Trust Center
CaseCore is designed for agencies that handle sensitive clients, case records, evidence, reports, billing, and field operations. Formal SOC 2 certification is an audit milestone; the protection standard is being built into the product now. CaseCore is designed around SOC 2-aligned controls, evidence collection, recovery workflows, and owner-visible security operations before the auditor's report exists.
Protection Standard
A SOC 2 report is proof from an auditor. CaseCore's standard is to build the controls first: limit access, log important actions, preserve recovery options, prepare incident response, and keep sensitive agency records separated by workspace and role.
Agency workspaces are separated by organization-scoped access checks and database-backed row-level security patterns.
Owner, admin, case worker, and support roles are enforced server-side so sensitive areas stay limited to authorized users.
Contractors and case workers do not receive owner billing controls or agency margin visibility.
Evidence uploads include file metadata and hash records for stronger chain-of-custody documentation.
Evidence removal moves items into a recovery window instead of immediate destruction, with owner/admin restore controls.
Security, support, recovery, staff, and administrative actions are logged for owner/admin review and audit exports.
CaseCore includes workflows for opening, containing, resolving, and documenting security incident response drills.
Public and costly workflows use rate limits, security headers, and platform firewall protections to reduce abuse risk.
Audit Readiness
CaseCore’s goal is to have the operating controls, logs, drills, and documentation already in place before formal SOC 2 fieldwork, so customers are protected now and the audit becomes confirmation of an existing security program.
Security
Access controls, audit logs, incident response, security headers, account lockdown, and rate-limit protections are built into the product.
Availability
The app runs on managed cloud infrastructure with production deployment rollback and continuity practices. Vendor backup evidence is reviewed as part of audit preparation.
Confidentiality
Case data, billing controls, evidence, staff records, and client links are scoped by role, organization, and purpose.
Processing Integrity
Evidence metadata, timestamps, hash values, report activity, billing activity, and case events help agencies verify operational records.
Privacy
Privacy policy, terms acceptance, audit logs, deletion request routing, U.S.-only scope, and children/minor case language are documented.
CaseCore includes recovery holds, restore workflow, security event logging, and owner/admin recovery drills so data protection is operational, not just a policy statement.
Agencies can lock suspected compromised accounts, review audit history, preserve evidence, and document containment from the Security Center.
CaseCore is currently scoped for United States users unless country-specific legal, privacy, and data protection requirements are approved in writing.
Need a security answer for a customer?
CaseCore is not yet SOC 2 certified, but the platform is being built and operated with SOC 2-aligned security controls now: audit logging, recovery workflows, incident response records, access restrictions, billing privacy, and data protection practices designed to meet or exceed the expectations customers associate with SOC 2.