Security & Trust
How we protect your data, your clients, and your practice.
The BenchSlap Pledge:
We do not read your documents. We do not train models on your data. We do not share, sell, or transfer your case files to anyone, ever. Your documents are encrypted, isolated, and yours alone.
1. Encryption
Every document you upload is encrypted before it touches our storage. Every connection to our servers is secured.
- Data in transit: TLS 1.3 (HTTPS enforced on all endpoints)
- Data at rest: AES-256 encryption on all stored documents
- Per-case isolation: Each Case Vault has its own encryption key (DEK)
- Key management: Keys encrypted with a master key, rotatable without re-encrypting data
- Password hashing: PBKDF2 with 600,000 iterations (OWASP 2025 standard)
- Session tokens: SHA-256 hashed, /16 subnet-bound, auto-expiring
2. Zero-Training Guarantee
Your documents, case files, and legal work are never used to train, fine-tune, or improve any model — ours or anyone else's. When our tools analyze your documents, the content is processed in real time and not retained beyond the session.
- Document text is extracted, analyzed, and results returned — the original file is deleted from processing storage immediately after extraction.
- Citation verification queries use only the extracted citation text (e.g., "Smith v. Jones, 123 P.3d 456"), never your full document.
- No document content is logged, cached, or stored outside your encrypted Case Vault.
3. Case Vault Isolation
Each case you create is a Case Vault — a cryptographically isolated container. Documents in one vault cannot be accessed from another, even by the same user, unless explicitly linked.
- Separate encryption key per vault
- Access control enforced at the database level (row-level security)
- Linked vaults require explicit user action and can be unlinked at any time
4. Data Deletion
You control your data completely:
- Delete a document: Permanently removes the encrypted file and extracted text from our systems.
- Delete a Case Vault: Destroys all documents, analysis results, and the vault's encryption key.
- Delete your account: Removes all vaults, documents, session data, and personal information within 30 days.
- Request full export: Contact us to receive a complete export of your data before deletion.
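The key design described in sections 1 and 4 (a per-vault DEK wrapped by a master key, rotation without re-encrypting documents, and vault deletion destroying the vault's key) can be sketched as follows. This is an added example, not BenchSlap's code; AES-256-GCM as the cipher mode, the in-memory vault object, and all function names are assumptions.

```javascript
// Added illustration; not BenchSlap's code. AES-256-GCM and all names are assumptions.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM seal: returns nonce (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key is wrong or the blob was modified.
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// A vault stores only the wrapped DEK; documents are sealed under the DEK.
function createVault(masterKey) {
  return { wrappedDek: seal(masterKey, randomBytes(32)), docs: new Map() };
}
function putDoc(vault, masterKey, name, data) {
  vault.docs.set(name, seal(open(masterKey, vault.wrappedDek), Buffer.from(data)));
}
function getDoc(vault, masterKey, name) {
  return open(open(masterKey, vault.wrappedDek), vault.docs.get(name)).toString();
}

// Master-key rotation re-wraps the 32-byte DEK; document ciphertext is untouched.
function rotateMasterKey(vault, oldKey, newKey) {
  vault.wrappedDek = seal(newKey, open(oldKey, vault.wrappedDek));
}

// Constructed demo: rotation, cross-vault isolation, and key destruction.
function demo() {
  const k1 = randomBytes(32), k2 = randomBytes(32);
  const a = createVault(k1), b = createVault(k1);
  putDoc(a, k1, 'brief.txt', 'constructed sample text');
  const before = Buffer.from(a.docs.get('brief.txt'));
  rotateMasterKey(a, k1, k2);
  const out = { unchanged: before.equals(a.docs.get('brief.txt')),
                readable: getDoc(a, k2, 'brief.txt') === 'constructed sample text',
                oldKeyRejected: false, isolated: false, shredded: false };
  try { getDoc(a, k1, 'brief.txt'); } catch { out.oldKeyRejected = true; }
  try { open(open(k1, b.wrappedDek), a.docs.get('brief.txt')); } catch { out.isolated = true; }
  a.wrappedDek = null; // vault deletion destroys the only copy of the DEK
  try { open(k2, a.docs.get('brief.txt')); } catch { out.shredded = true; }
  return out;
}
```

Calling `demo()` returns five booleans; all are `true` when the scheme behaves as described, including that leftover ciphertext is undecryptable with the master key alone once the wrapped DEK is gone.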
5. Infrastructure
- Hosting: DigitalOcean (US data centers, SOC 2 Type II certified)
- Database: Managed PostgreSQL with automated backups and encryption at rest
- Application: Node.js (LTS), behind nginx with rate limiting and DDoS mitigation
- Monitoring: Automated health checks, error logging, and anomaly detection
- Access control: SSH key-only authentication, fail2ban intrusion prevention
6. What We Do Not Do
- We do not sell your data to anyone.
- We do not use your data for advertising.
- We do not share your data with third parties except as required to provide the service (e.g., payment processing via Stripe).
- We do not access your documents without your explicit permission or a valid legal obligation.
- We do not store payment card numbers — all payment processing is handled by Stripe (PCI-DSS Level 1 certified).
7. Compliance
- CCPA: California residents may request access, deletion, and opt-out. See our Privacy Policy.
- UPL: BenchSlap is a legal technology tool, not a law firm. We do not provide legal advice. See our Disclaimer.
- Ethics: Designed for use by licensed attorneys and pro se litigants. Our tools support your judgment — they do not replace it.
8. Contact
Security concerns, data requests, or questions about our practices:
Email: security@benchslap.pro
For general support: support@benchslap.pro
Last updated: March 2026