Security at Draftroom
Draftroom processes sensitive legal documents — deposition transcripts, attorney work product, and confidential case materials. Security is foundational to everything we build. This page summarizes the controls we have in place to protect your data.
Authentication & Access Control
Draftroom uses Microsoft OAuth for authentication. We do not store passwords. Every login is verified through Microsoft’s identity platform using OAuth with PKCE (Proof Key for Code Exchange).
- Domain allowlist — Only users from authorized firm domains can access the platform. Your firm administrator controls which domains are permitted.
- Session timeouts — Sessions expire after 30 minutes of inactivity and have an 8-hour absolute limit.
- Login lockout — Accounts are temporarily locked after repeated failed login attempts to prevent brute-force attacks.
- Bot protection — Login is protected by Cloudflare Turnstile to prevent automated attacks.
- Role-based access — A three-tier permission model (administrator, company admin, user) ensures users only access their own firm’s data.
Data Encryption
Your data is encrypted both at rest and in transit.
- In transit — All connections use HTTPS with TLS. HSTS headers ensure browsers always connect securely.
- At rest — Documents stored in AWS S3 are encrypted using server-side encryption. Database records are encrypted via AWS RDS encryption.
- API keys — If you bring your own LLM provider key, it is encrypted before storage, using strong key derivation, and is never exposed in plaintext.
Document Processing
When you submit a transcript for processing:
- Your document is uploaded to encrypted storage and processed within our secure AWS environment.
- We send document content to AI providers (such as Anthropic and OpenAI) for analysis. These providers operate under zero-retention policies for API usage — your data is not stored or used for model training.
- Generated work products are stored in your account and accessible only to authorized users at your firm.
- You can purge your documents and work products at any time through your account settings.
Infrastructure
Draftroom runs entirely on Amazon Web Services (AWS), which maintains SOC 2 Type II certification and numerous other compliance certifications.
- Private networking — Application servers run in private subnets with no direct internet access. All traffic flows through a load balancer.
- Non-root containers — Application containers run as an unprivileged user, limiting the impact of any potential vulnerability.
- Automated backups — Database backups are performed automatically by AWS RDS.
- No shared hosting — Draftroom runs on dedicated compute resources, not shared servers.
Application Security
We follow security best practices throughout the application:
- Input validation — All user input is validated and sanitized. Database queries use parameterized statements to prevent injection attacks.
- Cross-site protections — CSRF tokens protect all form submissions. Output encoding prevents cross-site scripting. Clickjacking is blocked via frame restrictions.
- Rate limiting — Request rate limits protect against abuse on login, upload, and API endpoints.
- Security headers — Content Security Policy, HSTS, and other security headers are applied to every response.
- Dependency management — All dependencies are pinned to exact versions and scanned for known vulnerabilities.
Audit & Monitoring
All significant actions are logged for accountability and incident response:
- Logins, logouts, failed login attempts, and account lockouts
- Job submissions, confirmations, deletions, and data purges
- Administrative actions including configuration changes and user management
- Email alerts are sent automatically for critical security events
- Infrastructure is monitored via AWS CloudWatch with automated alerting
Compliance & Policies
Draftroom is pursuing SOC 2 Type II readiness. We maintain formal security policies covering:
- Information Security Policy
- Data Classification & Handling
- Incident Response Plan
- Change Management
- Data Retention & Disposal
- Business Continuity & Disaster Recovery
- Vendor Assessment
- Access Review Procedures
Policies are reviewed annually and updated as our security posture evolves.
Vendor Security
We carefully evaluate the security posture of every vendor in our supply chain. All critical vendors maintain SOC 2 Type II certification or equivalent:
- AWS — Infrastructure (SOC 2, ISO 27001, FedRAMP)
- Cloudflare — Network security and DDoS protection (SOC 2, ISO 27001)
- Anthropic — AI processing (SOC 2, zero-retention API policy)
- OpenAI — AI processing (SOC 2, zero-retention API policy)
- Microsoft — Authentication (SOC 2, ISO 27001)
- Stripe — Payment processing (PCI DSS Level 1, SOC 2)
Questions?
If you have questions about our security practices, please contact us at [email protected].
Last updated March 2026