Security

Our commitment to security

Legal professionals are entrusted with some of the most sensitive information that exists — client strategy, privileged communications, confidential case facts. Any tool that enters that workflow carries a corresponding responsibility. CiteClerk is built around a simple principle: we should hold as little of your data as possible, for as short a time as possible, in as few places as possible.

CiteClerk is built for legal professionals who handle confidential client matters. Our security architecture reflects that reality.

1. Document handling

Documents you upload to Check Cite are processed entirely in memory. They are never written to disk, stored in our database, logged, or retained after processing completes. CiteClerk cannot produce or disclose documents it does not store, including in response to a subpoena.

2. Authentication

All authentication is handled by Clerk, a SOC 2 Type II certified identity provider. CiteClerk does not store passwords. Sessions use short-lived, signed JWTs that expire automatically.

3. Payment processing

All payment processing is handled by Stripe. CiteClerk never receives, transmits, or stores credit card numbers or bank account details. We receive only a payment confirmation and subscription status.

4. Data minimization

CiteClerk collects only what is necessary to provide the service: your email address, citation query history (for the History feature), and monthly usage counts. Citation queries — the formatted citation results, not your documents or any client information — are cached in Redis for 7 days to improve response times, then automatically deleted.

5. Infrastructure

CiteClerk runs on Vercel (hosting), Neon (database), and Upstash Redis (caching). All three are SOC 2 compliant, meaning they have independently verified controls over security, availability, and confidentiality. All data is transmitted over HTTPS. No data is transmitted to AI model providers in a form that identifies you or your clients.

6. AI and training

Citation queries are never used to train AI models. LLM providers (OpenAI, Anthropic, Google) receive only the minimum input needed to process a request and do not retain it for training under their API terms.

7. Responsible disclosure

If you discover a security vulnerability in CiteClerk, please report it to security@citeclerk.com. We will acknowledge your report within 48 hours and work to address confirmed vulnerabilities promptly. We ask that you give us reasonable time to respond before any public disclosure.

8. Independent security review

CiteClerk has not yet undergone an independent penetration test. We intend to commission an independent security review post-launch and will update this page when that review is complete.

Questions about security may be directed to: security@citeclerk.com

CiteClerk LLC | https://citeclerk.com | Effective June 1, 2026