What we do, in plain English.
Drill into the DPA or sub-processors list for the deeper details.
Data encryption.
TLS 1.2+ in transit. AES-256-GCM at rest for every OAuth token, refresh token, and SMTP password. Encryption keys live in our secret store, not the database.
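As an added illustration of the at-rest scheme described above (this is example code written for this page, not the vendor's implementation), the following Go program seals a token with AES-256-GCM, takes the 32-byte key from the caller rather than from any stored row, and binds each blob to its owning record through GCM's additional authenticated data so a ciphertext copied to another row fails to decrypt. The key, the token value and the record id are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts a secret (an OAuth refresh token, say) with AES-256-GCM.
// The key is supplied by the caller, which is where a fetch from the secret
// store belongs; the database only ever sees the returned blob. aad binds
// the blob to its owning row so a ciphertext moved to another record will
// not decrypt. Stored layout: base64( nonce || ciphertext || GCM tag ).
func Seal(key, plaintext, aad []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// Fresh random nonce per encryption: reusing a nonce under the same key
	// breaks both confidentiality and integrity for GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal. Any change to the blob, a wrong key, or a mismatched
// aad makes the GCM tag check fail and returns an error instead of data.
func Open(key []byte, blob string, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, raw[:ns], raw[ns:], aad)
}

func main() {
	// Constructed demo key; in production it comes from the secret store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	token := []byte("constructed-sample-refresh-token")
	aad := []byte("mailbox:42") // constructed record id
	blob, err := Seal(key, token, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored blob:", blob)
	pt, err := Open(key, blob, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
	if _, err := Open(key, blob, []byte("mailbox:43")); err != nil {
		fmt.Println("cross-row decrypt rejected:", err)
	}
}
```

The aad check is the part most deployments skip: without it, a database-level attacker who can move or duplicate rows can re-point a valid token at a different account even though they never learn the key.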
Mailbox access.
We request gmail.send / Mail.Send only. We never read your inbox. OAuth scopes are visible on the consent screen. Disconnect at any time and the token is deleted within seconds.
AI processing.
Drafts are generated using only the fields a client submits — never your mailbox or your case management system. Provider terms forbid training on inference data.
Audit log.
Every send, approve, mailbox change, and login is recorded with actor, IP, timestamp, and payload. Exportable to CSV on Firm and Scale.
Auto-send guardrails.
Auto-send mode never fires unless every safety check passes (no outcome promises, no fee mentions, no statute-of-limitations specifics) and the model's confidence exceeds the firm's threshold.
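To show how a fail-closed gate of this shape can be structured, here is an added Go example (not the vendor's code): each content rule is a named pattern, every rule runs over the draft, and one hit or a confidence below the firm's threshold routes the draft to review instead of sending. The phrase lists, the sample drafts and the 0.90 threshold are all constructed for the example and stand in for whatever the real rule set contains.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Draft is what the model hands back before the auto-send decision.
type Draft struct {
	Body       string
	Confidence float64 // model-reported confidence in [0, 1]
}

// Decision records every reason a draft was held; no reasons means it may send.
type Decision struct {
	AutoSend bool
	Reasons  []string
}

// contentChecks are illustrative patterns for the three content rules. The
// phrases are constructed for this example and would live as maintained data,
// not code, in a real system.
var contentChecks = []struct {
	name string
	re   *regexp.Regexp
}{
	{"outcome promise", regexp.MustCompile(`(?i)\b(guarantee[ds]?|will win|you will recover|certain to prevail)\b`)},
	{"fee mention", regexp.MustCompile(`(?i)(\$\s?\d|\d\s?%|\b(fees?|retainer|contingency|percent)\b)`)},
	{"statute of limitations specific", regexp.MustCompile(`(?i)\b(statute of limitations|limitations period|deadline to file|file (by|within))\b`)},
}

// Gate applies every check and fails closed: any finding, or a confidence
// below the firm's threshold, blocks auto-send. All reasons are collected so
// the reviewer sees the full picture, not just the first hit.
func Gate(d Draft, threshold float64) Decision {
	var reasons []string
	body := strings.TrimSpace(d.Body)
	if body == "" {
		reasons = append(reasons, "empty draft")
	}
	for _, c := range contentChecks {
		if loc := c.re.FindStringIndex(body); loc != nil {
			reasons = append(reasons, fmt.Sprintf("%s: %q", c.name, body[loc[0]:loc[1]]))
		}
	}
	if d.Confidence < threshold {
		reasons = append(reasons, fmt.Sprintf("confidence %.2f below threshold %.2f", d.Confidence, threshold))
	}
	return Decision{AutoSend: len(reasons) == 0, Reasons: reasons}
}

func main() {
	// Constructed sample drafts.
	drafts := []Draft{
		{"Thank you for reaching out. An attorney will review your submission and follow up within two business days.", 0.95},
		{"We guarantee a win on this claim.", 0.99},
		{"Our contingency fee is 33% of any recovery.", 0.99},
		{"The statute of limitations for this claim is two years.", 0.99},
		{"Thank you for reaching out. An attorney will review your submission.", 0.80},
	}
	for _, d := range drafts {
		r := Gate(d, 0.90)
		fmt.Printf("auto-send=%-5v %v\n", r.AutoSend, r.Reasons)
	}
}
```

Recording the matched fragment alongside the rule name is what makes the held draft actionable in the review queue, and it doubles as a regression corpus when the phrase lists are tuned.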
Business Associate Agreements.
We sign BAAs on Firm and Scale tiers. Email legal@docketreply.com to start the paperwork.
Annual third-party audit.
Report available under NDA on request — email security@docketreply.com.