# Scope security overview

One-page security posture for procurement and security review. Current
as of 2026-05-31. For the detailed questionnaire pre-fills see
SIG-Lite-2026.md, CAIQ-Lite.md, and VRM-generic.md in this directory.

## What Scope is

Scope is an AI-dispatched legal vendor procurement platform. Law firms
and carriers ask their AI assistant for a litigation vendor (court
reporter, process server, expert witness, records vendor, e-discovery,
and more). Scope returns named vendors with prices computed from each
vendor's standing rate card, runs the dispatch, processes the firm-to-
vendor payment, and writes the audit record to completion.

## Architecture

```mermaid
flowchart LR
  A["Firm AI client<br/>(Claude, ChatGPT, Cowork)"] -->|OAuth 2.0 bearer| B["Scope MCP transport<br/>/api/mcp/legal"]
  A -->|OAuth 2.0 bearer| C["Scope REST API<br/>/api/v1/*"]
  B --> D["Next.js app<br/>(Vercel, US-East)"]
  C --> D
  D -->|RLS-scoped queries| E["Supabase Postgres<br/>(US-East)"]
  D -->|destination charge<br/>+ application fee| F["Stripe Connect"]
  D -->|transactional email| G["Resend"]
  D -->|append-only| H["audit_log<br/>(tenant-scoped)"]
```

## Data flow

1. The firm's AI client authenticates with an OAuth 2.0 access token (or
   a personal access token for CI / power users).
2. Requests hit the Scope MCP transport or the REST API. Every request
   is rate-limited per tenant and resolves to a single tenant via the
   token.
3. Server-side queries run against Supabase Postgres under Row Level
   Security. Every tenant-scoped table gates reads and writes by the
   caller's organization.
4. Payments move firm-to-vendor through Stripe Connect as destination
   charges with an application fee. Scope never holds firm or vendor
   funds; the money moves on the vendor's connected account and Scope's
   cut peels off as the application fee.
5. Every state-mutating action writes one append-only row to the
   tenant-scoped audit_log: actor identity, IP, user agent, and the
   before/after state.

## Encryption posture

- Data in transit: TLS 1.2+ on every connection (Vercel edge, Supabase,
  Stripe, Resend).
- Data at rest: Supabase Postgres at-rest encryption (AES-256).
- API tokens: stored as SHA-256 hashes, never in plaintext. The
  plaintext token is shown once at creation.
- OAuth and integration secrets: AES-256-GCM at rest.
- Webhook authenticity: HMAC-SHA256 signatures on inbound webhook
  payloads (Stripe Connect signature verification on every event).

## Access control

- OAuth 2.0 access tokens scope every request to one tenant.
- Role-based access control: five roles (firm admin, attorney,
  paralegal, billing, vendor). Every server action gates on a
  capability, not a role name, so re-tiering a role does not weaken any
  call site. Firm admins manage users, roles, billing, and settings
  within their tenant only.
- Row Level Security on every tenant-scoped table. Cross-tenant reads
  are blocked at the database layer, not just the application layer.
- The administrative database client is used only in genuine admin paths:
  audit-log writes, payment webhook handlers, and Scope-internal cross-
  tenant analytics. It is never reachable from a tenant-authenticated
  request path.

## Hosting and subprocessors

- Vercel: application hosting and edge network. US-East.
- Supabase: Postgres database, authentication, and storage. US-East.
- Stripe: payment processing (Stripe Connect).
- Resend: transactional email.

## Audit and logging

- Append-only audit_log table, tenant-scoped, covering scope, dispatch,
  vendor, rate card, credential, payment, user-permission, and settings
  mutations. Carries actor, IP, user agent, and before/after state.
- Per-matter audit export (CSV and PDF) and a carrier feed: a single
  signed URL a panel firm can hand a carrier that explains every dollar
  on a matter, backed by the LEDES 1998B billing export.

## Incident response

- Defined severity tiers (SEV-1 through SEV-4) with response-time
  targets.
- Tenant notification for any incident affecting that tenant's data.
- Post-incident review for every SEV-1 and SEV-2.

## Certification status

- SOC 2 Type I: in progress with Vanta, expected H2 2026.
- SOC 2 Type II: future state after Type I issuance.
- HIPAA BAA: available on the claims vertical; required per vendor at
  claims onboarding. Not required on the legal vertical.
- HITRUST CSF: under consideration if top-25 carrier sales materialize.

Items not yet in place are on the post-launch roadmap (target Q3-Q4 2026)
and are flagged honestly in the questionnaire pre-fills.
