypted at rest and revocable at any time from your settings.

AI integration security

MatterReady supports AI assistant integration via the Model Context Protocol (MCP). The same conservative approach applies.

No PII exposure

AI assistants see operational signals only — priority scores, due dates, risk levels. Client names, contact information, and matter details are never exposed to external AI systems.

Revocable API keys

Each AI connection uses a separate API key that you can revoke instantly. Keys are hashed — we never store them in plaintext. You control which AI tools have access.

Audit trail

Every AI request is logged: what was accessed, when, and by which key. Request payloads are never logged to prevent accidental data exposure.
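The two properties described above (keys stored only as hashes and revocable instantly; an audit trail that records what was accessed, when, and by which key, but never the payload) are shown together in the following added example. It is an illustration written for this page, not MatterReady's own code, and every name, the key format, and the sample data in it are assumptions constructed for the example.

```python
"""Added illustration (not MatterReady's code): API keys kept only as hashes,
instant revocation, and an audit trail that records metadata but never the
request payload. Names, key format and data are constructed for this example."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key_id: str        # public identifier, safe to show in the UI and in logs
    key_hash: str      # SHA-256 of the secret; the secret itself is never kept
    tool_name: str     # which AI tool this key was issued to (constructed label)
    revoked: bool = False


class KeyStore:
    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}
        self.audit_log: list[dict] = []

    @staticmethod
    def _digest(secret: str) -> str:
        # A plain SHA-256 is adequate here because the secret is 256 bits of
        # randomness, not a user-chosen password; a slow hash adds nothing.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, tool_name: str) -> str:
        """Create a key. The full secret is returned once and never stored."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(key_id, self._digest(secret), tool_name)
        return f"{key_id}.{secret}"   # constructed "<id>.<secret>" format

    def revoke(self, key_id: str) -> None:
        """Revocation takes effect on the very next request."""
        self._records[key_id].revoked = True

    def authenticate(self, presented: str, endpoint: str, payload: dict) -> bool:
        """Verify a presented key and append one audit entry.

        The entry records what was accessed, when, and by which key. The payload
        is accepted as a parameter only to make the point explicit: it is not
        written anywhere."""
        key_id, _, secret = presented.partition(".")
        record = self._records.get(key_id)
        ok = (
            record is not None
            and not record.revoked
            and hmac.compare_digest(record.key_hash, self._digest(secret))
        )
        self.audit_log.append({
            "ts": time.time(),
            # log the id only when it is a known id, so a malformed or
            # mistyped key can never end up in the log verbatim
            "key_id": key_id if record is not None else "unknown",
            "endpoint": endpoint,
            "allowed": ok,
        })
        return ok
```

With this layout a database dump yields only hashes, a revoked key fails on its next call, and the audit trail can be handed to a reviewer without exposing client data.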

Data retention & portability

Automated daily snapshots

MatterReady creates encrypted snapshots of your firm's data daily. Snapshots are retained according to your plan's retention policy. No configuration required.

Self-service restore

Firm administrators can restore from any available snapshot directly from admin settings. No support ticket needed.

Full data exports

Export all your firm's data at any time — leads, intakes, documents, and settings. Exports are encrypted and can be used to migrate to another system or for your own records.

Compliance & privacy

  • CCPA compliant — California Consumer Privacy Act
  • Data processing agreements available on request
  • Data retained only as long as needed for service delivery
  • Right to deletion honored within 30 days of request
  • No cross-tenant data sharing — your data stays yours

For detailed information, see our Privacy Policy and Terms of Service.

Security FAQ

Where is my data stored?

All data is stored in US-based infrastructure. The application runs on Vercel's edge network. The database is hosted on Neon (PostgreSQL) with automated backups and point-in-time recovery.

Does MatterReady store my Clio password?

No. Clio integration uses OAuth authorization. You grant access through Clio's own authorization flow. MatterReady never sees or stores your Clio login credentials. You can revoke access at any time from either MatterReady or Clio.

Who can access my firm's data?

Only users you authorize. Each firm is an isolated tenant with role-based access controls. Staff see what their role permits. MatterReady support does not access your data without explicit permission.

What happens to my data if I cancel?

You can export all your data before canceling. After cancellation, data is retained for 30 days in case you change your mind, then permanently deleted. You can request immediate deletion if preferred.

Is client intake data shared with AI models?

Client PII is never sent to external AI services. AI features like qualification scoring run on structured metadata — practice area, completeness indicators, and field presence — not on client names, addresses, or case narratives.
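The rule stated here and in the "No PII exposure" section above (AI tools receive operational signals such as priority score, due date, risk level, practice area and completeness, never names, contact details or narratives) is commonly enforced with an allow-list projection at the boundary. The following added example shows that pattern; it is written for this page, not MatterReady's code, and the field names, the sample intake record and the PII field set are constructed assumptions.

```python
"""Added illustration (not MatterReady's code): projecting an intake record
onto an allow-list of operational signals before it reaches an AI tool.
Field names and the sample record are constructed for this example."""
from typing import Any

# Only these keys may cross the boundary, and only with these value types.
# A value that fails its type check is dropped rather than passed through.
OPERATIONAL_SIGNALS: dict[str, type] = {
    "lead_id": str,          # opaque identifier, not a name
    "practice_area": str,
    "priority_score": int,
    "risk_level": str,
    "completeness_pct": int,
    "due_date": str,         # ISO date string
}

RISK_LEVELS = {"low", "medium", "high"}


def to_ai_view(intake: dict[str, Any]) -> dict[str, Any]:
    """Return only allow-listed, well-typed signals.

    Every key not in OPERATIONAL_SIGNALS is excluded, so a new PII column
    added to the intake record later is excluded by default (fail closed)."""
    view: dict[str, Any] = {}
    for key, expected in OPERATIONAL_SIGNALS.items():
        value = intake.get(key)
        # bool is a subclass of int; reject it so a flag can't pose as a score
        if value is None or isinstance(value, bool) or not isinstance(value, expected):
            continue
        if key == "risk_level" and value not in RISK_LEVELS:
            continue
        view[key] = value
    return view


def leaks_pii(view: dict[str, Any], pii_fields: set[str]) -> bool:
    """Boundary guard: True if any PII key survived the projection."""
    return bool(pii_fields & view.keys())


SAMPLE_INTAKE = {  # constructed sample record
    "lead_id": "L-0042",
    "client_name": "Example Person",
    "email": "person@example.com",
    "narrative": "Free-text description of the dispute.",
    "practice_area": "employment",
    "priority_score": 72,
    "risk_level": "medium",
    "completeness_pct": 85,
    "due_date": "2024-05-01",
    "conflict_notes": "Possible adverse party match",
}
PII_FIELDS = {"client_name", "email", "narrative", "conflict_notes"}
```

The design choice worth noting is that the allow-list is the only source of truth: nothing is ever "removed" from the record, so there is no deny-list to forget to update when a new sensitive field is added.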

Does MatterReady make legal decisions?

No. Conflict signals are flags for attorney review, not legal determinations. Qualification scores indicate data completeness, not case merit or viability. Every decision that matters is made by your attorneys.

How are documents handled?

Documents uploaded during intake are encrypted at rest and in transit. Access is limited to authorized users within your firm. Documents sync to Clio when matters are pushed, and can be exported at any time.

Can I get a data processing agreement (DPA)?

Yes. We provide DPAs on request for firms that need them. Contact hello@matterready.io and we'll send one over.

Is MatterReady SOC 2 certified?

We are working toward SOC 2 Type II certification. Our infrastructure providers (Vercel, Neon) maintain their own SOC 2 certifications. We follow SOC 2-aligned practices for access control, encryption, and audit logging.

How do I report a security concern?

Email security@matterready.io. We take security reports seriously and will respond within one business day.

Questions?

If you have security or compliance questions that aren't answered here, reach out. We're happy to discuss our practices in detail.
