Trust & security

Privileged work, privileged environment.

PracticeAssistant is designed for environments where confidentiality, audit and professional responsibility are non-negotiable. Our security model reflects that.

Confidentiality, by construction

Tenant isolation, encrypted transport, audited action — the controls that make privileged work defensible.

Controls

Ten controls. One promise.

We are early in our journey to formal certifications. We are not early in our commitment to building the controls that earn them.

Infrastructure
Tenant isolation

Every record is scoped to its tenant. Row-level security policies are enforced at the database layer.

Encryption

TLS 1.2+ in transit. AES-256 at rest. Encrypted, signed-URL access to document storage.

Authentication

Email + password with planned SSO (SAML / OIDC). MFA can be required at the tenant level.

Authorisation

Ten roles with resource-level permissions, configurable per tenant.

Audit logging

Every AI call, document action, draft change and publication is recorded with user, time and disposition.

AI policy

Eight guardrails, confidence threshold, jurisdictional restrictions — set by the tenant administrator.

No model training

Your data is never used to train foundation models. Period.

Region selection

Choose EU or US deployment regions to suit your data residency requirements.

Vendor disclosure

Sub-processors are disclosed; OpenAI is used directly under enterprise data terms.

Human approval

AI outputs remain drafts until a qualified user signs them off.

Compliance roadmap

Where we are. Where we are going.

PracticeAssistant operates today against an internal control framework modelled on SOC 2 Type II and ISO 27001. Independent attestation is planned for our second year of operation. We will not claim certifications we have not earned.

In the meantime: ask us anything. Our team is willing to discuss our security posture, our sub-processor list, our incident response runbook and our retention policies in detail, under NDA where appropriate.

Next step

Speak to our team about your security review.