Security at Motion Ready

Security Overview

Your trust is our foundation. Attorney-client confidentiality is not a compliance checkbox — it is the professional obligation that defines our relationship with you and your clients. We employ multiple layers of technical and organizational controls to protect your confidential information at every stage of the drafting process.

Encryption

All data is encrypted in transit and at rest using current industry standards:

• In transit: TLS 1.3 for all connections between your browser, our servers, and our infrastructure providers
• At rest: AES-256 encryption for all stored data, including documents, case materials, and generated drafts
• Database: Database storage uses AES-256 with per-tenant encryption keys
• Backups: All backup snapshots are encrypted before storage

Access Controls

We enforce strict controls over who can access your data:

• Row-Level Security: Row-Level Security policies ensure your data is never accessible to other accounts — enforced at the database level, not the application layer
• Role-based permissions: Staff can only access data their role requires; clerks see only assigned orders; no lateral access between client accounts
• Multi-factor authentication: Required for all staff accounts
• Session management: Short-lived JWT tokens with automatic expiry; HTTP-only cookies prevent XSS token theft
• API rate limiting: Per-IP and per-user rate limits prevent abuse and brute-force attempts

Infrastructure

We partner with enterprise-grade providers that maintain rigorous security certifications. See Trusted Providers below for the full table of named vendors and their certifications.

• Cloud hosting provider (SOC 2 Type II) — global edge network with DDoS protection
• Database and authentication provider (SOC 2 Type II) — row-level security enforced at the database layer
• Payment processor (PCI DSS Level 1) — we never store card numbers or cardholder data
• AI inference provider (SOC 2 Type II) — enterprise API agreement with contractual prohibition on training data use
• Transactional email provider (SOC 2 Type II) — delivery receipts and notification emails only

None of our infrastructure providers are permitted to use your data for their own purposes. Each operates under a data processing agreement with Motion Ready.

Audit Logging

We maintain comprehensive audit trails for all data access and system events:

• Every read and write operation on your orders, documents, and case materials is logged with timestamp, user identity, and action type
• Logs are immutable — they cannot be modified or deleted by application-layer code
• Security events (login attempts, permission denials, unusual access patterns) trigger automated alerts
• Logs are retained for 2 years for compliance and incident investigation

Staff and Training

The human side of security is as important as the technical side:

• All staff and contractors sign confidentiality agreements before accessing any client data
• Regular security awareness training covers phishing, social engineering, and data handling
• Access is provisioned on a need-to-know basis and revoked immediately upon role change or termination
• Staff access to production systems requires MFA and is logged
• Background checks are conducted on all personnel who handle client data

Backups

Your data is protected against loss:

• Daily encrypted backups with 30-day retention
• Point-in-time recovery available for the past 7 days
• Backups are stored in a separate region from primary data
• Recovery procedures are tested quarterly

Note: Our 365-day matter data retention policy means case materials are permanently deleted after that period. Maintain your own copies of all case materials in your firm's document management system.

AI Security Measures

Our use of AI introduces additional considerations that we address through specific controls:

• No model training: Third-party AI providers do not train on our API traffic per their terms of service as of 2026. Our enterprise API agreements include contractual restrictions on training use.
• Isolated processing: Each order's AI processing is isolated — there is no cross-client data sharing in AI contexts
• Encrypted API calls: All AI API calls use TLS 1.3 encrypted connections
• Data minimization: We send only the data necessary for each drafting phase to AI systems
• Quality gates: Automated quality checks review outputs at multiple stages before delivery. A final approval gate must be cleared before any motion is released to the client portal.
• Audit logging: Every AI processing call is logged with inputs and outputs for audit and compliance purposes
• Separate credentials: AI system API keys are separate from all other service credentials and rotated regularly

Privilege Preservation

Motion Ready operates as a Legal Process Outsourcing (LPO) service under the direct supervision of the hiring attorney. Under ABA Formal Opinion 08-451 (LPO privilege analysis) and the Restatement (Third) of the Law Governing Lawyers §§ 70–73, communications and work product shared with LPO providers acting under attorney direction generally maintain their privileged status.

ABA Formal Opinion 512 (2023) further confirms that attorneys using AI-assisted drafting tools maintain privilege and work product protection provided they exercise competent supervision over the AI output — which is a structural requirement of our workflow, not optional. Texas attorneys should also consult the State Bar of Texas Professional Ethics Committee guidance, which aligns with ABA Opinion 512 on AI supervision and confidentiality obligations.

Technical Safeguards

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Strict role-based access controls limit data visibility to authorized personnel
• All AI processing occurs in isolated environments with no cross-client data sharing
• Comprehensive audit trails for all data access
• Case materials permanently deleted after 365 days per our retention policy
• Third-party AI providers do not train on our API traffic per their terms of service as of 2026

Recommended Steps for Your Practice

1. Privilege Log: Include Motion Ready in your privilege log as an LPO vendor operating under attorney direction — consistent with how firms log other litigation support vendors.
2. Work Product Doctrine: Filing packages constitute attorney work product prepared in anticipation of litigation, reflecting mental impressions, conclusions, opinions, and legal theories of counsel.
3. Attorney Supervision: Our workflow ensures mandatory attorney review before delivery, maintaining the supervisory control courts examine when evaluating privilege claims.
4. AI Disclosure: If your jurisdiction requires disclosure of AI-assisted drafting, such disclosure does not waive privilege over the underlying work product or attorney-client communications.
5. Data Retention: Maintain your own copies of all case materials. Our 365-day retention policy means materials are permanently deleted after that period.

Every filing package includes an Attorney Instruction Sheet with detailed privilege preservation guidance specific to your order.

Compliance and Standards

• SOC 2 Type II: Our infrastructure providers maintain SOC 2 Type II compliance, demonstrating rigorous security controls.
• ABA Formal Opinion 512 (2023): We comply with ABA guidance on AI disclosure and competent supervision, ensuring attorneys retain professional responsibility over AI-assisted work product.
• Texas TDPSA: Texas Data Privacy and Security Act (effective July 1, 2024) compliance for Texas residents, including data subject rights and security requirements applicable to our processing activities.
• CCPA/CPRA: California Consumer Privacy Act compliance for California residents.
• Attorney-Client Privilege: Our systems and processes are designed to protect the confidentiality of attorney work product. See Section 8 for details.
• PCI DSS Level 1: Payment card processing is handled by our payment processor, which maintains the highest level of PCI compliance. We never store card numbers.

Trusted Providers

Our security posture depends on the quality of the providers we choose. We use only providers with demonstrated security programs:

Report a Vulnerability

We take security seriously and support responsible disclosure. If you discover a potential vulnerability in our platform, please report it to us before public disclosure so we can protect attorneys and their clients.

Safe Harbor

We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided you: (a) do not access, modify, or exfiltrate client data beyond what is necessary to demonstrate the vulnerability; (b) do not perform denial-of-service attacks or social engineering; and (c) report your findings to us promptly.

Disclosure Timeline

• Acknowledgment: We will acknowledge your report within 48 hours
• Investigation: We will provide an initial assessment within 10 business days
• Remediation: We aim to remediate confirmed vulnerabilities within 90 days of your report. We will keep you informed of progress.
• Coordinated disclosure: After 90 days, or upon remediation (whichever is sooner), you are free to publish your findings. We ask for advance notice so we can coordinate timing.

What to Include

Please include: the nature of the vulnerability, steps to reproduce, potential impact, affected URLs or components, and any relevant screenshots or logs. The more detail you provide, the faster we can respond.