Per Stirpes

Security

An estate plan is a family’s most private information held to an attorney’s strictest duty. Here is how the platform protects it — specifically, and in plain language.

Effective June 11, 2026

Isolation is the foundation

Per Stirpes is multi-tenant software for law firms, so the first question is the right one: what keeps one firm’s matters away from another’s? The answer is the database itself. Every row of firm data carries its firm’s identity, and Postgres row-level security policies — enforced by the database engine, not by application code — refuse to return rows across that boundary. A bug in our application cannot read another firm’s data, because the database will not hand it over.

Client access is scoped the same way: a client signing into a firm’s portal can reach their own engagement and nothing else — not other clients, not the firm’s other matters.
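To make the firm boundary described above concrete, here is a minimal Postgres sketch of row-level security keyed on a firm identifier. It is an added illustration, not Per Stirpes's schema or code: the `matters` table, the `app_user` role, the `app.firm_id` session setting and the sample rows are all hypothetical.

```sql
-- Added illustration; every table, column, role and setting name is hypothetical.
CREATE TABLE matters (
    id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    firm_id uuid NOT NULL,   -- every row carries its firm's identity
    title   text NOT NULL
);

-- Constructed sample rows for two firms.
INSERT INTO matters (firm_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Firm A: revocable trust'),
    ('22222222-2222-2222-2222-222222222222', 'Firm B: pour-over will');

-- ENABLE turns policies on. FORCE also applies them to the table owner;
-- superusers and roles with BYPASSRLS remain exempt, so the application
-- must not connect as either.
ALTER TABLE matters ENABLE ROW LEVEL SECURITY;
ALTER TABLE matters FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted.
-- WITH CHECK validates rows that are inserted or produced by an update.
-- NULLIF(..., '') turns an unset or reset setting into NULL, so a session
-- with no firm context matches no rows (the policy fails closed).
CREATE POLICY firm_isolation ON matters
    USING      (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid)
    WITH CHECK (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid);

-- Unprivileged role the application is assumed to run queries as.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON matters TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
-- Assumed to be set server-side from the authenticated session, never from
-- client-supplied input.
SET LOCAL app.firm_id = '11111111-1111-1111-1111-111111111111';

-- Reads are filtered to the session's firm, even when the query asks for
-- another firm's rows explicitly.
SELECT title FROM matters;
SELECT title FROM matters
 WHERE firm_id = '22222222-2222-2222-2222-222222222222';

-- WITH CHECK rejects a write that targets another firm.
INSERT INTO matters (firm_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-firm write');
ROLLBACK;
```

When reviewing a deployment of this pattern, the points to check are that no application connection uses the table owner without `FORCE`, a superuser, or a `BYPASSRLS` role, and that every tenant table has both the policy and row-level security enabled.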

Encryption

Every connection is encrypted in transit with TLS, and our domains instruct browsers to never connect over plain HTTP. Data is encrypted at rest in managed Postgres. Documents and uploads live in private object storage and are served only through signed, time-limited links — there are no public file URLs to guess or share.

Sign-in and access

Firm staff sign in through WorkOS, the same authentication infrastructure that powers enterprise single sign-on. Clients sign in with one-time email links — there are no client passwords to reuse, phish, or breach. Staff access is role-based, and a firm’s administrators control who is on the team and what each client can see. The platform sets only the cookies it needs to keep you signed in; there are no advertising or analytics cookies.

Payments

Payment processing is handled by Stripe, a PCI DSS Level 1 service provider — the most stringent level of payment-industry certification. Card details travel from the client’s browser to Stripe directly and never touch our servers. When a client pays a firm’s invoice, the payment runs on the firm’s own Stripe account.

The paper trail

Estate planning runs on evidence, and so does the platform. Every matter keeps an audit trail of activity — who did what, and when. Electronic signatures carry their own signing audit trail from our e-signature provider. Internally, every request carries a correlation identifier, so when something goes wrong we can trace exactly what happened, end to end.

Abuse protection

Public surfaces — intake forms, the contact form, sign-in endpoints — are rate-limited and protected by bot detection, and email delivery failures are tracked so a firm knows when a message did not arrive. The platform exposes a health check we monitor, and degraded dependencies fail loudly rather than silently.

The infrastructure we stand on

We build on a small set of managed providers rather than running our own metal: Vercel for hosting and delivery, Supabase (on AWS, in the us-east-1 region) for the database and file storage, WorkOS for staff authentication, Stripe for payments, SignNow for e-signatures, Nylas for scheduling, and Postmark for email. Each runs its own independently audited security program. The full list, and what each one does for us, is in our privacy policy. All data is processed in the United States.

What we don’t claim

We are a small team, and we will not dress that up. We do not yet hold a SOC 2 attestation of our own — the providers above do, and as Per Stirpes grows, formal certification is on our roadmap. In the meantime, the protections doing the real work are structural: tenant isolation enforced in the database, no client passwords to steal, no card numbers on our servers, and no more data collected than an engagement actually requires. We would rather tell you exactly how the system works than hand you a badge — and if you are evaluating Per Stirpes for your firm and want to go deeper, write to support@perstirpes.co and ask.

Report a vulnerability

If you believe you have found a security issue, write to security@perstirpes.co. We acknowledge reports within 72 hours, and we are grateful for them. Good-faith research is welcome: give us reasonable time to fix what you find, do not access or alter data that is not yours, and we will not pursue action against you for it. We do not currently run a paid bounty program. Machine-readable disclosure details live at /.well-known/security.txt.

Related

How we handle information generally is in our privacy policy; the terms that govern the platform are here.