For firm IT & compliance counsel
Security & privilege
Last updated June 2, 2026
Impact Witness is operated by Law Box LLC. It lets a personal injury firm's client document the day-to-day impact of an injury by text, so the firm can preserve that record for the case. Because that content is, by design, confidential firm-client communication, the platform is built to meet the "reasonable efforts" standard for client confidentiality under ABA Model Rule 1.6(c) and Texas Disciplinary Rule 1.05.
How privilege works here
Impact Witness is a communication and documentation tool your firm uses to gather and organize your client's account — analogous to a case-management system, an e-discovery platform, or a court-reporting service. It is not a third party that your client confides in independently. Every moment is captured at your firm's direction, during active representation, to help prepare the case — the posture in which attorney-client privilege and the work-product doctrine are designed to apply.
The AI in Impact Witness operates in a limited, behind-the-scenes role: it categorizes moments and drafts follow-up questions and a damages-narrative summary that your attorney reviews and sends. It does not advise your client and never messages your client on its own. Substantive case communications are authored by your firm.
ABA Formal Opinion 477R (2017) endorses cloud-based legal tools that meet recognized safeguards; thousands of firms rely on Filevine, Litify, Clio, Westlaw, and Lexis under the same framework, and courts have generally not treated intermediary tools like email or document platforms as defeating privilege. Impact Witness's stack is materially equivalent and content-minimized.
Important: Impact Witness is designed to support a claim of attorney-client privilege and work-product protection — it cannot guarantee that any particular communication will be held privileged. Whether a given communication is protected is a fact-specific legal determination for your firm. Two separate instruments support it: the public SMS consent every client gives for text messaging (see our SMS program page), and a separate standalone client agreement — provided to your firm and signed at onboarding — that carries the privilege and work-product acknowledgment. How you deploy the tool with your clients is what ultimately controls.
Architecture
- Encryption. AES-256 at rest across all tables, storage, and backups; TLS 1.3 in transit for every connection.
- Per-firm isolation. Each firm's data is isolated by Postgres row-level security, enforced at the database layer — not in application code — so a bug in the app cannot expose one firm's data to another. A user from Firm A cannot read or modify Firm B's data by any means.
- Infrastructure. Data is stored in a Supabase Postgres database on AWS in HIPAA-eligible regions. AWS carries SOC 2 Type II, ISO 27001, and HITRUST certifications; Supabase is SOC 2 Type II audited.
- Authentication. Handled by Supabase Auth — bcrypt-hashed credentials, JWT-based sessions, and a firm-wide password policy (12+ characters, mixed character classes). Passwords are never stored in plaintext.
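To make the per-firm isolation claim above concrete, here is the shape of a Postgres row-level-security policy of the kind described. This is an added illustration, not Impact Witness's schema or its actual policy export; the table name, columns, and the firm_id claim in the token's app_metadata are assumptions.

```sql
-- Hypothetical table; column names are illustrative only.
create table if not exists moments (
  id                uuid primary key default gen_random_uuid(),
  firm_id           uuid not null,
  client_first_name text not null,
  body              text not null,
  created_at        timestamptz not null default now()
);

-- Turn RLS on and FORCE it so the table owner is not exempt either.
-- With RLS enabled and no policy granted, the default is deny-all.
alter table moments enable row level security;
alter table moments force row level security;

-- Read the firm id from the verified JWT. auth.jwt() is Supabase's helper
-- for the current request's claims. Use app_metadata (set only server-side),
-- never user_metadata, which an end user can change themselves.
create or replace function current_firm_id() returns uuid
  language sql stable as $$
    select (auth.jwt() -> 'app_metadata' ->> 'firm_id')::uuid
  $$;

-- One policy covering select, insert, update and delete:
--   USING      filters which existing rows the caller can see or touch
--   WITH CHECK constrains which rows the caller may write
create policy firm_isolation on moments
  for all
  using      (firm_id = current_firm_id())
  with check (firm_id = current_firm_id());

-- Posture check an auditor can run: both flags should be true.
select relname, relrowsecurity, relforcerowsecurity
  from pg_class
 where relname = 'moments';
```

Two caveats for reviewers: a firm id that is absent from the token makes current_firm_id() return NULL, so the comparison is never true and no rows are returned, and Supabase's service_role key bypasses RLS entirely, so it must only ever be used server-side.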
Third-party processors (content-minimized)
- Twilio (SMS) — SOC 2 Type II, ISO 27001, HIPAA-eligible. SMS payloads are limited to a client first name, message body, and timestamps. No diagnoses, treatment plans, or work product travel by SMS.
- OpenAI (categorization & draft follow-ups) — every call sets store: false and organization-level API logging is disabled, so prompts and responses are not stored for retrieval, and client content is never used to train any model. Only the moment body plus intake context (no identifiers beyond a first name) is sent.
- Stripe (payments) — PCI DSS Level 1. Impact Witness never sees or stores card numbers; only the last four digits and the payment-intent ID, for invoices.
- Resend (transactional email) — SOC 2 Type II. Email is limited to administrative messages; substantive case content is never emailed.
What Impact Witness does not do
- Does not sell or share client moment content with third parties.
- Does not use client content to train AI models (store: false; vendor data-sharing disabled).
- Does not send OpenAI any client identifier beyond a first name, and does not enable data-sharing or model training.
- Does not transmit diagnoses, government identifiers, or financial account numbers by SMS.
- Does not store passwords in plaintext.
Available to counsel on request
- Sample standalone client agreement — separate from the public SMS consent — combining the SMS authorization with a privilege and work-product acknowledgment, for onboarding
- Supabase SOC 2 Type II report (under NDA)
- Twilio compliance attestation
- Row-level-security policy export for any table
- Privacy and data-processing addendum
Email admin@impactwitness.com to request any of the above. See also our Privacy Policy, Terms, and SMS program.
Prepared for firm-counsel evaluation. Not legal advice. Impact Witness is operated by Law Box LLC, a Texas limited liability company.