Legal

Security

Draft · June 2026 · pending legal review

This is a working draft prepared as a starting point. It describes our intended practices and is not a binding commitment or a certification. Specifics will be reviewed and confirmed by counsel and our security team before publication.

11River handles sensitive material: court documents, claimant records, settlement data, and privileged work. Security is built into how the suite is designed and operated. This page summarizes our approach.

Hosting and infrastructure

The suite runs on established cloud platforms with their own strong physical and network security. Production systems are separated from development and testing, and access to infrastructure is limited to authorized personnel.

Encryption

In transit. Traffic between you and the service is encrypted using current TLS standards.
At rest. Stored data and file uploads are encrypted at rest by our infrastructure providers.

Access control and tenant separation

Each organization's data is logically separated, and the application enforces that one organization cannot read or write another organization's data.
Within an organization, administrators assign roles that control who can view or change what.
Internal access to customer data is restricted to staff who need it to operate or support the service, on a least privilege basis.

Authentication

Sign in is handled through a modern identity provider that supports single sign on and multi factor authentication. Credentials are not stored in plain text, and session handling follows current best practices.

Artificial intelligence and data handling

When AI features process content, that content is sent to trusted model providers under agreements that restrict how it may be used. We do not permit customer content to be used to train third party public models. Sensitive workflows are designed so that only the content needed for a given task is shared.

Audit trails and monitoring

Key actions, such as administrative changes and access events, are recorded so they can be reviewed. We monitor systems for errors, unusual activity, and availability, and we maintain logging to support investigation when needed.

Vulnerability management and testing

We keep dependencies and systems updated and review code for security issues before release.
We plan for periodic security testing, including third party assessment, as the program matures.

Compliance posture

We design controls in line with widely recognized frameworks for handling sensitive data, including the principles behind SOC 2, and align with privacy laws such as the GDPR, CCPA, and CPRA where they apply. Formal certifications and attestations are part of our roadmap. This section will be updated as milestones are reached.

Data retention and deletion

Customers control their workspace data and can request export or deletion, subject to legal holds and record keeping obligations that often apply to litigation and settlement matters. See our Privacy Policy for details.

Business continuity

We rely on managed infrastructure with redundancy and backups to support recovery in the event of disruption. Recovery objectives will be documented as the program matures.

Incident response

We maintain an internal process to detect, investigate, and respond to security incidents, and we will notify affected customers consistent with applicable law and our agreements.

Responsible disclosure

If you believe you have found a security issue, please contact us before disclosing it publicly so we can investigate and respond. We appreciate good faith research and will work with you in good faith.

Contact

11River, an 11Insight company. Las Vegas, Nevada and Huntington Beach, California.
Security contact: security@11river.app