How we protect your data, your clients, and your practice.
The BenchSlap Pledge:
We do not read your documents. We do not train models on your data. We do not share, sell, or transfer your case files to anyone, ever. Your documents are encrypted, isolated, and yours alone.
1. Encryption
Every document you upload is encrypted before it touches our storage. Every connection to our servers is secured.
Data in transitTLS 1.3 (HTTPS enforced on all endpoints)Data at restAES-256 encryption on all stored documentsPer-case isolationEach Case File has its own encryption key (DEK)Key managementKeys encrypted with a master key, rotatable without re-encrypting dataPassword hashingPBKDF2 with 600,000 iterations (OWASP 2025 standard)Session tokensSHA-256 hashed, /16 subnet-bound, auto-expiring
2. Zero-Training Guarantee
Your documents, case files, and legal work are never used to train, fine-tune, or improve any model — ours or anyone else's. When our tools analyze your documents, the content is processed in real-time and not retained beyond the session.
Document text is extracted, analyzed, and results returned — the original file is deleted from processing storage immediately after extraction.
Citation verification queries use only the extracted citation text (e.g., "Smith v. Jones, 123 P.3d 456"), never your full document.
No document content is logged, cached, or stored outside your encrypted Case File.
3. Case File Isolation
Each case you create is a Case File — a cryptographically isolated container. Documents in one vault cannot be accessed from another, even by the same user, unless explicitly linked.
Separate encryption key per vault
Access control enforced at the database level (row-level security)
Linked vaults require explicit user action and can be unlinked at any time
4. Data Deletion
You control your data completely:
Delete a document: Permanently removes the encrypted file and extracted text from our systems.
Delete a Case File: Destroys all documents, analysis results, and the vault's encryption key.
Delete your account: Removes all vaults, documents, session data, and personal information within 30 days.
Request full export: Contact us to receive a complete export of your data before deletion.
5. Infrastructure
HostingDigitalOcean (US data centers, SOC 2 Type II certified)DatabaseManaged PostgreSQL with automated backups and encryption at restApplicationNode.js (LTS), behind nginx with rate limiting and DDoS mitigationMonitoringAutomated health checks, error logging, and anomaly detectionAccess controlSSH key-only authentication, fail2ban intrusion prevention
6. What We Do Not Do
We do not sell your data to anyone.
We do not use your data for advertising.
We do not share your data with third parties except as required to provide the service (e.g., payment processing via Stripe).
We do not access your documents without your explicit permission or a valid legal obligation.
We do not store payment card numbers — all payment processing is handled by Stripe (PCI-DSS Level 1 certified).
7. Compliance
CCPA: California residents may request access, deletion, and opt-out. See our Privacy Policy.
UPL: BenchSlap is a legal technology tool, not a law firm. We do not provide legal advice. See our Disclaimer.
Ethics: Designed for use by licensed attorneys and pro se litigants. Our tools support your judgment — they do not replace it.
8. Contact
Security concerns, data requests, or questions about our practices: