Your data is your data
When you submit a case, the text goes through our matching pipeline and the results are stored so you can review them later. That's it.
We don't sell your data. We don't share it. We don't use your case details for anything other than matching. Your cases are completely isolated to your firm — no one else can see them.
Integrations (Clio, etc.)
When you connect a platform like Clio, you're authorizing MDL Match to read your matters. We never see your Clio password — the connection uses industry-standard OAuth 2.0. You click "authorize" on Clio's own page, and they give us a token.
That token is encrypted before it's stored in our database. Even if someone accessed the database directly, the tokens are unreadable without the encryption key (which lives exclusively on our servers, never in the database).
You can disconnect at any time. When you do, the token is revoked immediately — we lose access to your Clio account in the same second.
What's encrypted
All sensitive credentials — access tokens, refresh tokens, and webhook signing keys — are encrypted using AES-256-GCM, the same encryption standard used by banks and government agencies.
Each value gets its own unique encryption key component, making it impossible to decrypt one value even if another were somehow compromised.
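One way to implement the credential storage described above, added here as an example and not MDL Match's own code. It assumes the "unique encryption key component" is a random per-value salt fed through HKDF; the function names, the demo master key and the context string are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo key so the example runs offline. In a real deployment the
// 32-byte master key is loaded from the server environment, never the database.
const DEMO_MASTER_KEY = Buffer.alloc(32, 7);

// Assumption: each stored value gets its own AES-256 key, derived from the
// master key and a random per-value salt with HKDF-SHA256.
function deriveKey(masterKey, salt) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', masterKey, salt, 'credential-storage', 32));
}

// Encrypt one credential. `context` (e.g. owner and credential type) is bound
// as GCM associated data, so a blob copied onto another row fails to decrypt.
function encryptSecret(masterKey, plaintext, context) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // 96-bit nonce, fresh per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterKey, salt), iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored column value: salt (16) | iv (12) | auth tag (16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt one credential; throws if the key, context, or any stored byte is wrong.
function decryptSecret(masterKey, stored, context) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 44) throw new Error('stored value too short');
  const [salt, iv, tag, ct] = [raw.subarray(0, 16), raw.subarray(16, 28),
                               raw.subarray(28, 44), raw.subarray(44)];
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(masterKey, salt), iv);
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Non-throwing wrapper: null means "treat the credential as unusable".
function tryDecrypt(masterKey, stored, context) {
  try {
    return decryptSecret(masterKey, stored, context);
  } catch {
    return null;
  }
}
```

Because GCM is authenticated, a database row that has been modified or moved is rejected at decryption time rather than yielding a corrupted token.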
Webhooks
When Clio sends us updates about your matters, those messages are signed — we verify every single one to make sure it actually came from Clio. Forged messages are rejected automatically.
API keys
If you use our API, your keys are managed through Clerk (our authentication provider). The full secret is shown once when you create it — we don't store the plaintext. You can revoke any key instantly from the dashboard.
Data hosting
Your data is stored in a PostgreSQL database on AWS (us-east-1, Northern Virginia). All connections use encrypted transport. The database provider (Neon) handles backups and disaster recovery.
Questions?
If you have security questions or need to report a vulnerability, email security@mdlmatch.ai. We respond to all security reports within 24 hours.
For a deeper technical overview, see our Privacy Policy.