Compliance

Privilege as architecture, not a checkbox.

How SophieScribe handles attorney-client privilege, ethical walls, and the broader compliance obligations that apply to a law firm running AI-assisted intake and drafting.

Draft for review

Technical claims on this page are grounded in our architecture. ABA Model Rules interpretations and state-bar specifics are pending review by legal-ethics counsel before this page becomes our authoritative compliance statement.

Privilege

Privilege handling

Every session, extraction, and draft carries a data classification that travels with it through the audit trail.

Privileged

Attorney-client communications. Highest classification. Cannot be downgraded without an attorney-recorded reason and an audit-log entry.

Work Product

Material prepared in anticipation of litigation. Default for AI-generated drafts until reviewed.

Confidential

Sensitive matter information that is not privileged. Internal access only.

Internal

Firm-operational, non-client data (e.g. Personal workspace content).

Public

Marketing material, published documents — not used for client matter content.

A classification ratchet prevents an AI output from being downgraded below the input's classification — if the source transcript is Privileged, the extracted issue cannot be exported at a lower classification.
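The ratchet and the downgrade rule from the tiers above, as an added Python illustration (this is not SophieScribe's own code; the tier ordering, the Work Product default for unreviewed drafts and the attorney-reason requirement are taken from this page, while the class and function names, the artifact shape and the audit-entry fields are assumptions):

```python
"""Classification ratchet for AI outputs (added example, not SophieScribe's code).

Assumed here: the Artifact shape, the function names and the audit-entry fields.
From the page: five ordered tiers, Work Product as the default for unreviewed
AI drafts, and Privileged never downgraded without an attorney-recorded reason
and an audit-log entry.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Classification(IntEnum):
    """The page's five tiers, ordered so that a higher value is more restrictive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    WORK_PRODUCT = 3
    PRIVILEGED = 4


@dataclass
class Artifact:
    """A session, extraction or draft; `level` travels with it through the audit trail."""
    artifact_id: str
    level: Classification
    lineage: List[str] = field(default_factory=list)  # ids of the inputs it derives from


class DowngradeRefused(PermissionError):
    """Raised when a downgrade is attempted without the required attorney record."""


def ratchet(output_id: str, inputs: List[Artifact],
            default: Classification = Classification.WORK_PRODUCT) -> Artifact:
    """Classify an AI output: start at the default for unreviewed drafts and raise
    it to the highest classification among the inputs, so a Privileged transcript
    yields a Privileged extraction that can never sit below its source."""
    level = max([default, *(a.level for a in inputs)])
    return Artifact(output_id, level, [a.artifact_id for a in inputs])


def can_export(artifact: Artifact, requested: Classification) -> bool:
    """Exporting at or above the artifact's own level is allowed; below it is a downgrade."""
    return requested >= artifact.level


def downgrade(artifact: Artifact, to_level: Classification, *, attorney: Optional[str],
              reason: Optional[str], audit_log: List[dict]) -> Artifact:
    """Lower an artifact's classification. Refused unless a named attorney records a
    reason; an accepted downgrade writes its audit entry before the level changes."""
    if to_level >= artifact.level:
        raise ValueError(f"{artifact.artifact_id}: {to_level.name} is not a downgrade")
    if not attorney or not reason:
        raise DowngradeRefused(
            f"{artifact.artifact_id}: downgrade from {artifact.level.name} "
            "needs an attorney-recorded reason")
    audit_log.append({
        "event": "classification.downgrade",  # constructed event name
        "artifact": artifact.artifact_id,
        "from": artifact.level.name,
        "to": to_level.name,
        "attorney": attorney,
        "reason": reason,
    })
    artifact.level = to_level
    return artifact
```

The ratchet is a pure function of the inputs, so it cannot be bypassed by the caller choosing a level; the only way down is `downgrade`, which refuses to touch the artifact until the audit entry has been written.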

Conflicts

Ethical walls

Conflicts of interest are enforced before any read, not after.

  • Matters carry a practice-group attribute. The matter's ethical-wall configuration lists which practice groups (or individual users) are excluded.
  • The authorization service applies the ethical-wall check before membership and share-policy checks. A user excluded by a wall cannot read the matter, regardless of role.
  • Attempted reads that fall behind a wall are denied silently to the user and captured in the audit log for compliance review.
  • Wall changes (add a user to an exclusion list, expand a wall) require an explicit attorney action and are themselves audit-logged.
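The check ordering described in the list above, as an added Python illustration (not SophieScribe's authorization service): the wall is evaluated before roles, membership or share policy, the user only ever sees a plain denial while the reason goes to the audit log, and wall edits are refused without a named attorney. The `User`/`Matter` shapes, the `admin` role, the share-policy values and the event names are assumptions.

```python
"""Ethical-wall check ahead of membership and share-policy checks.

Added example, not SophieScribe's code. Assumed: the data shapes, an "admin"
role that would otherwise read any matter, share-policy values "members"/"firm",
and the audit event names. From the page: wall first, silent denial, audit entry
on every denial, and attorney-only wall changes that are themselves logged.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class User:
    user_id: str
    practice_group: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Matter:
    matter_id: str
    practice_group: str
    members: Set[str]
    share_policy: str = "members"            # assumed values: "members" or "firm"
    walled_groups: Set[str] = field(default_factory=set)
    walled_users: Set[str] = field(default_factory=set)


class WallEditRefused(PermissionError):
    """Wall changes are an explicit attorney action; anything else is refused."""


def behind_wall(user: User, matter: Matter) -> bool:
    return (user.practice_group in matter.walled_groups
            or user.user_id in matter.walled_users)


def authorize_read(user: User, matter: Matter, audit_log: List[dict]) -> bool:
    """Decide a read. The wall is consulted first, so an excluded user is denied
    before role, membership or share policy are even looked at. The caller gets
    only True/False; the reason for a denial is written to the audit log."""
    if behind_wall(user, matter):
        audit_log.append({"event": "matter.read.denied", "reason": "ethical_wall",
                          "user": user.user_id, "matter": matter.matter_id})
        return False
    if ("admin" in user.roles                      # assumed firm-wide role
            or user.user_id in matter.members
            or matter.share_policy == "firm"):
        audit_log.append({"event": "matter.read", "user": user.user_id,
                          "matter": matter.matter_id})
        return True
    audit_log.append({"event": "matter.read.denied", "reason": "not_shared",
                      "user": user.user_id, "matter": matter.matter_id})
    return False


def add_wall_exclusion(matter: Matter, *, attorney: Optional[str],
                       user_id: Optional[str] = None,
                       practice_group: Optional[str] = None,
                       audit_log: List[dict]) -> None:
    """Expand a wall. Requires a named attorney and writes its own audit entry."""
    if not attorney:
        raise WallEditRefused(f"{matter.matter_id}: wall changes require an attorney action")
    if user_id:
        matter.walled_users.add(user_id)
    if practice_group:
        matter.walled_groups.add(practice_group)
    audit_log.append({"event": "matter.wall.changed", "attorney": attorney,
                      "matter": matter.matter_id, "user": user_id,
                      "practice_group": practice_group})
```

Because the wall branch returns before the role branch, a walled user who also holds the assumed `admin` role, or who is listed as a matter member, is still denied; the order of the `if` blocks is the control.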

ABA Model Rules

How SophieScribe supports your professional obligations

Specific Rule interpretations remain pending legal-ethics review. The architectural mappings below are grounded in the product.

Rule 1.1 — Competence

Tech competence (Comment 8). SophieScribe documents what the AI does, surfaces source citations, and preserves attorney control over every output, so the attorney remains the decision-maker.

Rule 1.6 — Confidentiality

Subprocessors that touch confidential data are listed publicly. AI vendors operate under terms that prohibit training on customer data. Encryption at rest and in transit is the default. Audio/video are never stored.

Rule 1.7 / 1.9 / 1.10 — Conflicts

Ethical walls are enforced architecturally (see Ethical walls above), not relied on as a procedural reminder.

Rule 5.3 — Supervisory responsibility over non-lawyers (incl. AI)

Every AI output enters an attorney review queue scoped to the matter. Per-item Confirm / Dismiss / Edit. Two-step approval for drafts. Audit log captures the attorney decision.

Rule 5.5 — Unauthorized practice

AI outputs are labeled Work Product and are never client-facing until an attorney reviews and approves. The product does not allow direct client communication without an attorney in the loop.

Rule 8.4 — Misconduct

Tamper-evident audit log makes after-the-fact reconstruction of attorney decisions possible — useful both for the firm internally and for any bar-complaint defense.

SOC 2

SOC 2 posture

Where we are, what the auditor will see, and what evidence is already being produced.

Status

SOC 2 Type II in progress. Type I report expected after the initial evidence window completes; Type II report follows after the observation period. Specific dates are tracked internally and published here when audit milestones land.

Evidence pipelines producing today:

  • Append-only audit log with per-row HMAC checksums (CC6.1, CC7.2)
  • Quarterly access reviews on production database access (CC6.2)
  • Change management via PR + required reviews on auth, crypto, and IaC paths — enforced by CODEOWNERS (CC8.1)
  • Vendor management with quarterly subprocessor review (CC9.1)
  • Compliance-drift CI job that blocks PRs touching compliance-relevant paths without a corresponding ledger update (CC8.1 evidence)

Audit trail

What the audit log captures

If an action touches a privileged matter, an event attributed to the authenticated user lands in the log.

Authentication

Login, logout, account lockout, MFA events, password resets, invitation lifecycle.

Matter access

Reads, share-policy changes, ethical-wall edits, user exclusions / un-exclusions.

AI & approvals

Every AI tool call, classification ratchet, approval, dismissal, draft creation, draft approval/rejection.

External pushes

PMS OAuth events, calendar entry creation, document pushes, notification deliveries (and failures).

The log is append-only at the database level, signed at the row level with an HMAC tied to a server-side key, and retained 7 years by default. Logs can be exported as part of a data subject request or in response to a bar complaint or court order.
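The per-row HMAC from the paragraph above, as an added Python illustration (not SophieScribe's log implementation). The page states only that rows carry an HMAC tied to a server-side key and that the table is append-only at the database level; the row layout, JSON canonicalisation, the sequence number inside the signed payload and the method names are assumptions made here.

```python
"""Per-row HMAC checksums for an append-only audit log.

Added example, not SophieScribe's code. Assumed: row layout, canonical JSON
encoding, the sequence number being part of the signed bytes, and method names.
From the page: one HMAC per row, keyed with a server-side secret, over an
append-only table.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional


class AuditLog:
    def __init__(self, key: bytes, rows: Optional[List[Dict]] = None):
        self._key = key                       # server-side secret; never written into a row
        self._rows: List[Dict] = list(rows or [])

    @staticmethod
    def _canonical(seq: int, event: Dict) -> bytes:
        # Deterministic encoding: the same event must always yield the same bytes.
        return json.dumps({"seq": seq, **event}, sort_keys=True,
                          separators=(",", ":")).encode("utf-8")

    def _mac(self, seq: int, event: Dict) -> str:
        return hmac.new(self._key, self._canonical(seq, event), hashlib.sha256).hexdigest()

    def append(self, event: Dict) -> Dict:
        """Append one event. The sequence number sits inside the signed payload, so a
        row cannot later be renumbered or moved without invalidating its HMAC."""
        seq = len(self._rows)
        row = {"seq": seq, **event, "hmac": self._mac(seq, event)}
        self._rows.append(row)
        return row

    def rows(self) -> List[Dict]:
        """Copy of the stored rows, as an export would hand them over."""
        return [dict(r) for r in self._rows]

    def verify(self) -> List[int]:
        """Positions whose row fails verification: an edited field, a forged or missing
        HMAC, or a sequence gap left by a deleted or reordered row. Empty list = intact."""
        bad = []
        for position, row in enumerate(self._rows):
            event = {k: v for k, v in row.items() if k not in ("seq", "hmac")}
            expected = self._mac(row.get("seq", -1), event)
            if (row.get("seq") != position
                    or not hmac.compare_digest(expected, str(row.get("hmac", "")))):
                bad.append(position)
        return bad
```

Per-row MACs catch edits, forgeries and gaps in the middle of the table, but not truncation of the newest rows, since a missing tail leaves every remaining row internally consistent; that is what the database-level append-only guarantee (or a hash chain across rows) has to cover.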

Holds

Litigation hold

When a matter enters litigation hold, the transcript-discard policy is suspended for that matter. Existing artifacts are preserved at the same encrypted-at-rest tier; new artifacts inherit the hold. Release of the hold is an attorney-authorized action that is itself audit-logged.

Procurement & compliance contact

For compliance officers running procurement: we provide a questionnaire response, DPA, current subprocessor list, SOC 2 status update, and architecture documentation under NDA. Request via our contact page.

Bring SophieScribe to your firm

Evaluate SophieScribe in a private, matter-scoped pilot.

Tell us a little about how your firm runs and we'll set up a walkthrough against your own meeting types. No recordings are required, and deployment options are reviewed up front.

Confidentiality preserved · designed for privileged work