# Vendor risk management questionnaire - Scope responses

Generic VRM questionnaire covering the questions enterprise procurement
teams ask outside of SIG or CAIQ. Current as of 2026-05-31.

---

## Company and product

**Q: What does the product do?**
Scope is an AI-dispatched legal vendor procurement platform. Firms ask
their AI assistant for a litigation vendor; Scope returns named vendors
with computed prices, runs the dispatch, processes firm-to-vendor
payment, and writes the audit record to completion.

**Q: Where is data hosted?**
United States (US-East). Vercel for application hosting, Supabase for
database, authentication, and storage.

**Q: Who are the subprocessors?**
Vercel (hosting), Supabase (database/auth/storage), Stripe (payments),
Resend (transactional email). All maintain SOC 2 Type II.

## Data handling

**Q: What customer data does Scope store?**
Matter metadata (matter name, jurisdiction, parties, vendor category,
budget), vendor records, dispatch and payment records, and the audit
log. Scope does NOT store firm client files or the firm's client list.

**Q: Does Scope perform conflict checks?**
Scope gates every dispatch on a conflict check. The check runs against
the firm's own CMS, where the client list and matter history live. Scope
does not replace the firm's conflict screen; it ensures the screen
happens before any vendor sees the matter.

**Q: Is data segregated by customer?**
Yes. Row Level Security on every tenant-scoped table enforces isolation
at the database layer. The administrative database client is used only in genuine
admin paths (audit writes, payment webhooks, internal analytics) and is
never reachable from a tenant request.

**Q: How is data deleted?**
Hard-delete with cascade on tenant-initiated deletion. Secrets are
cryptographically erased. Audit records are retained by design as the
compliance record.

## Security controls

**Q: Encryption?**
TLS 1.2+ in transit. AES-256 at rest (Postgres). AES-256-GCM for
secrets. API tokens stored as SHA-256 hashes.

**Q: Authentication?**
OAuth 2.0 access tokens, personal access tokens for CI, and SSO (SAML
2.0 + OIDC) configurable per tenant. RBAC with five roles and
capability-based gating.

**Q: Audit logging?**
Append-only tenant-scoped audit log on every mutation, carrying actor,
IP, user agent, and before/after state. Exportable as CSV and PDF, per
matter, date range, or firm.
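The two controls above, tenant isolation via Row Level Security and an append-only audit log, as one added Postgres/Supabase illustration (constructed here, not Scope's own schema): the `matters` and `audit_log` tables, the `tenant_id` column and the `tenant_id` JWT claim are assumptions.

```sql
-- Added illustration, not Scope's schema: tenant_id column, the "tenant_id"
-- JWT claim and both tables are assumptions. Postgres as used by Supabase.
-- 1. Tenant isolation: RLS on a tenant-scoped table.
create table matters (
  id        bigint generated always as identity primary key,
  tenant_id uuid not null,
  name      text not null
);
alter table matters enable row level security;
-- FORCE applies policies to the table owner too; BYPASSRLS roles still skip.
alter table matters force row level security;
-- A row is readable or writable only when the caller's JWT (Supabase's
-- auth.jwt()) carries the same tenant_id; WITH CHECK blocks cross-tenant writes.
create policy tenant_isolation on matters
  for all to authenticated
  using      (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid)
  with check (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);

-- 2. Append-only audit log carrying actor, IP, user agent, before/after.
create table audit_log (
  id           bigint generated always as identity primary key,
  tenant_id    uuid not null,
  actor_id     uuid,
  actor_ip     inet,
  user_agent   text,
  action       text not null,
  before_state jsonb,
  after_state  jsonb,
  created_at   timestamptz not null default now()
);
alter table audit_log enable row level security;
alter table audit_log force row level security;
-- Tenants read their own rows. With no update/delete policy, RLS denies
-- those for ordinary roles.
create policy audit_read on audit_log
  for select to authenticated
  using (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);

-- The trigger also stops roles that bypass RLS (e.g. the admin client):
-- nobody rewrites history; the log can only grow.
create or replace function reject_audit_mutation() returns trigger
language plpgsql as $$
begin raise exception 'audit_log is append-only'; end $$;
create trigger audit_log_append_only
  before update or delete on audit_log
  for each row execute function reject_audit_mutation();
```

A quick check a reviewer can run: connect with a tenant JWT and confirm `select count(*) from matters` returns only that tenant's rows, then attempt `delete from audit_log` as the admin client and confirm the trigger raises.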

**Q: Rate limiting?**
Per-tenant, default 1000 req/min, configurable. Rate-limit headers on
every response.

## Compliance

**Q: SOC 2?**
Type I in progress with Vanta, expected H2 2026. Type II after Type I.

**Q: HIPAA?**
BAA available on the claims vertical, per vendor at onboarding. The legal
vertical does not process PHI.

**Q: Cyber insurance?**
Cyber: 1M aggregate, 10K retention. E&O: 1M limit, 25K retention
(includes 1M media liability). GL: 1M per occurrence / 2M aggregate.
Higher limits (5M+) are on the post-launch roadmap as enterprise deals require.

**Q: Penetration testing?**
Dependency scanning in CI today. A formal third-party pen-test cadence is
on the post-launch roadmap (target Q3-Q4 2026).

## Business continuity

**Q: Backups?**
Supabase automated daily backups with point-in-time recovery.

**Q: Disaster recovery?**
RPO is bounded by Supabase PITR. Formal RTO/RPO targets and a tested DR
runbook are on the post-launch roadmap.

## Integration and portability

**Q: Can we integrate with our ELM / CMS?**
Yes. REST API with OpenAPI 3.1 spec, inbound matter sync endpoint, LEDES
1998B billing export, and audit export. Reference architectures
published for TeamConnect, Passport, Onit, Clio, and 8am Legal
(CASEpeer / MyCase). Live connectors are partner-deal triggered.

**Q: Can we export our data?**
Yes. LEDES 1998B billing export, CSV and PDF audit export, and a
carrier feed (a signed URL that explains every dollar on a matter).
