Confidentiality & Data Security Policy

Last updated: March 29, 2026

Our Commitment

ExpertDraft.ai is built for the legal profession. We understand that case information is privileged, sensitive, and subject to the highest standards of confidentiality. This policy details the technical, contractual, and operational measures we employ to protect your data at every stage of the report generation process.

1. Scope and Applicability

This Confidentiality & Data Security Policy applies to all case information, attorney work product, client communications, and any other privileged or confidential materials submitted to or generated through the ExpertDraft.ai platform. This policy governs the conduct of JMKA LLC, its employees, contractors, and all expert witnesses participating in the ExpertDraft network.

2. Security Measures

2.1 Encryption

  • Data at Rest: All case data, documents, and reports are encrypted using AES-256 encryption
  • Data in Transit: All communications between clients and our servers use TLS 1.2+ encryption
  • Document Storage: Uploaded documents are stored in encrypted cloud storage with access logging

2.2 Access Controls

  • Role-Based Access: Case data is isolated per user account. Attorneys can only access their own cases; experts can only access their assigned reports
  • Row-Level Security: Database row-level security policies enforce data isolation at the infrastructure level
  • Principle of Least Privilege: Each user and system component has access only to the minimum data necessary for its function

2.3 AI Processing Security

  • AWS Bedrock: Case materials are processed by AWS Bedrock. Data sent to Bedrock is not retained after processing and is not used for model training
  • No Persistent Storage: Case information processed by the AI is not stored beyond the generation session
  • Isolation: Each report generation request is processed in isolation with no cross-contamination between cases

3. Infrastructure Security and SOC 2

Our infrastructure providers (AWS, Supabase, Stripe) maintain SOC 2 Type II certifications. ExpertDraft implements security controls consistent with SOC 2 trust service criteria, including:

  • Network isolation — production databases are not directly accessible from the public internet
  • Real-time monitoring for unauthorized access attempts
  • Audit logging of all data access events
  • Regular review of access controls and security configurations

4. HIPAA Safeguards

ExpertDraft implements administrative, technical, and physical safeguards consistent with HIPAA requirements for the protection of protected health information (PHI). We maintain Business Associate Agreements (BAAs) with subprocessors that process protected health information.

5. Attorney-Client Privilege and Work Product Protections

5.1 Preservation of Privilege

ExpertDraft.ai is designed to function as a tool used by attorneys in anticipation of litigation. All case information submitted to the Platform is treated as confidential attorney work product. Our systems and processes are structured to preserve, not waive, any applicable attorney-client privilege or work product protections.

5.2 Expert Witness Engagement

Expert witnesses in the ExpertDraft network are engaged as consulting experts retained by the attorney through our platform. Case information is disclosed to assigned experts solely for the purpose of preparing expert reports. Experts are contractually bound by non-disclosure obligations before any case information is shared.

5.3 No Voluntary Disclosure

We will not voluntarily disclose any case information to any third party except as required by law, court order, or as necessary to provide the services described in our Terms of Service. In the event of a legal demand for case information, we will promptly notify the submitting attorney unless prohibited by law from doing so.

6. Non-Disclosure Agreements

6.1 Platform-Wide Confidentiality

All users must acknowledge and accept our confidentiality terms before using the Platform. This establishes mutual confidentiality obligations and restricts the use of case information to the specific purpose for which it was submitted.

6.2 Expert Witness NDAs

Every expert witness in the ExpertDraft network executes a comprehensive NDA that includes:

  • Prohibition on disclosing case information to any unauthorized party
  • Obligation to use case information solely for report preparation
  • Requirement to destroy or return all case materials upon completion
  • Prohibition on retaining copies of case documents beyond the engagement
  • Surviving obligations that continue indefinitely after the engagement ends

6.3 Employee and Contractor NDAs

All JMKA LLC employees and contractors with access to case information execute NDAs with terms at least as restrictive as those imposed on expert witnesses.

7. Document Handling Procedures

7.1 Upload and Storage

Documents uploaded to the Platform are immediately encrypted and stored in secure cloud storage. Each document is assigned a unique identifier and access is logged. Only the submitting attorney, assigned expert witness, and authorized administrators can access uploaded documents.

7.2 Access Logging

Every access to case documents is logged with a timestamp, user identity, and action taken. Access logs are available to the submitting attorney upon request.

7.3 Document Destruction

Upon case closure or at the attorney’s request, all case documents can be permanently destroyed from our systems. Backup copies are purged within 30 days of the destruction request.

8. Expert Witness Information Barriers

We maintain strict information barriers between cases and experts:

  • Expert witnesses can only view case information for reports they are specifically assigned to
  • Experts cannot search for, browse, or discover cases they are not assigned to
  • Case assignment is controlled by platform administrators, not by experts
  • Conflict-of-interest screening is performed before case assignment
  • If a conflict is identified, the expert is immediately removed from the case and all access is revoked

9. Incident Response

9.1 Breach Notification

In the event of a data breach affecting case information, we will notify all affected attorneys within 72 hours of discovery. Notification will include the nature of the breach, the types of information affected, the measures taken in response, and recommendations for protective action.

9.2 Response Protocol

Our incident response protocol includes:

  • Immediate containment and investigation
  • Notification to affected users within 72 hours
  • Notification to relevant regulatory authorities as required by law
  • Post-incident review and implementation of preventive measures
  • Written incident report provided to affected parties

10. Data Retention and Destruction

  • Active Cases: All case data is retained for the duration of active engagement
  • Completed Cases: Case data and reports are retained for the duration of the account plus 30 days after a deletion request
  • Expert Working Copies: Experts must destroy all working copies within 14 days of report delivery
  • On-Demand Deletion: Attorneys may request deletion of case data at any time, subject to legal retention requirements

11. Subprocessors

The following third-party services process case data under contractual confidentiality obligations:

  • AWS (Bedrock): AI processing — no data retention, BAA in place
  • Supabase: Database hosting, file storage, and authentication — encrypted at rest
  • Stripe: Payment processing — PCI DSS Level 1 compliant, no access to case data
  • Resend: Transactional email delivery
  • Vercel: Application hosting — no persistent storage of case data
  • Cloudflare: DNS management and email routing

We maintain Business Associate Agreements with subprocessors that process protected health information. We evaluate all subprocessors for security and confidentiality compliance before engagement.

12. Your Responsibilities

As a user of the Platform, you are responsible for:

  • Maintaining the security of your account credentials
  • Ensuring you have the authority to submit case information to the Platform
  • Obtaining any necessary client consents for sharing case information with our service
  • Complying with your own ethical and professional obligations regarding client confidentiality
  • Reporting any suspected security incidents to us immediately at security@expertdraft.ai

13. Changes to This Policy

We may update this policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated to registered users via email at least 30 days before taking effect. The current version of this policy is always available at this URL.

14. Contact Us

For questions about this policy, to report a security concern, or to request case data deletion:

JMKA LLC
Wyoming, USA
Security: security@expertdraft.ai
Legal: legal@expertdraft.ai