Security at CabRank Legal
CabRank operates a referral marketplace and intake handoff platform for Australian lawyers. Where enabled, it can pass structured intake information to the systems a firm already uses. Security is treated as a structural commitment, not an afterthought. This page documents how we protect data, what infrastructure we depend on, and how we respond when something goes wrong.
Where your data lives
CabRank’s primary database, file storage, authentication, and serverless functions run on a Sydney-region (ap-southeast-2) Supabase instance. Referral, intake and client information is hosted in Australia by default.
The platform is fronted by Vercel for static hosting and edge routing. Connections use HTTPS only, enforced at the platform level, with TLS 1.2 or higher required. The cabrank.legal and app.cabrank.legal certificates are issued by Let’s Encrypt.
Sub-processors
Sub-processors are third-party services that may process CabRank data in the course of providing the platform. We disclose all of them. Sub-processor changes will be notified to firm administrators by email at least 14 days before taking effect.
| Sub-processor | Purpose | Hosting region | Data handled |
|---|---|---|---|
| Supabase | Primary database, authentication, file storage, Edge Functions | Sydney, Australia (ap-southeast-2) | Referral records, intake profiles, OAuth tokens, engagement-document drafts |
| Vercel | Static hosting, edge routing, build pipeline | Global edge; Sydney primary | Public marketing pages and signed-in app shell |
| Stripe | Payment processing for consumer bookings and firm subscriptions | Australia + United States | Customer billing metadata. Card details are handled exclusively by Stripe and never reach CabRank. |
| Anthropic | AI enquiry summarisation, redaction, and (for AI Partner subscribers) pathway intelligence | United States | Call transcripts during the redaction step. Not used for AI training. |
| Bland AI | Voice receptionist (AI Partner subscribers only) | United States | Inbound voice audio and transcripts for AI Partner phone numbers |
| Resend | Transactional email (bookings, lawyer digests, magic links) | United States | Recipient email address and message body |
| Twilio | SMS notifications | United States | Recipient mobile number and message body |
| Microsoft (Graph API) | Calendar integration (Bookings mailbox) | Multiple regions; tenant-determined | Calendar event metadata for consultation scheduling |
| Clio | Firm-chosen handoff destination (per-firm OAuth) | Australia (au.app.clio.com) for AU firms | Confirmed intake information and engagement-document data passed to the firm’s chosen system, where enabled |
| Actionstep (planned) | Firm-chosen handoff destination (per-firm OAuth) | Sydney (ap-southeast-2.actionstep.com) for AU firms | Same as Clio |
| Google (Drive API) | Bring-your-own storage (per-firm OAuth, alternative to PMS) | Per-firm Google account region | Files written to the firm’s own Drive |
Encryption
- In transit: TLS 1.2 or higher required by the edge proxy. HTTP requests are 308-redirected to HTTPS.
- At rest: Supabase Postgres data and storage are encrypted with AES-256 (managed by Supabase).
- Passwords: stored as bcrypt hashes by Supabase Auth. CabRank’s application code never sees raw passwords.
- OAuth tokens: stored in Supabase, encrypted at rest, never logged, never exposed to client-side code.
- Edge function secrets: stored in Supabase’s secrets manager and injected into Edge Functions at runtime. Never committed to source.
Access controls
- Row-level security (RLS) is enforced at the Postgres layer for every multi-tenant table. Firms cannot read or write each other’s data even if a bug in the application code attempts it.
- Two-factor authentication is required on all CabRank administrative accounts.
- Least-privilege roles govern staff and service access. Service-role credentials are scoped to specific Edge Functions, not granted at large.
- No shared credentials across systems. Every integration uses its own scoped credentials.
- OAuth 2.0 for all PMS and storage integrations — CabRank never stores customer PMS passwords.
Data handling principles
CabRank stores referral and intake information for routing, claiming and handoff purposes. It does not maintain the legal file of record.
Pre-claim: CabRank temporarily holds minimal PII for referral routing — name, phone, area of law, jurisdiction, and an AI-generated summary. AI-redacted summaries are shown to claiming lawyers; commercial framing of the intake call is stripped before any lawyer sees the referral.
Post-claim: confirmed intake details are passed to the firm’s own PMS, calendar, document store or BYO Google Drive. CabRank retains only the minimum metadata needed for analytics, billing, and audit (referral ID, area of law, state, claim event, paid status) — no client-identifying detail.
This handoff architecture means CabRank does not maintain a parallel file once a firm claims a referral. The file of record lives in the firm’s own system. CabRank is not a practice management system, case management system or system of record for legal matters.
Data deletion
CabRank supports data deletion on request:
- Firm-level deletion: a firm administrator can request deletion of the firm’s CabRank account and all associated tokens, profiles, and post-claim metadata. We commit to completing deletion within 30 days of a verified request.
- Per-referral deletion: a firm can request deletion of any specific referral’s CabRank-side metadata. The firm’s own file of record in their PMS or Drive is outside CabRank’s deletion scope.
- Client-initiated deletion: clients who interacted with the intake channels can request deletion of their personal information via the contact channel below.
- OAuth disconnection: when a firm disconnects from a PMS or storage integration, all OAuth tokens are immediately revoked and the corresponding row removed from CabRank’s database.
Deletion requests are made to support@platfirm.ai.
Incident response
CabRank maintains an internal incident response procedure covering detection, containment, communication, and post-incident review.
- Notification commitment: material security incidents affecting customer data are notified to affected firm administrators within 72 hours of CabRank becoming aware.
- Notification channel: primary firm-administrator email; for severe or platform-wide incidents, a public status update at cabrank.legal/security.
- Post-incident: a written post-mortem is provided to affected firms covering root cause, remediation, and preventive measures.
This commitment is consistent with the notifiable-data-breach scheme under the Privacy Act 1988 (Cth).
Vulnerability disclosure
Security researchers and customer security teams are encouraged to report vulnerabilities to: security@platfirm.ai
We commit to:
- Acknowledging receipt within two business days.
- Triaging the report within five business days.
- Patching according to the SLAs below.
CabRank does not currently operate a paid bug bounty program. We will publicly acknowledge researchers who report material vulnerabilities responsibly, with their consent.
Patching SLAs
| Severity | Patch SLA | Examples |
|---|---|---|
| Critical | 72 hours | Active exploitation; broad customer-data exposure |
| High | 7 days | Narrow customer-data exposure; no active exploitation observed |
| Medium | 30 days | Requires authentication or specific conditions to exploit |
| Low | Next scheduled release | Cosmetic, no customer-data exposure |
Australian regulatory framework
CabRank’s privacy practices are governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The complete framework is detailed in our Privacy Policy.
Cross-border disclosure of personal information (APP 8) is addressed in the privacy policy. The sub-processors listed above include several US-based services; the contractual safeguards under which CabRank shares data with these sub-processors are equivalent to those required by APP 8.
Compliance posture
- Aligned with the Minimum Viable Security Product (MVSP) standard.
- Australian Privacy Principles applied to all personal information processed.
- SOC 2 and ISO 27001 certifications are on the compliance roadmap; not yet in scope.
Contact
- Security reports and vulnerability disclosures: security@platfirm.ai
- General security questions and compliance questionnaires: contact@platfirm.ai
- Customer data deletion requests: support@platfirm.ai
Platfirm AI Pty Ltd · ACN 679 859 744 · PO Box 965, Capalaba QLD 4157, Australia