# SIG Lite 2026 - Scope pre-filled responses

Responses follow the Standardized Information Gathering (SIG) Lite
structure published by Shared Assessments and are pre-filled against
Scope's actual posture as of 2026-05-31. Questions Scope cannot honestly
answer "yes" to are flagged "Not yet - on the post-launch roadmap (target
Q3-Q4 2026)".

This document covers the core SIG Lite control families. A reviewer who
needs the full ~150-question instrument can request the complete
workbook; the responses below are the substantive controls a procurement
security team probes first.

---

## A. Enterprise risk management

| # | Question | Response |
|---|----------|----------|
| A.1 | Is there an information security policy? | Yes. Policies are documented and under counsel and Vanta review: access control, encryption and incident response are drafted; data classification, vendor management, business continuity, change management and audit logging are scaffolded but not yet complete. |
| A.2 | Is the policy reviewed at least annually? | Yes, on the SOC 2 cadence. |
| A.3 | Is there a named security owner? | Yes. The founder owns security today; a dedicated security function is a post-launch hire. |

## B. Access control

| # | Question | Response |
|---|----------|----------|
| B.1 | Is access role-based? | Yes. Five roles (firm admin, attorney, paralegal, billing, vendor). Capability-based gating on every server action. |
| B.2 | Is least privilege enforced? | Yes. Roles grant only the capabilities they need; firm_admin is the only superset role and is scoped to a single tenant. |
| B.3 | Is multi-factor authentication available? | Via SSO only: MFA is enforced by the tenant's identity provider once SAML / OIDC is configured. Password auth supports email verification, which confirms address ownership and is not a second login factor. |
| B.4 | Is SSO supported? | SAML 2.0 (Okta, Azure AD, generic) and OIDC (Google Workspace, generic) - configurable per tenant in firm settings. |
| B.5 | Is access logged? | Yes for mutations. The append-only audit_log records actor, IP, user agent, and before/after state on every mutation; read access is not logged. |
| B.6 | Are tokens stored securely? | Yes. API tokens stored as SHA-256 hashes; OAuth/integration secrets AES-256-GCM at rest. |
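
Worked illustration of the B.6 token control, added here as an example and not Scope's own code. It shows why storing only a SHA-256 hash is sufficient for a random API token (unlike a password, there is no dictionary to brute-force), how the token is split into a loggable identifier and a secret part, and why the final comparison must be constant-time. The `sk_` prefix, the identifier/secret layout and the in-memory store are assumptions made for the example.

```python
"""Added example: API tokens that are stored only as SHA-256 hashes.

Not Scope's code. The token layout (prefix + public id + random secret)
and the in-memory store are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_PREFIX = "sk_"   # assumed prefix so a leaked token is recognisable in logs/scanners
ID_LENGTH = 16         # hex chars in the public identifier


@dataclass
class TokenRecord:
    token_id: str    # public lookup key; safe to log
    tenant_id: str
    digest_hex: str  # sha256(secret part); the plaintext is never stored


@dataclass
class TokenStore:
    records: Dict[str, TokenRecord] = field(default_factory=dict)

    def issue(self, tenant_id: str) -> str:
        """Create a token for a tenant. The plaintext is returned exactly once."""
        token_id = secrets.token_hex(ID_LENGTH // 2)   # 16 hex chars, not secret
        secret_part = secrets.token_urlsafe(32)        # 256 bits from the CSPRNG
        self.records[token_id] = TokenRecord(token_id, tenant_id, _digest(secret_part))
        return f"{TOKEN_PREFIX}{token_id}_{secret_part}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the tenant_id the token belongs to, or None if it is invalid."""
        parsed = _parse(presented)
        if parsed is None:
            return None
        token_id, secret_part = parsed
        rec = self.records.get(token_id)
        if rec is None:
            return None
        # Constant-time comparison of the two digests; a plain == would leak
        # how many leading characters matched through response timing.
        if not hmac.compare_digest(rec.digest_hex.encode(), _digest(secret_part).encode()):
            return None
        return rec.tenant_id


def _digest(secret_part: str) -> str:
    # Unsalted SHA-256 is adequate here because the input is CSPRNG output,
    # not a human-chosen password: an attacker holding the table still has
    # to invert a 256-bit preimage to recover a usable token.
    return hashlib.sha256(secret_part.encode()).hexdigest()


def _parse(presented: str) -> Optional[Tuple[str, str]]:
    """Split 'sk_<id>_<secret>' into (id, secret); None if the shape is wrong."""
    if not presented.startswith(TOKEN_PREFIX):
        return None
    body = presented[len(TOKEN_PREFIX):]
    token_id, sep, secret_part = body.partition("_")  # id is hex, so the first '_' is the divider
    if not sep or len(token_id) != ID_LENGTH or not secret_part:
        return None
    return token_id, secret_part


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("firm-demo")            # constructed tenant id
    print("issued:", token)
    print("stored:", store.records)              # hash only, no plaintext
    print("verify ok:", store.verify(token))
    print("verify bad:", store.verify(token[:-2] + "xx"))
```

The identifier lets the server find the row by an indexed equality lookup and lets support staff reference a token in a ticket without ever seeing the secret half.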

## C. Application security

| # | Question | Response |
|---|----------|----------|
| C.1 | Is data tenant-isolated? | Yes. Row Level Security on every tenant-scoped table. Cross-tenant reads blocked at the database layer. |
| C.2 | Is input validated server-side? | Yes. All mutations validate server-side; the API enforces field requirements independent of the client. |
| C.3 | Are webhooks authenticated? | Yes. HMAC-SHA256 signature verification on inbound webhooks (Stripe Connect). |
| C.4 | Is there rate limiting? | Yes. Per-tenant rate limiting, default 1000 req/min, configurable per tenant. Rate-limit headers on every response. |
| C.5 | Is there a documented API spec? | Yes. OpenAPI 3.1 spec served at /api/v1/openapi.json with a human-readable viewer at /developers/api. |
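
Worked illustration of the C.3 webhook control, added here as an example and not Scope's own code. It implements the signature scheme Stripe documents for the `Stripe-Signature` header (`t=<unix timestamp>,v1=<hex HMAC-SHA256>` computed over `<timestamp>.<raw body>`), including the replay window and constant-time comparison, and accepts more than one `v1` value so that endpoint-secret rotation does not drop events. The endpoint secret, event body and header below are constructed for the example; the function names are mine.

```python
"""Added example: verifying an inbound webhook signed the way Stripe signs them.

Not Scope's code. Follows Stripe's documented Stripe-Signature scheme;
the secret, body and header used here are constructed for illustration.
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300  # replay window; Stripe's SDK default


class WebhookVerificationError(Exception):
    """Raised for any reason the request must be rejected."""


def sign_payload(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>'.

    The body must be the exact bytes received; re-serialising parsed JSON
    changes whitespace and key order and the signature no longer matches.
    """
    signed = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def build_header(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Sender side: produce the header value (used here to construct test input)."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, raw_body)}"


def parse_header(header: str) -> Tuple[int, List[str]]:
    """Extract the timestamp and every v1 signature from the header."""
    timestamp: Optional[int] = None
    v1_sigs: List[str] = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            try:
                timestamp = int(value)
            except ValueError:
                raise WebhookVerificationError("non-numeric timestamp")
        elif key == "v1":
            v1_sigs.append(value)
    if timestamp is None or not v1_sigs:
        raise WebhookVerificationError("malformed signature header")
    return timestamp, v1_sigs


def verify_webhook(raw_body: bytes, header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Return True if the body is authentic and fresh; raise otherwise."""
    now = int(time.time()) if now is None else now
    timestamp, v1_sigs = parse_header(header)
    expected = sign_payload(secret, timestamp, raw_body)
    # compare_digest keeps the check constant-time; any one valid v1 is enough,
    # because Stripe sends two during secret rotation.
    if not any(hmac.compare_digest(expected.encode(), sig.encode()) for sig in v1_sigs):
        raise WebhookVerificationError("signature mismatch")
    # The timestamp is signed, so an attacker cannot forge a fresh one; this
    # check only stops replay of a genuinely signed but stale request.
    if abs(now - timestamp) > tolerance:
        raise WebhookVerificationError("timestamp outside tolerance")
    return True


def is_authentic(raw_body: bytes, header: str, secret: str,
                 now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_webhook for callers that prefer no exceptions."""
    try:
        return verify_webhook(raw_body, header, secret, now=now)
    except WebhookVerificationError:
        return False


if __name__ == "__main__":
    # Constructed sample input: not a real Stripe secret or event.
    SECRET = "whsec_example_not_real"
    BODY = b'{"id":"evt_demo","type":"account.updated","account":"acct_demo"}'
    ts = 1_700_000_000
    hdr = build_header(SECRET, ts, BODY)
    print("fresh, intact:     ", is_authentic(BODY, hdr, SECRET, now=ts + 5))
    print("tampered body:     ", is_authentic(BODY + b" ", hdr, SECRET, now=ts + 5))
    print("replayed 10 min on:", is_authentic(BODY, hdr, SECRET, now=ts + 600))
```

Two practitioner checks this encodes: read the raw request body before any framework middleware parses it, and never accept a request whose header lacks a `v1` value even if the timestamp looks fine.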

## D. Encryption

| # | Question | Response |
|---|----------|----------|
| D.1 | Is data encrypted in transit? | Yes. TLS 1.2+ on every connection. |
| D.2 | Is data encrypted at rest? | Yes. Supabase Postgres at-rest encryption (AES-256) for all stored data; OAuth/integration secrets are additionally encrypted with AES-256-GCM before storage (see B.6). |
| D.3 | Is key management documented? | Partial. Managed-key model via Supabase/Vercel. Customer-managed keys: Not yet - on the post-launch roadmap. |

## E. Third-party / subprocessor risk

| # | Question | Response |
|---|----------|----------|
| E.1 | Are subprocessors disclosed? | Yes. Vercel, Supabase, Stripe, Resend. Published on the trust page. |
| E.2 | Are subprocessors security-reviewed? | Yes. All four maintain SOC 2 Type II. |
| E.3 | Is a DPA available? | Yes for the platform; per-subprocessor DPAs in place. |

## F. Business continuity / availability

| # | Question | Response |
|---|----------|----------|
| F.1 | Is data backed up? | Yes. Supabase automated daily backups with point-in-time recovery. |
| F.2 | Is there a documented RTO / RPO? | Partial. RPO bounded by Supabase PITR; formal RTO/RPO targets: Not yet - on the post-launch roadmap. |
| F.3 | Is there a tested DR plan? | Not yet - on the post-launch roadmap (target Q3-Q4 2026). |

## G. Compliance and audit

| # | Question | Response |
|---|----------|----------|
| G.1 | SOC 2? | Type I in progress with Vanta, expected H2 2026. Type II after Type I issuance. |
| G.2 | HIPAA? | BAA available on the claims vertical, per vendor at onboarding. Legal vertical does not process PHI. |
| G.3 | Is there an audit trail? | Yes. Tenant-scoped append-only audit_log, exportable as CSV and PDF per matter, per date range, per firm. |

## H. Incident response

| # | Question | Response |
|---|----------|----------|
| H.1 | Is there an incident response plan? | Yes. Drafted policy with SEV-1 to SEV-4 tiers and response targets. |
| H.2 | Are customers notified of incidents affecting their data? | Yes, per the IR policy. |
| H.3 | Is there a post-incident review process? | Yes for SEV-1 and SEV-2. |

## I. Privacy

| # | Question | Response |
|---|----------|----------|
| I.1 | Is personal data minimized? | Yes. Scope stores matter metadata and vendor records; it does not store firm client files. Conflict screening runs against the firm's own CMS, not a Scope-held client list. |
| I.2 | Are data subject requests supported? | Yes via the privacy contact. |
| I.3 | Is data retention documented? | Partial. Audit data is retained indefinitely by design (compliance record); a tenant-configurable retention policy is on the post-launch roadmap. |
