Security & privilege

Where we are. Where we're going. Straight.

Matterfile is in private beta, with one matter live. We're going to be candid about what's on the partner's desk today — and what's on the roadmap before this is a tool a procurement office would sign off on.


The shape of the system today

Matterfile runs as a native desktop app on the client's machine, beside the matter folder. The folder itself stays where it is — we don't upload it to a Matterfile server, and we don't ask you to re-host your files anywhere. The corpus is the source of truth; we read from it.

What does flow off the machine, in this version, is a small operational record — the chronology entries, the audit log, the wargame results — into a managed Postgres we operate, so the firm and the client can read the same state from different seats. That's the part that gets the SOC 2 work next. We'll come back to it below.

What does not happen

  • We never upload the raw matter folder.
  • We don't train, fine-tune, or backtest on your matter.
  • We don't sell, share, or commercialize anything you put into the system.
  • We don't run analytics on what's in your corpus.

Model usage

Matterfile uses Anthropic's API for classification (the corpus map) and extraction (the chronology). At install time you paste in your firm's API key — configured with retention off — and the bytes of your corpus travel as encrypted-in-transit prompts to Anthropic. They don't store the prompts; we don't see them server-side at all.

For extra-sensitive matters we can plug Matterfile into a VPC- or on-prem-hosted model instead of the public API. The shape of the chronology and wargames doesn't change; the inference moves.

Privilege

Nothing in how Matterfile handles a document changes its privileged status. The client invitation is scoped to a single matter; the client sees exactly what the partner has marked SHARED and nothing else. Privileged and partner-only material is filtered at the source.

Every contribution — partner or client — is logged with author, timestamp, and the prior value. If the chronology ever needs to be admitted, the receipts are in order.

This is the early version

A grown-up legaltech vendor would tell you about their SOC 2 Type II report on this page. We're going to tell you we don't have one yet, because it'd be silly to claim otherwise. Here's the honest accounting of where security stands:

What's already true

  • The matter folder stays on the client's machine. Never uploaded.
  • Inference uses your firm's Anthropic API key with retention off.
  • We don't and won't train on your matter.
  • Chain-of-custody log on every chronology entry, exportable as JSON.

What's in flight

  • SOC 2 Type II — we'll start the audit when the second firm comes on.
  • HIPAA / BAA — if your matter carries PHI, we'll get the BAA in place before the demo, not after.
  • VPC / on-prem inference path — designed; will be deployed on first request.
  • SSO (Okta / Azure AD) — on the list; manual provisioning for now.
  • Third-party penetration test — commissioned for Q3.

What's true and we'd rather you hear from us

  • The managed Postgres we run is operated by a small team. It's well-configured but it's not yet audited.
  • The chronology and wargame data flow off the client's machine into that database. We never see the raw matter folder; we do see the structured output.
  • Backups are encrypted at rest. Access is scoped to the operator (one person) and audited.

If any of that is a blocker for your firm's current procurement bar, we hear you — and the beta is probably not the right shape for you yet. If you'd be willing to be the firm whose matter unlocks the SOC 2 work, even better.

Your IP

The chronology, the corpus map, the wargame outputs — all of it is yours. Matterfile claims no license over your data. There are no “training data” or “improvement” clauses in any contract we'd ever sign. If you cancel, your local data stays local; we delete the managed copy on request.

What we ask of you

  • Run Matterfile on a managed machine with full-disk encryption.
  • Don't share client-invite links over insecure channels.
  • Tell us when you find something we got wrong.

We'd rather lose a customer to a security review we passed too quickly than win one through a security review we passed too slowly.

Questions a security policy didn't answer? Email hello@matterfile.cc — a real person responds, usually same day.
