Security

All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). Documents uploaded for processing are encrypted at rest using AES-256 encryption. API keys and sensitive credentials stored in our system are encrypted with application-level encryption before being written to the database.

Deadline Pilot is hosted on Render, a SOC 2 Type II certified infrastructure provider. Our servers run in secure, managed environments with automatic security patches and updates. Database backups are performed daily and stored in geographically separated locations.

User authentication is handled by Clerk, an enterprise-grade identity platform. Clerk provides secure session management, multi-factor authentication support, and protection against common attacks like credential stuffing and brute force attempts. Passwords are hashed using bcrypt with industry-standard salt rounds.

Court documents uploaded to Deadline Pilot are processed securely. Document text is extracted server-side and sent to Anthropic's Claude for deadline analysis. Anthropic does not use customer data for model training. Processed documents are stored securely and can be deleted at any time by the user. We do not share your documents with any third parties beyond what is necessary for the extraction service.

Extraction data is retained based on your subscription plan. Free-tier users have 7-day retention, Premium users have 30-day retention, and Professional users have 365-day retention. You can manually delete your extraction history at any time from the History page. When data is deleted, it is permanently removed from our systems.

Deadline Pilot uses a small set of vetted sub-processors to deliver the service. The complete list, the purpose of each, and the type of data each receives is published on our sub-processors page. We will notify customers of any new sub-processor before it begins processing customer data.

Only NeuralSoft engineers with a documented operational need have access to production systems. Access is gated through Render's role-based controls and audited via Clerk and Render's activity logs. Database credentials, encryption keys, and AI provider keys are stored in Render's encrypted secret store — never in source control. Quarterly we review who has access and revoke any that is no longer required.

Every authenticated action that creates, modifies, or deletes customer data is recorded in an immutable audit log (database-level INSERT-only enforcement). Audit entries include the actor, action, timestamp, and IP address. Logs older than 90 days are archived to encrypted long-term storage and retained for a minimum of 7 years to support compliance review and incident forensics.

In the event of a security incident affecting customer data, we commit to:

• Notify affected customers within 72 hours of confirmed compromise.
• Provide a written description of what happened, what data was affected, and remediation steps.
• Publish a public post-mortem after material incidents (with sensitive details redacted).
• Cooperate fully with customer security reviews and any required regulatory notifications.

Our internal target time-to-detection is under 15 minutes for authentication or data-exfiltration anomalies, backed by real-time alerting on key metrics.

The production database is backed up automatically by Render with point-in-time recovery within the past 7 days. We perform a periodic restore drill against a non-production environment to verify the restore procedure works end-to-end. Document storage is replicated across multiple Cloudflare R2 regions; a regional outage does not cause data loss.

Deadline Pilot is not currently SOC 2 certified. We have committed to pursuing SOC 2 Type II readiness once we reach 50 paying customers, which is the threshold at which the formal audit cost becomes cost-effective for the customer base. In the interim, we implement and document the same operational controls SOC 2 requires (access reviews, immutable audit logging, incident response, encryption at rest and in transit) so the readiness gap is small when we begin the formal audit.

Reporting a vulnerability

If you discover a security vulnerability, please email security@deadlinepilot.com with reproduction steps. We aim to acknowledge within one business day and provide a remediation timeline within five business days. We do not currently run a paid bug-bounty programme, but credit researchers in our public security advisories where they prefer attribution.