Security & Compliance

Security Overview

Security is paramount at Narrative AI. Our platform is designed with security as a core priority to protect the sensitive legal data our customers entrust to us. This document provides a comprehensive overview of our security practices, detailing how we safeguard data, ensure regulatory compliance, and mitigate evolving cyber threats.

People & Culture

At Narrative AI, we foster a strong security-first culture that permeates every aspect of our organization. As a remote-first engineering culture, we secure our perimeter through rigorous device management and training.

Security Training

All employees undergo security training as part of their onboarding process. Employees must agree to our internal Code of Conduct and relevant security policies. Depending on the employee's role, additional security training is required. For instance, our engineers are required to undergo training in Secure Coding Practices (OWASP Top 10).

The Security Team

The Narrative AI engineering team embeds security practices into every stage of the software development lifecycle, ensuring a secure product by design. Our team is committed to maintaining a robust security posture, which is further strengthened by regular engagement with external security experts for independent validation and continuous improvement.

Processes

We prioritize excellence in process management and data security, ensuring the highest standards across our SaaS platform, infrastructure, personnel, and supporting technologies.

Certifications & Compliance

ISO 27001:2022 Certified

Narrative AI is ISO 27001:2022 Certified. We actively monitor and enforce 28 specific security controls across our organization, covering access control, encryption, business continuity, and incident response.

SOC 2 Type II

Narrative AI is actively working towards SOC 2 Type II certification (Target: H1 2026). This certification will further validate that our systems and processes are designed to consistently meet the highest operational and regulatory standards.

Risk Management & Insurance

We maintain ongoing risk mitigation practices to identify, assess, and control financial, legal, strategic, and security risks.

Incident Response

We maintain a comprehensive Incident Response Plan (IRP) with strict SLAs for response times. Our process follows a 5-phase approach: Identification, Containment, Eradication, Recovery, and Lessons Learned.

Severity | Description | Response SLA
--- | --- | ---
SEV-1 (Critical) | Data breach, massive outage, unauthorized admin access. | 1 Hour
SEV-2 (High) | Feature breakage affecting multiple clients. | 1 Hour
SEV-3 (Medium) | Minor bug, non-blocking performance issue. | 4 Hours

Contact: [email protected] (Monitored 24/7)

Business Continuity and Disaster Recovery (BCDR)

We maintain a DR plan with an RTO (Recovery Time Objective) of 4 hours and RPO (Recovery Point Objective) of 1 hour.

Validated Resilience (Nov 2025 Test): Our most recent annual backup restoration test (November 20, 2025) verified our recovery capabilities, significantly outperforming our SLAs:

  • Database RTO: 6 minutes 9 seconds (Target: <10 mins)

  • VM RTO: 26 minutes 45 seconds (Target: <30 mins)

  • Data Integrity: 100% of 1,688 records validated post-restore with zero data loss.

Change Management

We implement a rigorous change management process to ensure reliability and security:

  • Infrastructure as Code (IaC): All infrastructure is defined and managed through code (Terraform), enabling version control, peer review, and audit trails for infrastructure changes.

  • Two-Person Approval: Production changes require approval from at least two engineers before deployment.

  • Automated Testing: Changes must pass CI/CD pipelines (unit, integration, and security tests) before merging.

  • Client Notification: For changes that significantly impact operations or security, Narrative AI provides advance notice to client stakeholders.

Developer Responsibilities (Secure Coding)

Every developer is responsible for security. We enforce a "Secure by Design" philosophy, requiring adherence to our internal coding standards:

  • Dependencies: Automated scanning for vulnerable libraries (SCA).

  • Authentication: Never implementing custom crypto; utilizing standard libraries.

  • Input Sanitization & Validation: All user inputs are rigorously validated and sanitized directly within the application code. We enforce strict type checking and utilize parameterized queries and ORMs to neutralize SQL injection risks, ensuring security is built into the logic rather than relying solely on external firewalls.

  • Secrets: No hardcoded secrets; use of Azure Key Vault.

Vulnerability Management

  • Continuous Scanning: Automated container and dependency scanning (GitHub Advanced Security, Dependabot) runs on every commit.

  • Penetration Testing: Annual third-party penetration testing is conducted.

    • Latest Test: November 27, 2025 by Bubba AI, Inc.

    • Result: STRONG (Low Risk). No Critical, High, or Medium severity vulnerabilities were identified.

Technology

Architecture

Narrative AI is a cloud-native SaaS platform hosted primarily on Microsoft Azure. We implement a zero trust strategy with network segmentation.

Network Security:

  • DDoS Protection: Azure DDoS Protection is enabled to mitigate volumetric attacks.

  • Private Connectivity: Application services communicate via Azure Private Link within a secure Virtual Network (VNet), ensuring backend traffic never traverses the public internet.

Encryption:

  • In Transit: TLS 1.3 for all data in motion.

  • At Rest: AES-256 (Azure Storage Service Encryption) for all data at rest.

Secure Data Ingestion (Integration Security)

Unlike client-side add-ins, Narrative AI primarily integrates directly with firm Data Lakes and Practice Management Systems (PMS). This architecture minimizes endpoint risk.

  • Authentication: We utilize OAuth 2.0 and Service Principal authentication for all API connections.

  • Least Privilege: Integration accounts are configured with Read-Only permissions, scoped strictly to the data sets required.

  • Auditability: All data ingestion activities are logged and auditable within the client's own system logs.

Tenancy & Data Residency

To comply with data protection regulations, Narrative AI provides region-specific instances. We guarantee that customer data does not leave the geographical region chosen by the customer. Where a provider path routes outside that region (the US-region fallback for Azure OpenAI Service in Canada, and the Anthropic direct API, which uses US-region endpoints), the Data Location and Activation Conditions columns in the table below state this explicitly.

Supported Regions:

Customer Region | Service Layer | Provider | Default | Optional by Preference | Data Location | Activation Conditions
--- | --- | --- | --- | --- | --- | ---
UK/Europe | Infrastructure | Microsoft Azure | Yes | No | EU/UK region | Standard deployment path
UK/Europe | Infrastructure | Amazon Web Services (AWS) | No | Yes | EU/UK region | Customer request and contractual confirmation
UK/Europe | AI Inference | Azure OpenAI Service | Yes | No | EU/UK region | Standard deployment path
UK/Europe | AI Inference | AWS Bedrock (Anthropic Claude) | No | Yes | EU/UK region | Approved optional; contractual and regional due diligence controls
United States | Infrastructure | Microsoft Azure | Yes | No | US region | Standard deployment path
United States | Infrastructure | Amazon Web Services (AWS) | No | Yes | US region | Customer request and contractual confirmation
United States | AI Inference | Azure OpenAI Service | Yes | No | US region | Standard deployment path
United States | AI Inference | AWS Bedrock (Anthropic Claude) | No | Yes | US region | Approved optional; contractual and regional due diligence controls
United States | AI Inference | Anthropic direct API | No | Yes | US region | Approved optional; contractual and regional due diligence controls
United States | AI Inference | OpenAI, Inc. API | No | Yes | US region | Optional for US customers only
Canada | Infrastructure | Microsoft Azure | Yes | No | Canada East region | Standard deployment path
Canada | Infrastructure | Amazon Web Services (AWS) | No | Yes | ca-central-1 region | Customer request and contractual confirmation
Canada | AI Inference | Azure OpenAI Service | Yes | No | Canada East (default), US-region fallback | Standard deployment path; Canada East default, US-region fallback for models not available in-region
Canada | AI Inference | AWS Bedrock (Anthropic Claude) | No | Yes | ca-central-1 | Approved optional; Bedrock ca-central-1 is region-matched to Canada
Canada | AI Inference | Anthropic direct API | No | Yes | US region | Approved optional; direct API routes via US-region endpoints

Isolation: Client data is logically separated using unique Tenant IDs. We also offer Private Tenant options for clients requiring dedicated infrastructure.

AI & Data Management

We prioritize the security and confidentiality of client data when leveraging Large Language Models (LLMs). We utilize region-specific AI providers:

  • UK/EU customers: Azure OpenAI Service (default) or AWS Bedrock (optional), region-matched to EU/UK

  • US customers: Azure OpenAI Service (default), AWS Bedrock (optional), Anthropic direct API (optional), or OpenAI, Inc. API (optional for US customers only), region-matched to US

  • Canada customers: Azure OpenAI Service (default, Canada East with US-region fallback for models not available in-region), AWS Bedrock (optional), or Anthropic direct API (optional). Bedrock ca-central-1 is region-matched to Canada. Direct API routes via US-region endpoints

Strict AI Safety Controls:

  1. Stateless Processing: Our AI models process data statelessly. Inputs (prompts) and outputs (completions) are not stored by Narrative AI or our model providers for training.

  2. No Training: We have a contractual guarantee that Client Data is not used to train, retrain, or improve the foundational models used by Azure OpenAI Service, Anthropic, or OpenAI, Inc.

  3. Data Minimization (Contextual Inference): Our system extracts structured metadata (safe, analytical) from narrative text. Once extraction is complete, the raw narrative context is discarded from the AI processing memory.

  4. PII Redaction (Optional): We can utilize automated PII detection tools to automatically detect and redact/tokenize Personally Identifiable Information (PII) before processing.

Application Security (RBAC)

Because our data model is granular (40+ data points per matter), we implement Field-Level Security:

  • Role-Based Access Control (RBAC): Clients can restrict access to sensitive financial metrics (e.g., profitability, realization_rate) based on user roles (e.g., Associates see hours/phases, Partners see margins/fees).

  • Row-Level Security (RLS): For multi-office firms, we can enforce RLS to ensure partners only see matters relevant to their office or practice group.
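The following is an added illustration of how the two controls above compose, not Narrative AI's own code: a per-role field allow-list (associates see hours/phase, partners additionally see fees, margin, profitability and realization_rate) applied after a row filter on office or practice group. The matter records, role names and field set are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample matters (not real client data). Field names follow the
# page's examples: hours/phase for associates, fees/margin/profitability/
# realization_rate for partners; office and practice_group drive row filtering.
MATTERS = [
    {"matter_id": "M-1001", "office": "London", "practice_group": "Litigation",
     "hours": 120.5, "phase": "Discovery", "fees": 48000.0, "margin": 0.31,
     "profitability": 14880.0, "realization_rate": 0.92},
    {"matter_id": "M-1002", "office": "London", "practice_group": "Corporate",
     "hours": 64.0, "phase": "Closing", "fees": 30000.0, "margin": 0.25,
     "profitability": 7500.0, "realization_rate": 0.88},
    {"matter_id": "M-2001", "office": "Manchester", "practice_group": "Litigation",
     "hours": 210.0, "phase": "Trial", "fees": 91000.0, "margin": 0.35,
     "profitability": 31850.0, "realization_rate": 0.95},
]

# Field-level policy: an allow-list per role. Anything not listed is hidden,
# so a newly added financial column stays invisible until a role is granted it.
ROLE_FIELDS = {
    "associate": {"matter_id", "office", "practice_group", "hours", "phase"},
    "partner": {"matter_id", "office", "practice_group", "hours", "phase",
                "fees", "margin", "profitability", "realization_rate"},
}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    office: str
    practice_group: str

def apply_rbac(record: dict, role: str) -> dict:
    """Project a record down to the fields the role is allowed to see."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}: access denied")
    allowed = ROLE_FIELDS[role]
    return {k: v for k, v in record.items() if k in allowed}

def apply_rls(records: list, user: User, scope: str) -> list:
    """Row-level filter: keep only matters matching the user's office or practice group."""
    if scope not in ("office", "practice_group"):
        raise ValueError(f"unsupported RLS scope {scope!r}")
    return [r for r in records if r[scope] == getattr(user, scope)]

def query_matters(records: list, user: User, scope: str = "office") -> list:
    """Rows are filtered before fields are projected, so no full record leaves
    this function and a hidden field never leaks through the row filter."""
    return [apply_rbac(r, user.role) for r in apply_rls(records, user, scope)]
```

In a real deployment the same allow-list would be enforced in the query layer (for example as database RLS policies or ORM query scopes) rather than only in application code, so that every access path shares one policy.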

Backups

  • Frequency: Automated daily backups with Point-in-Time Restore (PITR).

  • Retention: 30 days standard retention.

  • Redundancy: Databases are configured with Zone Redundancy to survive data center failures.

  • Protection: Backups are encrypted with the same AES-256 standards as live data.

Data Deletion & Offboarding

Upon contract termination, Narrative AI follows a formal data deletion process:

  • Customer Choice: Customers may request data return or deletion within 30 days of termination.

  • Secure Deletion: All customer data is securely deleted from production systems within 30 days of termination.

  • Backup Purge: Backups containing customer data are automatically purged through the 30-day rolling retention cycle.

  • Written Certification: Customers receive written certification documenting the deletion date and scope.

Appendix A - Data Residency & Subprocessors

Narrative AI engages the following subprocessors to deliver our service. All subprocessors are subject to rigorous security reviews and Data Processing Agreements (DPAs).

Region-Specific Sub-processors

For UK/EU Customers:

Customer Region | Service Layer | Subprocessor | Default | Optional by Preference | Location | Activation Conditions | Compliance
--- | --- | --- | --- | --- | --- | --- | ---
UK/EU | Infrastructure | Microsoft Azure | Yes | No | EU/UK region | Standard deployment path | SOC 2, ISO 27001
UK/EU | Infrastructure | Amazon Web Services (AWS) | No | Yes | EU/UK region | Customer request and contractual confirmation | SOC 2, ISO 27001
UK/EU | AI Inference | Azure OpenAI Service | Yes | No | EU/UK region | Standard deployment path; stateless | SOC 2, ISO 27001
UK/EU | AI Inference | AWS (Bedrock) | No | Yes | EU/UK region | Approved optional; contractual and regional due diligence controls | SOC 2, ISO 27001

For US Customers:

Customer Region | Service Layer | Subprocessor | Default | Optional by Preference | Location | Activation Conditions | Compliance
--- | --- | --- | --- | --- | --- | --- | ---
US | Infrastructure | Microsoft Azure | Yes | No | US region | Standard deployment path | SOC 2, ISO 27001
US | Infrastructure | Amazon Web Services (AWS) | No | Yes | US region | Customer request and contractual confirmation | SOC 2, ISO 27001
US | AI Inference | Azure OpenAI Service | Yes | No | US region | Standard deployment path; stateless | SOC 2, ISO 27001
US | AI Inference | AWS (Bedrock) | No | Yes | US region | Approved optional; contractual and regional due diligence controls | SOC 2, ISO 27001
US | AI Inference | Anthropic PBC | No | Yes | US region | Approved optional (direct API); contractual and regional due diligence controls | Contractual and security due diligence completed prior to activation
US | AI Inference | OpenAI, Inc. | No | Yes | US region | Optional for US customers only; stateless | SOC 2

For Canada Customers:

Customer Region | Service Layer | Subprocessor | Default | Optional by Preference | Location | Activation Conditions | Compliance
--- | --- | --- | --- | --- | --- | --- | ---
Canada | Infrastructure | Microsoft Azure | Yes | No | Canada East region | Standard deployment path | SOC 2, ISO 27001
Canada | Infrastructure | Amazon Web Services (AWS) | No | Yes | ca-central-1 region | Customer request and contractual confirmation | SOC 2, ISO 27001
Canada | AI Inference | Azure OpenAI Service | Yes | No | Canada East (default), US-region fallback | Standard deployment path; Canada East default, US-region fallback for models not available in-region; stateless | SOC 2, ISO 27001
Canada | AI Inference | AWS (Bedrock) | No | Yes | ca-central-1 | Approved optional; Bedrock ca-central-1 is region-matched to Canada | SOC 2, ISO 27001
Canada | AI Inference | Anthropic PBC | No | Yes | US region | Approved optional (direct API); direct API routes via US-region endpoints | Contractual and security due diligence completed prior to activation

Global Sub-processors (All Regions)

Subprocessor | Purpose | Location | Compliance
--- | --- | --- | ---
PostHog, Inc. | Product analytics and user behavior tracking | EU (for EU/UK clients) / US (for US and Canada clients) | SOC 2
Google LLC (Google Workspace) | Email, calendaring, and file collaboration | United States | SOC 2, ISO 27001
Bubba AI, Inc. | Security auditing and penetration testing | United States | SOC 2
GitHub | Code repository & CI/CD | United States | SOC 2, ISO 27001
Slack Technologies, LLC | Team messaging and collaboration | United States | SOC 2, ISO 27001

Appendix B - Feature Specific Security

Secure RFP Ingestion

When users upload RFPs for processing:

  • Files are scanned for malware immediately upon upload.

  • Files are parsed in a sandboxed environment.

  • Original files are deleted according to the client's retention policy.

Last updated