SECURITY & TRUST

Your documents. Your privilege. Our responsibility.

MotionValidator processes privileged legal documents. We don't take that lightly. This page explains exactly how we protect your work, your clients, and your practice.

CORE PRINCIPLES

Your work is not our training data.

We never use your documents to train our models. Not anonymized. Not aggregated. Not ever. Your briefs are verified and deleted. Period.

Privilege protection is non-negotiable.

We strip personally identifiable information before processing. Attorney-client privilege stays intact. Confidential information never leaves our secured infrastructure.

You control retention.

Documents auto-delete after 7 days. You can delete manually at any time. No exceptions. No "archives for quality assurance." When you delete, it's gone forever and beyond recovery.

Transparency over opacity.

This page tells you exactly what we do with your data, how our systems work, and what protections are in place.

DATA HANDLING

What happens when you upload a document.

We designed a linear pipeline that minimizes the time your data spends at rest. From the moment you upload to the moment of deletion, every step is automated and encrypted.

01. Upload & Encryption

Your document is transmitted over TLS 1.3 and encrypted at rest using AES-256. It never touches unencrypted storage.

02. PII Stripping

Before processing, we automatically redact personally identifiable information—names, addresses, phone numbers, SSNs, and financial numbers. This layer runs before any AI analysis.

03. Processing

Your brief is analyzed within our secured infrastructure. For AI inference, we use SOC 2, ISO 27001, HIPAA, and PCI DSS certified providers. Before any external inference call, we strip all personally identifiable information and replace sensitive content with anonymized placeholders. Citation verification happens against our internal replica of the Free Law Project corpus; we make no external API calls for case law lookups.

04. Storage

Processed documents and verification reports are stored encrypted in isolated, access-controlled storage, in separate silos for every user. Audit logs track every access event.

05. Deletion

After 7 days, documents and all associated data are permanently deleted from all systems, including backups. You can manually delete anytime before the 7-day window. Deletion is irreversible, even with a court order.

TECHNICAL SECURITY

Infrastructure & Hardening

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption for all data at rest
  • Encrypted backups with separate key management
  • Key rotation on a regular schedule

Network Security

  • Isolated virtual private cloud (VPC) architecture
  • Multi-layer firewall protection
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning and penetration testing

Application Security

  • RBAC with principle of least privilege
  • Multi-factor authentication for administrative access
  • Input validation to prevent injection attacks
  • OWASP Top 10 compliance in development practices

Third-Party AI Providers

We use external inference providers selected based on strict criteria:

  • SOC 2 Type II & ISO 27001 certified
  • HIPAA & PCI DSS compliant

Before content reaches these providers:

  • All personally identifiable information is stripped
  • Sensitive content is replaced with placeholders
  • No case-specific details that could identify parties remain

These providers process only the linguistic structure of your arguments—not the confidential details.

Logging & Monitoring

  • Comprehensive audit logging of document access
  • Real-time monitoring for anomalous activity
  • Automated alerts for security-relevant events
  • Log retention for forensic analysis

COMPLIANCE

Our Framework

SOC 2 Type II Principles

While we are not yet SOC 2 certified, our infrastructure is designed around SOC 2 Trust Service Principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. We are working toward formal certification in 2026.

ISO 27001 Alignment

Our information security management practices align with ISO 27001 standards, including risk assessment, access control policies, and secure development lifecycles.

LEGAL & PRIVACY

Privilege & GDPR

Attorney-Client Privilege

We recognize that documents uploaded to MotionValidator may contain privileged communications. Our processing preserves privilege via:

  • No human review of document contents
  • Automated PII redaction
  • No sharing of content with third parties
  • Secure deletion

GDPR & Privacy Law

We practice data minimization and purpose limitation. Documents are processed solely for verification. Users may delete any data at any time; our system does not retain it for any purpose.

ACCESS CONTROL

Who can see your documents

User Access: Only you. We do not share documents between users.

Administrative Access: Restricted to essential personnel only, logged, auditable, and subject to MFA. Granted only for debugging with user consent.

Third-Party Access: We use certified external AI inference providers (SOC 2, ISO 27001, HIPAA, PCI DSS compliant) for language model processing. Before your content reaches these providers, we strip all personally identifiable information and replace sensitive details with anonymized placeholders. Our case law verification queries our own replica of the Free Law Project corpus that exists within our infrastructure; there are no external API calls for legal research. We do not share document contents with any other third parties.

Subpoenas: We will challenge overbroad requests, but because documents auto-delete after 7 days, we often would not have materials relevant to a subpoena anyway. We will inform users whose accounts become subject to a subpoena unless legally prevented from doing so.

INCIDENT RESPONSE

If something goes wrong

Security Incident Protocol

In the event of a security incident, we execute a 5-step protocol:

  1. Containment: Affected systems isolated immediately.
  2. Investigation: Forensic analysis to determine scope.
  3. Notification: Users notified within 72 hours.
  4. Remediation: Vulnerabilities patched and systems restored.
  5. Review: Root cause analysis and process updates.

User Notification

We will notify you directly with:

  • Description of what happened and data affected
  • Steps we've taken to remediate
  • Actions you should consider taking

TRANSPARENCY

Commitments we make.

No Training on User Data

Many AI companies have ambiguous policies. We don't. Your documents are never used to train our models. This is foundational to MotionValidator.

No Analytics on Content

We don't analyze aggregated document data to build market intelligence products. We verify your brief and delete it.

No Sale of Data

We do not sell, rent, or license user data or usage pattern data. Our business is legal verification services, not data brokerage.

Open Communication

We will not retroactively apply policy changes to documents already processed. You will be notified before any policy changes.

Standards in Progress

Security is an ongoing process. We are actively pursuing formal certifications to validate our internal practices.

  • SOC 2 Type II Certification (Target: Q3 2026)
  • ISO 27001 Certification (Target: Q4 2026)
  • State Bar Ethics Compliance Review (Ongoing)

This page will be updated as certifications are achieved.

Still have concerns?

Security and privilege protection are not optional for legal practice. If you have specific questions about our practices or threat modeling:

Email: support@motionvalidator.com

Response time: Within 24 hours for security-related inquiries

Last Updated: January 2026