Security & Data Handling Reference
Plain-language reference for procurement, CISO, and counsel review. Share this URL with your security team, or use your browser's Print function to produce a clean PDF.
1 · Overview
Esqio Technologies, Inc. ("Esqio") operates a consent-based AI timekeeping and billing automation platform delivered as software-as-a-service. The platform reads metadata from explicitly connected productivity tools, drafts time entries, and returns those drafts to the user for review and approval. This brief summarizes the security, privacy, and compliance posture of the platform for purposes of CISO, procurement, and counsel review.
Nothing in this document constitutes a contractual representation. Contractual terms governing security, confidentiality, indemnification, and incident response are contained in the executed Master Services Agreement and Data Processing Addendum.
2 · Certification Status — Plain English
We want to be explicit. Esqio is an early-stage company working with a small group of founding design-partner firms. We are not yet SOC 2 certified, ISO 27001 certified, or HITRUST certified. Our security program is designed to the control standards those frameworks codify, and formal certification is on our roadmap as we grow with our founding customers. If your procurement process requires an active SOC 2 report today, we will tell you that up front rather than waste your time.
| Framework | Current status | Notes |
|---|---|---|
| SOC 2 Type II | Not certified; on roadmap | Controls designed to SOC 2 Trust Services Criteria; Type II audit targeted once we reach a stable customer cohort |
| ISO/IEC 27001 | Not certified; on roadmap | ISMS documentation in place; certification to be pursued after SOC 2 |
| GDPR (EU 2016/679) | Compliance obligation — adhered | DPA available on request; Standard Contractual Clauses for cross-border transfers |
| CCPA / CPRA | Compliance obligation — adhered | Privacy rights workflow in place for California residents |
| HIPAA | Capability: BAA available on request | HIPAA is not applicable to most of our customers; BAA provisioning supported for those who need it |
| ABA Model Rules of Professional Conduct | Designed for compliance | Controls and data-handling practices aligned with Rules 1.1, 1.6, 5.3 |
Why we're up front about this. A false certification claim would be a credibility-ending mistake in legal tech. We'd rather earn your trust with an honest security posture today and a credible roadmap than start a procurement conversation with a lie.
3 · Data Collection — What Is and Isn't Captured
Esqio captures only what is necessary to draft a compliant time entry. All data ingestion requires explicit OAuth authorization by an administrator and is scoped to the minimum read-only permissions required by each integration.
Captured by default
- Calendar event metadata: subject, start/end, invitees, recurrence
- Email metadata: sender, recipients, subject, timestamp, folder
- Document metadata: filename, matter association, author, last-modified, application (Word, Excel, PowerPoint, PDF)
- Communication metadata: participant list, call duration, platform (Teams, Zoom)
- Application activity metadata: foreground app, active matter tag, session duration
Not captured
- Email or document body content — unless per-matter "deep read" is explicitly enabled by an administrator
- Audio or video recordings of any call
- Keystrokes, screenshots, or screen recordings
- Personal calendars, personal email accounts, or personal browsing
- Any activity occurring on applications that the administrator has not connected
4 · Encryption & Key Management
| Control | Standard |
|---|---|
| Encryption at rest | AES-256 (AWS KMS) |
| Encryption in transit | TLS 1.3 minimum; legacy ciphers disabled |
| Key rotation | Automated every 90 days; envelope encryption |
| HSM for root keys | FIPS 140-2 Level 3 (AWS CloudHSM) |
| Secrets management | AWS Secrets Manager with per-environment isolation |
| Customer-managed keys (CMK) | Available on Enterprise plans |
5 · Access Control
- SSO via SAML 2.0 and OpenID Connect (Okta, Azure AD, Google Workspace, OneLogin, JumpCloud)
- MFA enforcement available and required on Firm and Enterprise plans
- Role-based permissions at user, practice group, and matter level
- Attribute-based policies for partner/associate/staff differentiation
- Just-in-time access for Esqio staff; privileged actions require two-party approval
- Audit log captures every read, edit, export, and administrative action; 90-day default retention, 365-day on Enterprise
- Session policies configurable: timeout, device trust, IP allowlisting
6 · Tenant Isolation & Data Residency
Each customer's data resides in a logically isolated tenant with namespace-scoped encryption keys, enforced at the application, database, and object-storage tiers. No multi-tenant data mixing occurs for inference or training workloads. Enterprise plans may elect a physically dedicated tenant in a specified AWS region.
Default data residency: us-east-1 / us-west-2 (United States). Alternative regions on Enterprise: eu-west-2 (London), eu-central-1 (Frankfurt), ca-central-1 (Canada), ap-southeast-2 (Sydney).
7 · AI & Model Governance
- No training on customer data for shared models. Ever. This is a contractual guarantee.
- Firm-scoped adaptive learning occurs entirely within the customer's tenant. Weights are not pooled, replicated, or exfiltrated across tenants.
- Third-party foundation model inference (for narrative generation) uses zero-retention endpoints with enterprise agreements that preclude provider-side logging and training.
- Every AI-generated output is reviewable, editable, and rejectable by the end user before becoming a billable record.
- Model provenance, inputs, and outputs for each entry are auditable via the customer admin console.
8 · Attorney–Client Privilege Preservation
The platform is engineered to preserve attorney–client privilege, work-product doctrine, and common-interest privilege.
- Esqio acts as the customer's agent under ABA Model Rule 5.3; internal staff are contractually bound to the same confidentiality duties as law firm employees.
- Esqio personnel do not access customer data except as strictly required for support, and only with customer authorization logged in the audit trail.
- Privileged communications are not ingested by default; content-level access requires per-matter administrator opt-in.
- Government subpoena or compulsory-process procedures require Esqio to notify the customer prior to production unless prohibited by law.
9 · Incident Response
Esqio maintains a written incident response plan aligned to NIST SP 800-61. Customer notification obligations:
- Confirmed breach of customer data: written notice within 24 hours of confirmation, regardless of contractual obligation
- Suspected incident under investigation: status update within 72 hours
- Post-incident report: delivered within 30 days, including root cause, remediation, and forensic timeline
- 24×7 on-call engineering with a 15-minute response target for severity-1 security events
Reporting channel: security@esqio.ai — PGP key available at esqio.ai/.well-known/security.asc
10 · Availability & Disaster Recovery
| Metric | Target (Firm / Enterprise) |
|---|---|
| Uptime SLA | 99.9% / 99.95% |
| Recovery Time Objective (RTO) | 4 hours / 1 hour |
| Recovery Point Objective (RPO) | 1 hour / 15 minutes |
| Backup frequency | Continuous incremental + daily full |
| Backup retention | 30 days rolling / customer-configurable to 7 years |
| Multi-region failover | Available on Enterprise |
11 · Subprocessors
Current production subprocessors:
| Provider | Service | Region |
|---|---|---|
| Amazon Web Services | Compute, storage, database, KMS | US (default) or customer-selected |
| Anthropic, Inc. | Zero-retention LLM inference | US |
| Cloudflare | CDN, DDoS mitigation, WAF | Global edge |
| Datadog | Application monitoring (no customer data) | US |
| Stripe | Billing and payment processing | US |
Customers receive 30-day advance notice of subprocessor additions or changes, with a right to object on Enterprise plans.
12 · Data Portability, Retention, and Deletion
- Customer data is exportable in CSV and LEDES 2000 format at any time, self-serve, without charge.
- On contract termination, customer data is deleted within 30 days by default, with 7-year regulatory-hold retention available on Enterprise for firms subject to LEDES or client OCG requirements.
- Cryptographic deletion is verified by destruction of per-tenant KMS keys.
13 · Contact
Security vulnerabilities: security@esqio.ai
Procurement / contracts: contracts@esqio.ai
Privacy inquiries: privacy@esqio.ai
General sales: contact@esqio.ai
Esqio Technologies, Inc. · Delaware C-Corp · EIN redacted · Registered Agent on file