Security Protocol

Last Updated: April 30, 2026

How Settled approaches data protection, infrastructure security, AI boundaries, and operational integrity. This document describes our current controls, guiding principles, and compliance direction.

Security Approach

  • Defense in Depth

    We layer multiple security controls across infrastructure, application code, and organizational processes. No single control is treated as sufficient on its own.

  • Privacy by Design

    Data protection is incorporated from the earliest stages of product development, not retrofitted after the fact.

  • Least Privilege Access

    Internal access to systems and data is scoped to the minimum needed for each role. Permissions are reviewed and adjusted as responsibilities change.

Data Protection Controls

  • Encryption in Transit

    Data exchanged between users and our services is transmitted over TLS-encrypted connections.

  • Encryption at Rest

    Sensitive data stored in our systems is encrypted at the storage layer using industry-standard algorithms (AES-256 where supported by our cloud provider).

  • Role-Based Access Control

    The platform enforces role-based permissions. Internal access to production data is restricted to personnel whose responsibilities explicitly require it.

  • Authentication Controls

    User accounts are protected by standard authentication. Internal administrative access requires additional verification measures.

AI and Evidence Boundary

The platform's strongest user-facing trust commitment is that the AI assistant does not see your uploaded evidence files.

  • Approved Invariant

    Raw uploaded evidence is not sent to external AI providers by default. The contents of uploaded documents, images, and PDFs are not transmitted to third-party AI services for review or analysis in v1.

  • What AI Receives

    The intake assistant receives sanitized user-typed text, workflow signals, and limited attachment metadata — counts, filenames, content types, file sizes, and a deterministic kind classification (such as invoice-like or receipt-like). It does not receive file contents.

  • PII Sanitization Before AI Calls

    User-typed text is processed through a sanitizer that masks recognizable personal patterns (such as names, emails, phone numbers, identifiers, and card numbers) before any external AI request.

  • Allowlist-Based Prompt Construction

    Inputs to the AI are constructed from a closed schema, not by stripping fields off arbitrary user payloads. Adding a new field to that schema requires explicit code review.

  • Future Direction

    Local document text extraction may be added in a future release. Where this happens, processing is intended to remain inside our platform infrastructure, and only minimized, redacted, structured facts may be passed to external AI services.
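As an added illustration of the allowlist-based prompt construction and pre-AI sanitization described above (example code written for this page, not Settled's own implementation): the payload is assembled from a closed schema, attachments contribute only metadata plus a filename-derived kind label, and the raw bytes never enter the payload. The regexes, mask tokens and the `Upload` type are assumptions; name masking, which would need a name-recognition step, is left out.

```python
import re
from dataclasses import dataclass

# Constructed example, not Settled's code: an allowlist-based payload builder.
# Only keys named in AI_SCHEMA reach the external model; file bytes never do.
@dataclass
class Upload:
    filename: str
    content_type: str
    data: bytes  # raw evidence; must never leave this process

# Closed schema: adding a key here is the code-review gate the page describes.
AI_SCHEMA = ("sanitized_text", "workflow_stage", "attachment_count", "attachments")
ATTACHMENT_SCHEMA = ("filename", "content_type", "size_bytes", "kind")

# Assumed patterns. Order matters: card numbers are masked before the looser
# phone pattern, which would otherwise swallow part of a card number.
PII_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "[CARD]"),
    (re.compile(r"\+?\d[\d\s().-]{7,}\d"), "[PHONE]"),
    (re.compile(r"\b[A-Z]{2,}\d{4,}\b"), "[ID]"),
]

def sanitize(text: str) -> str:
    """Mask recognizable personal patterns in user-typed text."""
    for pattern, mask in PII_PATTERNS:
        text = pattern.sub(mask, text)
    return text

def classify_kind(upload: Upload) -> str:
    # Deterministic label derived from the filename only, never from content.
    name = upload.filename.lower()
    if "invoice" in name:
        return "invoice-like"
    if "receipt" in name:
        return "receipt-like"
    return "other"

def build_ai_payload(user_text: str, stage: str, uploads: list[Upload]) -> dict:
    attachments = [{
        "filename": u.filename, "content_type": u.content_type,
        "size_bytes": len(u.data), "kind": classify_kind(u),
    } for u in uploads]
    payload = {"sanitized_text": sanitize(user_text), "workflow_stage": stage,
               "attachment_count": len(uploads), "attachments": attachments}
    # Invariant checks: exactly the schema keys, nothing copied from payloads.
    assert tuple(payload) == AI_SCHEMA
    assert all(tuple(a) == ATTACHMENT_SCHEMA for a in attachments)
    return payload
```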

Infrastructure Security

  • Controlled Cloud Infrastructure

    Our platform runs on enterprise-grade cloud infrastructure (AWS) with redundancy across availability zones. Network configuration, access roles, and storage encryption are managed under our cloud account.

  • Site / Platform Separation

    The public marketing site and the authenticated platform are deployed as separate surfaces with distinct hosts. The platform's session cookie is host-only and cannot be read from the marketing host.

  • Security Monitoring

    We use automated tooling to scan for anomalous activity and known vulnerability patterns across our infrastructure and application layer.

  • Audit Logging

    Administrative actions and significant system events are logged and retained. Logs are protected from unauthorized modification.

Data Minimization

We design the platform around GDPR-aligned data minimization. We collect what is needed to operate cases and meet our legal obligations, and we limit the data shared with external services — including AI providers — to what is necessary for the feature to function.

Incident Posture

  • Defined Process

    We follow a defined process covering detection, containment, investigation, and remediation. Findings drive both immediate fixes and longer-term improvements.

  • Customer Notification

    Affected customers are notified in line with our contractual obligations and applicable legal requirements.

  • Vulnerability Reporting

    Suspicious activity or potential security concerns can be reported to security@settled.com. Reports are reviewed in good faith.

Compliance Direction

We describe our compliance posture in plain terms. Where a certification does not yet exist, we say so.

  • SOC 2 Readiness

    Settled is designed with SOC 2 readiness practices in mind. We are not currently SOC 2 Type II certified. We will update this page if and when an audit completes.

  • GDPR Alignment

    We design the platform around GDPR-aligned data minimization and aim to honor data subject rights consistent with GDPR principles where applicable.

  • CCPA Posture

    We honor data subject requests aligned with CCPA principles where applicable.

  • ISO 27001

    We are exploring ISO 27001 alignment as part of our security roadmap. We are not currently ISO 27001 certified.

User Responsibilities

  • Credential Protection

    Users are responsible for maintaining the confidentiality of their login credentials. Credentials must not be shared with others.

  • Document Integrity

    Users are responsible for ensuring that documents uploaded to the platform are accurate, authorized, and free from malicious content.

  • Incident Reporting

    Suspicious activity or potential security concerns should be reported promptly to security@settled.com. All reports are reviewed.
