CaseVault is built for abuse survivors navigating family court. Security isn't a feature — it's the foundation.
All case data, messages, and evidence entries are encrypted at rest using AES-256 before they touch disk. File attachments stored in R2 use the same encryption. Your case materials cannot be read without your credentials.
Every request to CaseVault is served over TLS 1.2 or higher with HSTS (HTTP Strict Transport Security) enforcing HTTPS. Mixed-content pages are never served. All cookies are HttpOnly with SameSite=Strict.
Every document access, entry creation, and user action is recorded with user ID, action type, timestamp, and IP address. Logs are append-only and immutable — no edits or deletes. Admin audit logs are retained for 7 years.
CaseVault never collects or stores your home or work address. Survivors use a virtual mailbox address — never a physical one. This is the core privacy guarantee the platform is built around.
Case-level isolation ensures users only see data for cases they're authorized on. Roles include owner, attorney, judge, and support. No cross-case data leakage — the system enforces this at the database query level.
Multi-factor authentication via TOTP (Google Authenticator, Authy, etc.) is required for attorney and judge accounts. Protects against credential compromise for high-sensitivity roles with access to court documents.
You can export all your case data as JSON at any time. Account deletion removes personal information while preserving system integrity. Data export and deletion are both self-serve via the app.
Passwords are hashed with bcrypt (cost factor 12) — never stored in plaintext. Legacy SHA-256 hashes are automatically upgraded on login. Session tokens are cryptographically random with configurable expiry.
CaseVault is designed to meet SOC 2 Type II requirements. Security controls documented here support government contract procurement. For a full Security Posture document, contact the CaseVault team.
In the event of a confirmed data breach, CaseVault will notify affected users within 72 hours of confirmation. Notification will be sent to the registered email address and in-app notification system. Our breach response process includes internal escalation, forensic investigation, user notification, and regulatory reporting where required.