What we do with your data, and what we don't.
Scope sits between AI workflows and credentialed vendor work. The data that flows through us includes case captions, claimant identifiers, deposition notices, and bid pricing - the kind of data your firm's GC and your carrier's privacy office will both ask hard questions about. This page is the answer.
Where we are. Where we're going. By when.
Readiness assessment underway via Vanta. Type I report (point-in-time controls snapshot) targeted for Q3 2026. Available to founding-cohort buyers under NDA.
Type II adds a 6-12 month operating-evidence period after Type I report issues. Considered for AmLaw 200 and top-25 carrier sales after Type I lands.
Business Associate Agreement (BAA) available for claims-vertical engagements where Protected Health Information (PHI) is transmitted. Legal-vertical Matters do not require HIPAA coverage; PHI is not routinely transmitted through the platform in that vertical. Encryption controls, access logging, breach-notification procedures are in place for claims-vertical handling.
Considered if top-25 carrier sales materialize. 12-18 month certification timeline. Not on critical path.
Considered for international expansion. Not currently planned for domestic legal/claims path. Will revisit if buyer demand materializes.
Data Processing Agreement (DPA) available. CCPA, CPRA, VCDPA, and equivalent state laws supported. Data residency: US-only by default; EU residency available for Buyer Pro.
Embedded payments and vendor financing arrive in 2027. Built for them.
Scope's revenue stack at maturity includes embedded payment processing (Stripe Connect-style, 50-75 bps on buyer→vendor flow) and vendor instant-pay financing (capital-facility-funded, ~5% net spread). These add regulatory obligations beyond SOC 2. We're posturing for them now.
State-by-state money transmitter analysis underway. Likely partner-funded model via Stripe Treasury or Modern Treasury (avoids requiring 50-state MTL licensing in-house). Specialized counsel engaged Q4 2026.
For vendor instant-pay financing. Some states require commercial-lending licenses for receivables purchases at scale. Strategy under development - likely Reg D / commercial-only structure that minimizes state-license burden, with capital-facility partner originating.
Required once Scope mediates payment flow at material volume. Built on the same Vanta controls foundation as SOC 2. Timing follows Type I issuance.
Goldman / i80 Group / Atalaya Capital / Boathouse Capital - the tier of asset-backed capital partners that fund Faire's Net-60 and Stripe Capital. Scope's bid + completion data is the underwriting moat.
Coverage in place.
Certificates of Insurance (COI) available to any prospective buyer or vendor on request via trust@scope.bid. We name additional insureds on request for enterprise engagements.
First- and third-party cyber. Covers data breach, ransomware, business interruption, regulatory defense. $10K retention.
Technology errors and omissions. Covers professional-services failures and platform-mediated business losses. $1M media liability bundled. $25K retention.
Standard CGL for business operations. $1M per occurrence, $2M aggregate, $0 deductible. Available for naming additional insureds.
What gets encrypted, where, by whom.
- Encryption in transit: All HTTP traffic is TLS 1.3. Internal service-to-service calls are mTLS. No plaintext anywhere on the wire.
- Encryption at rest: AES-256 on the database (Supabase managed PostgreSQL with at-rest encryption enabled). Object storage (file uploads, transcripts) AES-256 with per-tenant keys.
- Authentication: Supabase Auth with JWT-based session tokens and SHA-256 hashed API tokens for MCP access. Tokens are revocable. Multi-factor authentication available for all accounts; required for Buyer Pro.
- Row-level security: Every table in our PostgreSQL schema has RLS policies enforced at the database layer. A vendor cannot read another vendor's bid; a buyer cannot read a winning vendor's identity until award. The protection is structural, not application-layer.
- Access logging: Every read and write is logged with user, timestamp, IP, and resource. Logs retained for 365 days. Available to Buyer Pro tenants on request.
- Data residency: US-only by default. Vercel and Supabase instances run in us-east-1. EU residency available for Buyer Pro on request (provisions us-east-1 mirror in eu-west-1).
- Data minimization: The MCP server passes only the fields required for a dispatch decision (category, jurisdiction, scope, budget). It does not pass case-strategy memos, work-product, or full claimant medical files. Sensitive uploads stay in your CMS or claims system; Scope routes the request, not the underlying file.
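To make the row-level security bullet concrete, here is an added example of how the two invariants it states (a vendor reads only its own bids; a buyer learns the bidding vendor's identity only after award) can be enforced by PostgreSQL policies rather than application code. This is illustrative schema written for this page, not Scope's actual schema: the table, column and policy names and the sample ids are assumptions, while `auth.uid()` and the `authenticated` role are Supabase's.

```sql
-- Added example schema for this page; not Scope's schema. Table, column and
-- policy names are assumptions. auth.uid() reads the caller's JWT subject and
-- "authenticated" is the role Supabase assigns to signed-in users.

create table matters (
  id             uuid primary key default gen_random_uuid(),
  buyer_id       uuid not null,   -- auth.uid() of the buyer who opened the matter
  awarded_bid_id uuid             -- references bids(id); null until award
);

-- Bid pricing and the bidder's identity live in separate rows so that RLS can
-- expose the price to the buyer while withholding the identity.
create table bids (
  id           uuid primary key default gen_random_uuid(),
  matter_id    uuid not null references matters(id),
  amount_cents integer not null check (amount_cents > 0),
  created_at   timestamptz not null default now()
);

create table bid_vendor (
  bid_id    uuid primary key references bids(id),
  vendor_id uuid not null         -- auth.uid() of the vendor who placed the bid
);

-- Constructed sample data, loaded before RLS is forced on the owner.
insert into matters (id, buyer_id) values
  ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-0000000000b1');
insert into bids (id, matter_id, amount_cents) values
  ('00000000-0000-0000-0000-0000000000c1', '00000000-0000-0000-0000-0000000000a1', 45000);
insert into bid_vendor (bid_id, vendor_id) values
  ('00000000-0000-0000-0000-0000000000c1', '00000000-0000-0000-0000-0000000000d1');

-- Enable RLS and force it so the table owner is not exempt either.
alter table matters    enable row level security;
alter table matters    force  row level security;
alter table bids       enable row level security;
alter table bids       force  row level security;
alter table bid_vendor enable row level security;
alter table bid_vendor force  row level security;

grant select on matters, bids, bid_vendor to authenticated;
grant insert on bids, bid_vendor to authenticated;

-- Buyers see only the matters they opened.
create policy buyer_reads_own_matter on matters
  for select to authenticated
  using (buyer_id = auth.uid());

-- Invariant 1: a vendor reads only bids linked to its own identity ...
create policy vendor_reads_own_bid on bids
  for select to authenticated
  using (exists (select 1 from bid_vendor v
                 where v.bid_id = bids.id and v.vendor_id = auth.uid()));

create policy vendor_reads_own_link on bid_vendor
  for select to authenticated
  using (vendor_id = auth.uid());

-- ... and can attach only its own identity to a bid it places.
create policy vendor_inserts_bid on bids
  for insert to authenticated
  with check (true);              -- price row; identity is constrained below

create policy vendor_inserts_own_link on bid_vendor
  for insert to authenticated
  with check (vendor_id = auth.uid());

-- Buyers see the bids (prices) on their own matters ...
create policy buyer_reads_bids_on_own_matter on bids
  for select to authenticated
  using (exists (select 1 from matters m
                 where m.id = bids.matter_id and m.buyer_id = auth.uid()));

-- Invariant 2: ... but the identity row is visible only for the awarded bid.
create policy buyer_reads_awarded_vendor on bid_vendor
  for select to authenticated
  using (exists (select 1 from matters m
                 where m.awarded_bid_id = bid_vendor.bid_id
                   and m.buyer_id = auth.uid()));

-- Local check in psql: impersonate the sample buyer the way Supabase's
-- auth.uid() resolves it, by setting the JWT claims for this transaction only.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-0000000000b1","role":"authenticated"}',
                    true);
  select b.id, b.amount_cents from bids b;   -- price of the bid on the buyer's matter
  select * from bid_vendor;                  -- no rows while awarded_bid_id is null
rollback;
```

Once `matters.awarded_bid_id` is set to the winning bid (by a role that bypasses RLS, or by an update policy not shown here), the same buyer query against `bid_vendor` returns that one identity row and no other; the application never has to remember to filter it out.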
Who else touches your data.
We use a small number of trusted infrastructure providers. Each runs its own SOC 2 / ISO 27001 audited program. We commit to 30 days' notice before adding any new subprocessor with access to customer data.
| Subprocessor | Purpose | Data class | Audits |
|---|---|---|---|
| Vercel | Application hosting, edge runtime | Operational data, no customer data persisted | SOC 2 Type II, ISO 27001 |
| Supabase | PostgreSQL database, authentication, file storage | All customer data: matters, bids, reviews, vendor profiles, COIs | SOC 2 Type II, HIPAA-eligible |
| Resend | Transactional email delivery | Email addresses, email content (notification subjects/bodies) | SOC 2 Type II |
| Stripe (Connect) | Payment rail - destination-charge invoicing on the vendor's connected account. Funds flow direct to vendor, minus Scope's application fee. Onboarded vendors only. | Payment instruments, billing addresses, application-fee calculations, transfer reconciliation metadata | PCI DSS Level 1, SOC 1 + 2 |
| Anthropic / OpenAI / Microsoft | Optional AI workflow clients (controlled by buyer) | Whatever the buyer's AI client sends; we receive only the MCP tool calls | Each runs their own SOC 2 / ISO 27001 program |
| GitHub (Microsoft) | Source code repository, MCP server distribution | No customer data; only public + private source code | SOC 2 Type II |
Different verticals, different sensitivities.
Case captions, witness names, deposition scope, records subject identifiers, sometimes SSN / DOB on subpoenaed records, work-product-privileged matter detail.
Attorney-client + work-product privilege handled. RLS prevents cross-firm visibility. SOC 2 Type I in progress + cyber + tech E&O.
HIPAA BAA on demand for records-retrieval matters. Sensitive uploads stay in your DMS - Scope routes, doesn't store. Governance queryable: scope_vendor_health and scope_credential_alerts surface COI / W-9 / insurance expiry across your roster; scope_roster_audit returns the append-only event chain per matter for compliance review.
Claimant PHI (medical records, IME reports), PII (SSN, DOB), surveillance subject identifiers, claim file numbers.
HIPAA covered-entity-vendor controls. NAIC Model Cybersecurity Law alignment. HITRUST CSF under consideration for top-25 carrier sales.
Carrier-specific BAA, segregated data namespaces, audit logs accessible to carrier's privacy office on request. Governance queryable: scope_vendor_health and scope_credential_alerts include BAA status per vendor; scope_roster_audit returns the append-only event chain per claim file for regulatory review.
Run Scope inside your perimeter.
Firms with strict network requirements can run Scope's MCP gateway inside their own perimeter via Anthropic Managed Agents tunnels. Dispatches flow through Scope's vendor network over outbound HTTPS only. No inbound firewall rules. No public endpoints. Same dispatch flow, same vendor bids, same Stripe Connect payment rail. Beta available - reference deployment live at scope-mcp-gateway.onrender.com.
See something? Send something.
We take security reports seriously and respond within 48 hours.
Founding firms get the security commitment in writing.
Your founding-cohort MSA includes a security commitment: SOC 2 Type I by Q3 2026, BAA available on request now, terminate-without-penalty if we miss the milestone. We don't hide behind "coming soon."
Every state change on every matter writes a row.
scope_activity is the append-only event log. Retained 365 days, available on request for audit. PII redacted in samples below.
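As an added example of what "append-only" can mean at the database layer, and of the per-matter event chain the governance sections above describe scope_roster_audit returning for compliance review: updates, deletes and truncation are refused by trigger, and each row carries a SHA-256 link to the previous event on the same matter so a reviewer can verify that nothing was altered, removed or reordered. This is constructed for this page and is not Scope's implementation of scope_activity; the column set, the function and trigger names, the hashing scheme and the sample matter id are assumptions, and the `authenticated` role is Supabase's.

```sql
-- Added example; not Scope's implementation of scope_activity. Column set,
-- function/trigger names, hashing scheme and the sample matter id are
-- assumptions. Needs PostgreSQL 11+ for the built-in sha256(bytea).

create table scope_activity (
  id         bigint generated always as identity primary key,
  matter_id  uuid        not null,
  actor_id   uuid,                 -- auth.uid() of the actor; null for system events
  event_type text        not null, -- e.g. 'bid.placed', 'matter.awarded'
  payload    jsonb       not null default '{}'::jsonb, -- redacted summary, never the document
  prev_hash  bytea,                -- hash of the previous event on this matter
  event_hash bytea       not null,
  created_at timestamptz not null default now()
);

-- Canonical bytes the chain commits to for one event (jsonb::text is key-sorted).
create function scope_activity_bytes(p_type text, p_actor uuid, p_payload jsonb)
returns bytea language sql immutable as $$
  select convert_to(p_type || '|' || coalesce(p_actor::text, '') || '|' || p_payload::text, 'UTF8')
$$;

-- BEFORE INSERT: link the new event to the current chain head for its matter.
create function scope_activity_link() returns trigger language plpgsql as $$
declare
  v_prev bytea;
begin
  -- Serialize writers per matter so two concurrent inserts cannot both claim
  -- the same predecessor and fork the chain.
  perform pg_advisory_xact_lock(hashtext(new.matter_id::text)::bigint);

  select event_hash into v_prev
  from scope_activity
  where matter_id = new.matter_id
  order by id desc
  limit 1;

  new.prev_hash  := v_prev;
  new.created_at := now();         -- server clock, not whatever the client sent
  new.event_hash := sha256(coalesce(v_prev, '\x'::bytea)
                           || scope_activity_bytes(new.event_type, new.actor_id, new.payload));
  return new;
end $$;

create trigger scope_activity_link_chain
  before insert on scope_activity
  for each row execute function scope_activity_link();

-- Append-only: refuse every row mutation, and TRUNCATE as well.
create function scope_activity_reject_mutation() returns trigger language plpgsql as $$
begin
  raise exception 'scope_activity is append-only; % rejected', tg_op
    using errcode = 'insufficient_privilege';
end $$;

create trigger scope_activity_no_update_delete
  before update or delete on scope_activity
  for each row execute function scope_activity_reject_mutation();

create trigger scope_activity_no_truncate
  before truncate on scope_activity
  for each statement execute function scope_activity_reject_mutation();

-- Belt and braces: application roles never hold the privileges at all.
revoke update, delete, truncate on scope_activity from public, authenticated;

-- Walk one matter's chain and recompute every link; false means a row was
-- altered, removed or reordered behind the triggers' back.
create function verify_matter_chain(p_matter_id uuid) returns boolean
language plpgsql stable as $$
declare
  r      record;
  v_prev bytea := null;
begin
  for r in select * from scope_activity where matter_id = p_matter_id order by id loop
    if r.prev_hash is distinct from v_prev then
      return false;
    end if;
    if r.event_hash <> sha256(coalesce(v_prev, '\x'::bytea)
                              || scope_activity_bytes(r.event_type, r.actor_id, r.payload)) then
      return false;
    end if;
    v_prev := r.event_hash;
  end loop;
  return true;
end $$;

-- Usage with a constructed matter id: every state change appends one row.
insert into scope_activity (matter_id, actor_id, event_type, payload) values
  ('00000000-0000-0000-0000-00000000aaaa', null, 'matter.opened',  '{"category":"records"}'),
  ('00000000-0000-0000-0000-00000000aaaa', null, 'bid.placed',     '{"amount_cents":45000}'),
  ('00000000-0000-0000-0000-00000000aaaa', null, 'matter.awarded', '{"bid_ref":"redacted"}');

select verify_matter_chain('00000000-0000-0000-0000-00000000aaaa');
update scope_activity set payload = '{}' where event_type = 'bid.placed'; -- rejected by trigger
```

Two caveats a reviewer should keep in mind: a superuser or table owner can still drop the triggers, so the hash chain (and an exported copy of the chain heads) is what lets an auditor detect tampering rather than merely prevent it; and the chain is per matter, so `verify_matter_chain` says nothing about rows on other matters.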