Security at Reeve

Written for the people whose job is to say no.

Law firms run on privileged material, so this page skips the badges-and-adjectives approach and states exactly what we access, what we store, what we never store, and how you’d verify it. The engineering documents behind every claim here — a section-by-section security review, a one-page data-flow map, and a scope-by-scope permissions justification — are available to any firm on request, before any contract.

The architecture in one paragraph

One application, one encrypted database per deployment, TLS on every connection. Read-only connections to your email, calendar, and document metadata; a write path only to your practice-management system, and only for entries a lawyer approved. One AI classification API (Anthropic, commercial terms: no training on your data). Every row is scoped to your firm; every endpoint checks who’s asking before it answers.

What we never do

The hard questions

You send our email to an AI company?

Message text is sent to Anthropic’s commercial API for one purpose: classifying whether an activity is billable and drafting a time-entry line. Three things make this defensible to a privilege-conscious firm:

How does the classification actually work?

Semantically, with full context — not keywords. The classifier reads the message (participants, subject, body, thread position) alongside your firm’s matter list and contacts, and returns a forced-schema JSON verdict: the API is instructed that its only legal move is to call a structured “classify” function with named fields (classification, matter choice from a closed list, activity type, suggested duration, confidence, description). It cannot reply in prose, and a malformed response fails closed as an error that gets retried — never a silently-guessed entry.

What about prompt injection — a malicious email that manipulates the AI?

The honest answer is that prompt injection is real everywhere LLMs read untrusted text, so we designed for the blast radius rather than pretending to eliminate the vector:

Is our data encrypted? Why not end-to-end?

In transit: TLS on every hop (browser↔app, app↔providers, app↔database). At rest: the database and its backups are encrypted by the platform, OAuth tokens are additionally encrypted at the application layer with AES-256-GCM (plaintext tokens never stored or logged — verified on live rows), and passwords are bcrypt-hashed.

True end-to-end encryption — where only your devices hold the keys and we can never read content — is structurally impossible for this category of product, and it’s worth being direct about why: a service cannot classify text it cannot read. This is not unique to us — Gmail itself reads your mail server-side to filter spam, thread conversations, and search; your practice-management system reads everything you put in it. The honest version of “we can’t read your data” for a classification service is what we built instead: read transiently, store nothing of the content, prove it with a scanner, and let you revoke access instantly (disconnect in-app destroys the stored token immediately).

Has anyone independent verified this?

Google-scoped applications in this category are subject to CASA (Cloud Application Security Assessment) Tier 2, an independent security assessment required for Google’s restricted-scope verification and repeated annually. Our CASA Tier 2 assessment is part of the current verification process; the pre-assessment hardening (single-use OAuth state, purpose-bound tokens, rate limiting, security headers, fail-closed production boot) is already shipped and documented in our security review. We’ll share assessment status with any firm on request.

How do you measure accuracy — and what happens when the AI is wrong?

Every review action is recorded, so accuracy is measured, not asserted: the Reports page shows the approved-without-edit rate over your own entries, alongside edit counts, false-positive rate, and unmatched rate. When a draft is wrong, the correction paths are immediate and all human: edit the entry, reassign the matter, split it, merge it, or reject it — each recorded, each feeding the metrics the managing partner sees. Low-confidence and duplicate entries arrive visually flagged and are excluded from bulk approval.

What do you retain, and how do we leave?

Retention while active: draft and billed entries (your work product), firm records synced from your practice-management system, encrypted OAuth tokens, and operational logs (audit trail, push log, token counts). Never message bodies.

Leaving is a first-class, tooled path: attorneys and managing partners can download a CSV of entries from the dashboard any time; on offboarding we run a complete export (entries with rates, amounts, and practice-system references, audit trail, push history, firm records) and hand it to you. Firm deletion then runs under a double-confirmation and cascades at the database level — attorneys, entries, matters, clients, tokens, notifications, logs — the whole tenant. Backups age out on the platform’s rolling window (days, not months). You can also revoke our access yourself at any moment: disconnect in-app, or revoke from your Google or Microsoft account pages — either kills our access immediately.

What happens if you shut down?

You are never locked in, and your data never strands: your billing records live in your practice-management system the moment entries are pushed, and the export above hands you everything else in open formats (CSV/JSON). Our terms commit to a wind-down notice period of at least 60 days with export tooling available throughout, followed by deletion of all firm data. The worst-case outcome of our disappearance is that you stop gaining recovered time — nothing you billed is lost, because it was always written into your own systems.

Want the full paper trail — security review, data-flow map, scope justifications, DPA? Email [SUPPORT_EMAIL] and we’ll send all of it before you sign anything.