Security Your Clients Deserve
ProvaLens is built from the ground up to protect sensitive legal and medical information. HIPAA compliant. Fully encrypted. Audit-logged. We'll sign a BAA before you upload your first document.
- HIPAA Compliant
- 256-bit AES Encryption
- SOC 2 Type II (Azure)
- 99.9% Uptime SLA
- BAA Available
HIPAA Compliance Built In
Personal injury and employment law firms handle sensitive medical information daily. ProvaLens is designed to meet HIPAA requirements from day one.
Business Associate Agreement
We sign a BAA with every customer during onboarding. No uploads are permitted until the agreement is in place. We take our responsibilities as a business associate seriously.
Complete Audit Logging
Every access to PHI is logged with user, action, timestamp, and IP address. Audit logs are immutable and retained for 6+ years. Available for compliance reviews on request.
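An immutable audit log is only as good as a reviewer's ability to prove that nothing was edited or removed after the fact. The following is an added illustration, not ProvaLens code: a hash-chained, append-only log carrying the fields the page lists (user, action, timestamp, IP address), plus an assumed `resource` field and a verifier that reports the first entry whose contents, order, or predecessor hash no longer match. The sample events are constructed for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace


@dataclass(frozen=True)
class AuditEntry:
    """One PHI access record: the fields the page lists, plus the chain hashes."""
    seq: int
    timestamp: str      # ISO 8601 UTC, e.g. "2024-05-01T14:03:09Z"
    user: str
    action: str         # e.g. "view", "download", "query"
    ip: str
    resource: str       # assumed field (document or matter id); not named on the page
    prev_hash: str      # entry_hash of the previous record (all zeros for the first)
    entry_hash: str     # SHA-256 over every field above


GENESIS = "0" * 64


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on dict ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to its predecessor's hash."""

    def __init__(self):
        self._entries: list[AuditEntry] = []

    def append(self, timestamp: str, user: str, action: str, ip: str, resource: str) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        body = {"seq": len(self._entries), "timestamp": timestamp, "user": user,
                "action": action, "ip": ip, "resource": resource, "prev_hash": prev}
        entry = AuditEntry(entry_hash=_digest(body), **body)
        self._entries.append(entry)
        return entry

    def entries(self) -> list[AuditEntry]:
        return list(self._entries)     # a copy: callers cannot mutate the log


def verify_chain(entries: list[AuditEntry]):
    """Return None if the chain is intact, else the index of the first bad entry.
    Catches edited fields, deleted or reordered entries, and a truncated head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = asdict(e)
        body.pop("entry_hash")
        if e.seq != i or e.prev_hash != prev or _digest(body) != e.entry_hash:
            return i
        prev = e.entry_hash
    return None


def accesses_by(entries: list[AuditEntry], user: str) -> list[AuditEntry]:
    """The per-user view a compliance reviewer would ask for."""
    return [e for e in entries if e.user == user]


def tamper(entries: list[AuditEntry], index: int, **changes) -> list[AuditEntry]:
    """Simulate a retroactive edit of one exported entry (for demonstration only)."""
    edited = entries[:]
    edited[index] = replace(edited[index], **changes)
    return edited


def build_sample_log() -> AuditLog:
    """Constructed sample events; not real ProvaLens data."""
    log = AuditLog()
    log.append("2024-05-01T14:03:09Z", "jdoe@firm.example", "view", "203.0.113.7", "doc-1042")
    log.append("2024-05-01T14:05:41Z", "jdoe@firm.example", "download", "203.0.113.7", "doc-1042")
    log.append("2024-05-01T15:12:00Z", "asmith@firm.example", "query", "198.51.100.23", "matter-77")
    return log


if __name__ == "__main__":
    sample = build_sample_log().entries()
    print("intact:", verify_chain(sample))
    print("edit detected at:", verify_chain(tamper(sample, 1, user="someone-else")))
    print("deletion detected at:", verify_chain(sample[:1] + sample[2:]))
```

Chaining alone does not stop an insider with write access from rewriting the whole chain; in practice the latest `entry_hash` is periodically anchored somewhere the application cannot overwrite (write-once storage, a signed timestamp, or a separate system) so that a reviewer can check the exported log against an independent root.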
PHI Detection
Documents containing protected health information are automatically detected and flagged. Medical records, insurance documents, and healthcare correspondence receive enhanced protection.
Security & Confidentiality
Law firms trust ProvaLens with highly sensitive case materials. We take that responsibility seriously.
Data Protection
- All documents are encrypted in transit and at rest
- Each firm's data is logically isolated
- Access is restricted to authorized users only
AI Usage & Data Ownership
- Your data is never used to train public or third-party models
- You retain full ownership of all uploaded content
- AI outputs are generated only from your documents
Auditability & Accuracy
- Every answer includes document citations
- If ProvaLens cannot find support in your files, it will not fabricate an answer
- Designed to support attorney review, not replace it
Your Control
- Upload, query, and delete documents at any time
- Export answers and citations for internal use
- Attorneys remain fully responsible for legal judgment
HIPAA & Sensitive Data
ProvaLens is built to handle sensitive records, including medical documentation, with HIPAA-aware safeguards and best practices.
Bottom line: ProvaLens reduces risk — it does not introduce it.
Encryption in Transit and at Rest
Your data is encrypted at every stage where it moves or is stored, from the moment you upload a document to when you view search results. Encryption protects your clients' information both on the wire and on disk.
In Transit
TLS 1.3 encryption for all data in motion. HTTPS only. No exceptions.
At Rest
AES-256 encryption for all stored documents, database fields, and backups.
Key Management
Azure Key Vault for secure key storage with automatic rotation.
Role-Based Permissions
Three permission tiers, from most to least privileged:
- Full access, user management, billing, integrations
- Create matters, upload documents, run AI queries, export reports
- View assigned matters, upload documents, basic search
Granular Access Control
Control exactly who can access what. Role-based permissions ensure team members only see the matters they're assigned to. Every firm's data is completely isolated.
Multi-Tenant Isolation - Your firm's data is completely separate from other firms. Database-level isolation ensures no cross-firm data access is possible.
Secure Authentication
Two-Factor Authentication
Optional 2FA with TOTP apps like Google Authenticator or Authy. Add an extra layer of security.
Session Management
Automatic session timeouts. Secure JWT tokens with short expiration. Refresh token rotation.
Account Lockout
Automatic lockout after failed login attempts. Protection against brute force attacks.
Secure Password Reset
Email verification with time-limited tokens. Password strength requirements.
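The four mechanisms above (short-lived access tokens, refresh token rotation, lockout after failed logins, time-limited reset tokens) fit together in one flow. The block below is an added, self-contained illustration and is not ProvaLens code: it stands in an HMAC-signed token for a real JWT library and an in-memory dict for the database, and the thresholds and lifetimes are assumed values chosen for the example. The point worth seeing is the reuse check in `rotate`: once a refresh token has been exchanged, presenting it again means someone holds a second copy, so the whole token family is revoked.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (illustrative values, not taken from the page)
SIGNING_KEY = secrets.token_bytes(32)   # stands in for the JWT signing key
ACCESS_TTL = 15 * 60                    # short-lived access token
REFRESH_TTL = 7 * 24 * 3600
RESET_TTL = 30 * 60                     # time-limited password reset
MAX_FAILURES = 5                        # lockout threshold
LOCKOUT_SECONDS = 15 * 60


def _sign(payload: str) -> str:
    """Append an HMAC-SHA256 tag; a real deployment would issue a JWT instead."""
    tag = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def _parse(token: str, now: float):
    """Return (kind, user, extra) if the tag is valid and the token is unexpired, else None."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    kind, user, exp, extra = payload.split("|")   # format is ours, so the split is safe
    if now >= float(exp):
        return None
    return kind, user, extra


class SessionStore:
    """In-memory stand-in for the tables a real service would keep."""

    def __init__(self):
        self.families = {}        # refresh family id -> nonce of the one currently valid token
        self.failures = {}        # user -> (failed attempts, locked_until)
        self.reset_hashes = {}    # sha256(reset token) -> (user, expires)

    # --- login with lockout -------------------------------------------
    def login(self, user: str, password_ok: bool, now: float):
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked", None                # refuse even a correct password while locked
        if not password_ok:
            count += 1
            locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
            self.failures[user] = (count, locked_until)
            return "denied", None
        self.failures.pop(user, None)            # success clears the counter
        return "ok", self._issue_pair(user, secrets.token_hex(8), now)

    def _issue_pair(self, user: str, family: str, now: float):
        nonce = secrets.token_hex(16)
        self.families[family] = nonce            # only the newest refresh token in a family is valid
        access = _sign(f"access|{user}|{now + ACCESS_TTL}|-")
        refresh = _sign(f"refresh|{user}|{now + REFRESH_TTL}|{family}:{nonce}")
        return access, refresh

    def check_access(self, token: str, now: float):
        parsed = _parse(token, now)
        return parsed[1] if parsed and parsed[0] == "access" else None

    # --- refresh rotation with reuse detection -----------------------
    def rotate(self, refresh_token: str, now: float):
        parsed = _parse(refresh_token, now)
        if not parsed or parsed[0] != "refresh":
            return None
        _, user, extra = parsed
        family, nonce = extra.split(":")
        if self.families.get(family) != nonce:
            # A token that was already rotated (or whose family was revoked) came back:
            # either the client or an attacker holds a stolen copy, so kill the family.
            self.families.pop(family, None)
            return None
        return self._issue_pair(user, family, now)

    # --- time-limited, single-use reset tokens ------------------------
    def issue_reset(self, user: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)
        self.reset_hashes[hashlib.sha256(raw.encode()).hexdigest()] = (user, now + RESET_TTL)
        return raw                               # only the hash is stored server-side

    def consume_reset(self, raw: str, now: float):
        entry = self.reset_hashes.pop(hashlib.sha256(raw.encode()).hexdigest(), None)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]
```

Storing only the hash of the reset token means a database read does not hand an attacker a usable link, and popping the entry on first use makes the token single-use whether or not it was valid.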
Enterprise-Grade Infrastructure
ProvaLens runs on Microsoft Azure, a platform trusted by healthcare organizations, financial institutions, and government agencies worldwide.
Azure Cloud
Hosted on Microsoft Azure with HIPAA BAA. SOC 1/2/3 certified data centers. Geographic redundancy for disaster recovery.
Automated Backups
Daily encrypted backups with 30-day retention. Point-in-time recovery available. Backups stored in separate geographic region.
DDoS Protection
Azure DDoS Protection Standard (now sold as Azure DDoS Network Protection). Web Application Firewall. Rate limiting and bot protection at the edge.
24/7 Monitoring
Real-time infrastructure monitoring. Automatic alerting for anomalies. Auto-scaling to handle load spikes.
AI with Privacy in Mind
We've carefully selected AI partners who take data privacy as seriously as we do. Your documents are never used to train AI models.
Anthropic (Claude)
SOC 2 Type II certified. Data not used for training. HIPAA BAA available. Zero data retention policy.
Azure OpenAI
Microsoft's enterprise AI with full Azure compliance. Data stays within the ProvaLens Azure environment; it is not shared with OpenAI and is not used to train models. HIPAA eligible.
No Training on Your Data
The AI providers process your documents for each request and do not retain them afterward. We have contractual guarantees that your data will never be used to train AI models.
Your Data, Your Control
Data Export
Export all your data at any time. Documents, metadata, timelines, and research history. Your data belongs to you.
Complete Deletion
Request deletion of any matter or your entire account. Data is purged from all systems including backups within 30 days. Audit logs retained for compliance.
Retention Policies
Your documents are retained as long as you need them. No automatic purging. When you cancel, you have 90 days to export before deletion.
Security Questions?
Is ProvaLens HIPAA compliant?
Yes. There is no official HIPAA certification, so "compliant" means two things here: we sign a Business Associate Agreement with every customer, and the technical safeguards required by the HIPAA Security Rule are in place, including encryption, access controls, and audit logging.
Where is my data stored?
All data is stored in Microsoft Azure data centers in the United States. Backups are stored in a separate geographic region for disaster recovery.
Can I get a copy of your SOC 2 report?
ProvaLens relies on Azure's SOC 2 Type II report, which covers the underlying platform and data centers rather than the ProvaLens application itself. For our own controls, we can provide our security questionnaire responses and penetration test results under NDA.
Is my data used to train AI models?
No. We have contractual agreements with all AI providers (Anthropic, Microsoft) that your data will never be used for training. Your documents are processed and forgotten.
What happens if there's a data breach?
We have an incident response plan in place. In the unlikely event of a breach, we will notify affected customers within 72 hours of discovery. That is well inside the outer limit in HIPAA's Breach Notification Rule (a business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery), and we also follow any shorter deadline set by applicable state law.
Can I do a security review before signing up?
Absolutely. Contact our security team to schedule a review. We're happy to answer your security questionnaire, provide documentation, and discuss our practices in detail.
Ready to Protect Your Client Data?
Start your free trial or schedule a security review with our team.
Questions? Email our security team at security@provalens.ai