Security wasn't an afterthought. It was step one.
HIPAA-compliant encryption, immutable audit trails, automated PII redaction, and an AI governance layer that verifies every citation before it reaches the attorney.
Encryption at Rest & In Transit
AES-256 encryption at rest, TLS 1.3 in transit. Column-level Fernet encryption for PHI/PII fields. Key rotation without plaintext exposure. Every firm's data is fully isolated with row-level security.
Role-Based Access Control
Three roles — admin, lawyer, paralegal — enforced on every endpoint. Multi-tenancy with firm-level isolation. Microsoft OAuth 2.0 for enterprise SSO. Tokens accepted only via Authorization header, never in URLs.
18-Identifier PII Redaction
HIPAA Safe Harbor compliance: SSN, medical record numbers, credit cards, emails, phone numbers, DOB, patient names, and 11 more identifier types automatically scrubbed from all AI outputs and logs.
AI Governance Layer
Every AI output passes through citation verification (US legal citation format validation), hallucination detection (fabricated case names flagged), and privilege protection before reaching the attorney.
Privilege Protection
7 privilege categories detected automatically: attorney-client, work product, joint defense, common interest, FRE 408 settlement, deliberative process, and none. Flagged content requires manual review.
Immutable Audit Trail
Append-only audit logging for all 48 agent actions, document access, and configuration changes. Correlation IDs for end-to-end request tracing. NIST SP 800-61r2 incident response plan documented.
48 AI agents governed
7 privilege categories detected
18 HIPAA identifiers redacted
8 security middleware layers
Need documentation for your compliance team?
We provide full security whitepapers, architecture diagrams, BAA documentation, and penetration testing reports on request.