Security at Reeve
Written for the people whose job is to say no.
Law firms run on privileged material, so this page skips the badges-and-adjectives approach and states exactly what we access, what we store, what we never store, and how you’d verify it. The engineering documents behind every claim here — a section-by-section security review, a one-page data-flow map, and a scope-by-scope permissions justification — are available to any firm on request, before any contract.
The architecture in one paragraph
One application, one encrypted database per deployment, TLS on every connection. Read-only connections to your email, calendar, and document metadata; a write path only to your practice-management system, and only for entries a lawyer approved. One AI classification API (Anthropic, commercial terms: no training on your data). Every row is scoped to your firm; every endpoint checks who’s asking before it answers.
What we never do
- Store message bodies, subjects, or document contents — anywhere, ever.
- Read document contents at all: we see file names, folders, and edit times only. On Google Drive that restriction is enforced by the permission itself — we request the metadata-only scope, so Google will refuse any content request our code could ever make. On OneDrive, where Microsoft offers no metadata-only permission, the restriction is enforced in our code: every request selects metadata fields only, no code path requests file content, and the storage schema has no column that could hold document contents. Both are verifiable in our security review.
- Request write, send, or delete permission from Google or Microsoft.
- Bill, push, or send anything without a human approving that entry.
- Train AI models on your data — ours or anyone else’s.
- Show ads, sell data, or let another product touch your records.
The hard questions
You send our email to an AI company?
Message text is sent to Anthropic’s commercial API for one purpose: classifying whether an activity is billable and drafting a time-entry line. Three things make this defensible to a privilege-conscious firm:
- No training. Under Anthropic’s Commercial Terms of Service, API inputs and outputs are not used to train models. This is a contractual term of the paid API, not a settings toggle.
- Limited retention. Anthropic retains commercial API inputs and outputs only briefly (measured in days, for abuse monitoring) and offers zero-data-retention arrangements for qualifying customers — an upgrade path we can pursue for firms that require it.
- We store none of it. The message content exists in our system’s memory for the seconds classification takes, then is discarded. What we persist is the output: a generated billing description, a duration, a classification, and a pointer to where the original lives — in your mailbox, where it always was. An automated scanner sweeps every database column for verbatim message text to prove this stays true.
How does the classification actually work?
Semantically, with full context — not keywords. The classifier reads the message (participants, subject, body, thread position) alongside your firm’s matter list and contacts, and returns a forced-schema JSON verdict: the API is instructed that its only legal move is to call a structured “classify” function with named fields (classification, matter choice from a closed list, activity type, suggested duration, confidence, description). It cannot reply in prose, and a malformed response fails closed as an error that gets retried — never a silently-guessed entry.
What about prompt injection — a malicious email that manipulates the AI?
The honest answer is that prompt injection is real everywhere LLMs read untrusted text, so we designed for the blast radius rather than pretending to eliminate the vector:
- The classifier has no tools, no egress, and no agency. It cannot send email, fetch URLs, call APIs, write to the database, or take any action. It returns one JSON object into a schema validator, and that is the whole of its power.
- Matter choices are validated against your firm’s list — a hostile email can’t invent a matter or redirect work product somewhere else.
- Worst case is a mislabeled draft in a human review queue. If a crafted email fools the classifier, the result is one wrong suggestion sitting in front of an attorney, marked with its source. Nothing is billed, pushed, or sent anywhere without a human approving that specific entry.
- That is why the approval gate and the audit trail are design requirements, not features: the system is built so that its one AI-driven judgment is always reviewable and never self-executing.
Is our data encrypted? Why not end-to-end?
In transit: TLS on every hop (browser↔app, app↔providers, app↔database). At rest: the database and its backups are encrypted by the platform, OAuth tokens are additionally encrypted at the application layer with AES-256-GCM (plaintext tokens never stored or logged — verified on live rows), and passwords are bcrypt-hashed.
True end-to-end encryption — where only your devices hold the keys and we can never read content — is structurally impossible for this category of product, and it’s worth being direct about why: a service cannot classify text it cannot read. This is not unique to us — Gmail itself reads your mail server-side to filter spam, thread conversations, and search; your practice-management system reads everything you put in it. The honest version of “we can’t read your data” for a classification service is what we built instead: read transiently, store nothing of the content, prove it with a scanner, and let you revoke access instantly (disconnect in-app destroys the stored token immediately).
Has anyone independent verified this?
Google-scoped applications in this category are subject to CASA (Cloud Application Security Assessment) Tier 2, an independent security assessment required for Google’s restricted-scope verification and repeated annually. Our CASA Tier 2 assessment is part of the current verification process; the pre-assessment hardening (single-use OAuth state, purpose-bound tokens, rate limiting, security headers, fail-closed production boot) is already shipped and documented in our security review. We’ll share assessment status with any firm on request.
How do you measure accuracy — and what happens when the AI is wrong?
Every review action is recorded, so accuracy is measured, not asserted: the Reports page shows the approved-without-edit rate over your own entries, alongside edit counts, false-positive rate, and unmatched rate. When a draft is wrong, the correction paths are immediate and all human: edit the entry, reassign the matter, split it, merge it, or reject it — each recorded, each feeding the metrics the managing partner sees. Low-confidence and duplicate entries arrive visually flagged and are excluded from bulk approval.
What do you retain, and how do we leave?
Retention while active: draft and billed entries (your work product), firm records synced from your practice-management system, encrypted OAuth tokens, and operational logs (audit trail, push log, token counts). Never message bodies.
Leaving is a first-class, tooled path: attorneys and managing partners can download a CSV of entries from the dashboard any time; on offboarding we run a complete export (entries with rates, amounts, and practice-system references, audit trail, push history, firm records) and hand it to you. Firm deletion then runs under a double-confirmation and cascades at the database level — attorneys, entries, matters, clients, tokens, notifications, logs — the whole tenant. Backups age out on the platform’s rolling window (days, not months). You can also revoke our access yourself at any moment: disconnect in-app, or revoke from your Google or Microsoft account pages — either kills our access immediately.
What happens if you shut down?
You are never locked in, and your data never strands: your billing records live in your practice-management system the moment entries are pushed, and the export above hands you everything else in open formats (CSV/JSON). Our terms commit to a wind-down notice period of at least 60 days with export tooling available throughout, followed by deletion of all firm data. The worst-case outcome of our disappearance is that you stop gaining recovered time — nothing you billed is lost, because it was always written into your own systems.