Security & Trust

Security measures we implement to protect legal data.

Version: 1.0

This document is an overview. Specific controls may vary by deployment and plan. Enterprise customers may request a security addendum and DPA.

1. Platform security principles

  • Least privilege access control
  • Tenant isolation to separate firm data
  • Defense-in-depth across application, network, and data layers
  • Auditability for key actions and administrative changes

2. Authentication & authorization

  • JWT-based authentication and role-based authorization
  • Entitlements enforcement (server-side) for subscription and access modes
  • Administrative controls for firm admins (tenant admins)

3. Data protection

  • Encryption in transit: TLS 1.2+ for all client-server communications
  • Encryption at rest: All data stored in Firebase/Firestore is encrypted using AES-256 encryption with Google-managed encryption keys
  • Database security: Firestore Security Rules enforce tenant isolation and role-based access at the database level
  • Access controls: Least-privilege access for all users and service accounts
  • Key management: Secure handling of service-to-service credentials using Google Cloud Secret Manager
  • Retention controls for certain AI session data (configurable per tenant)
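The tenant-isolation and role-based controls named above can be expressed directly in Firestore Security Rules. The following is an added illustration, not CounselGrid's actual ruleset; the `tenantId` and `role` custom claims carried in the signed-in user's token and the `tenants/{tenantId}/matters` collection path are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Caller must present a valid Firebase Auth token (backed by the JWT).
    function signedIn() {
      return request.auth != null;
    }

    // Assumed custom claim: the tenant (firm) the caller belongs to.
    function callerTenant() {
      return request.auth.token.tenantId;
    }

    // Tenant isolation: the caller may only touch documents under its own tenant.
    function sameTenant(tenantId) {
      return signedIn() && callerTenant() == tenantId;
    }

    // Role-based access: assumed custom claim 'role' set server-side.
    function hasRole(tenantId, role) {
      return sameTenant(tenantId) && request.auth.token.role == role;
    }

    // Prevent a write from re-homing a document to another tenant.
    function keepsTenant(tenantId) {
      return request.resource.data.tenantId == tenantId;
    }

    match /tenants/{tenantId}/matters/{matterId} {
      // Any member of the tenant may read its matters.
      allow read: if sameTenant(tenantId);

      // Members may create and edit, but the stored tenantId must match the path.
      allow create, update: if sameTenant(tenantId) && keepsTenant(tenantId);

      // Only tenant admins may delete.
      allow delete: if hasRole(tenantId, 'admin');
    }

    // Default deny: anything not matched above is rejected.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Because the rules read claims from the token rather than from request data, a client cannot grant itself access to another tenant by editing the payload; the claims must be issued server-side when the JWT is minted.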

4. Logging & monitoring

  • Request correlation IDs for tracing
  • Central logging for security-relevant events (best-effort)
  • Rate limiting and abuse prevention controls

5. Vulnerability management

  • Regular dependency updates
  • Secure development practices
  • Responsible disclosure: please report issues to security@counselgrid.com

6. Incident response

We maintain processes to triage, contain, remediate, and learn from security incidents. Where legally required, we will notify impacted customers and regulators.

7. Contact

Security inquiries: security@counselgrid.com

Related documents: Terms · Privacy · Acceptable Use · Compliance · DPA