Everything you need to know about how Steadfast Practice stores, protects, and handles your firm's data — in plain English.
All data stored in our database is encrypted at rest using AES-256 encryption — the same standard used by financial institutions and government agencies. This is enforced at the infrastructure level by Neon (our database provider), meaning encryption is always on with no configuration required.
This covers all client records, case files, contact details, financial information, intake forms, documents, and any other data your firm stores in Steadfast Practice.
Every connection to and from Steadfast Practice is encrypted in transit using TLS 1.2 or higher. This means data passing between your browser, your clients' browsers, and our servers cannot be read or tampered with in transit.
Your data is automatically backed up by Neon on a continuous basis. Backups are managed by our database provider and stored redundantly in US-based infrastructure.
Steadfast Practice is a multi-tenant platform — multiple law firms share the same infrastructure. Your firm's data is completely isolated from every other firm on the platform.
Every database table includes a tenant_id column. Every API query is scoped to your firm's tenant_id — pulled from your authenticated session, never from user-supplied input. It is architecturally impossible for one firm's users to retrieve, modify, or delete another firm's data.
We use a three-tier access model: platform admins, firm users (attorneys, staff, admins), and clients. Each tier is strictly isolated — a client cannot access attorney-only data, and firm users cannot access other firms.
All database queries use parameterized statements (prepared queries) — SQL injection is architecturally prevented. User-supplied data is never interpolated directly into SQL strings.
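To make the tenant-scoping and parameterized-query points above concrete, here is an added illustration in Node.js; it is not Steadfast Practice's own code. The `{ text, values }` query shape (the node-postgres convention), the `cases` table and its columns, and the `session.tenantId` field name are assumptions.

```javascript
// Added illustration, not Steadfast Practice's code. The { text, values }
// query shape follows the node-postgres convention and is assumed here, as
// are the table/column names and the `session.tenantId` field.

// Columns a caller may filter on. The column name is spliced into SQL text,
// so it must come from this allowlist; tenant_id is deliberately not in it.
const ALLOWED_FILTERS = new Set(["status", "matter_type"]);

// The pattern the page says is never used: the tenant comes from the request
// body and user values are interpolated straight into the SQL string.
function unscopedCaseQuery(reqBody) {
  return `SELECT * FROM cases WHERE tenant_id = '${reqBody.tenant_id}' ` +
         `AND status = '${reqBody.status}'`;
}

// Hardened pattern: tenant_id is taken only from the authenticated session,
// and every user-supplied value travels as a bound parameter ($1, $2, ...).
function scopedCaseQuery(session, filters = {}) {
  const tenantId = session && session.tenantId;
  if (typeof tenantId !== "string" || tenantId === "") {
    throw new Error("no authenticated tenant in session");
  }
  const values = [tenantId];
  const clauses = ["tenant_id = $1"];
  for (const [column, value] of Object.entries(filters)) {
    if (!ALLOWED_FILTERS.has(column)) continue; // drops tenant_id and unknown keys
    values.push(String(value));
    clauses.push(`${column} = $${values.length}`);
  }
  return {
    text: `SELECT id, title, status FROM cases WHERE ${clauses.join(" AND ")}`,
    values,
  };
}

// Constructed input: a user of firm_a names another tenant in the request
// and puts SQL syntax in the status filter.
const hostileBody = { tenant_id: "firm_b", status: "open' OR '1'='1" };
const session = { tenantId: "firm_a" };

// scopedCaseQuery(session, hostileBody) pins tenant_id to "firm_a" and passes
// the status string as a parameter value, so it can only ever match a literal.
```

Running `scopedCaseQuery(session, hostileBody)` yields `tenant_id = $1 AND status = $2` with values `["firm_a", "open' OR '1'='1"]`, while `unscopedCaseQuery(hostileBody)` shows both the tenant and the SQL text under the caller's control.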
Security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and others) are applied to every HTTP response via Helmet.js. Public-facing endpoints (chat widget, intake forms, calculators) are rate-limited to prevent abuse.
You own your data. Full stop. Steadfast Practice is a tool you use — we have no claim to your client records, case files, or firm information.
On cancellation: You can export all your data at any time via the built-in export feature (Dashboard → Settings → Export). When your firm is deleted from the platform, all associated data is permanently deleted via cascading database deletion — contacts, cases, billing records, documents, messages, and all related records are removed. This is irreversible.
We use a small number of carefully selected service providers. Here is exactly what data flows to each, and why:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Neon (PostgreSQL) | Primary database | All firm & client data (encrypted at rest) | US East (AWS) |
| Render | Application hosting | Application code; request logs (no persistent client data) | US (Oregon) |
| Stripe | Payment processing | Invoice amounts, firm name — no card data ever touches our servers | US-based |
| Cloudflare R2 | File & document storage | Uploaded documents and images (encrypted in transit and at rest) | US-based |
| Polsia AI Proxy | AI chat widget responses | Chat message content — used only to generate responses, not retained for training | US-based |
We do not use Google Analytics, Facebook Pixel, or any other third-party behavioral tracking or advertising technology on any authenticated firm pages. No client data is ever sent to analytics services.
All data is stored and processed in the United States. We do not transfer client data to other countries or regions. Our infrastructure stack:
We're happy to provide additional documentation, answer specific compliance questions, or discuss your firm's particular requirements before you sign up.
Last updated: March 10, 2026