Security at Closeout

Your clients trust you with their settlements.

We protect that trust at every layer of the system. Here's what's in place today, and what we're building toward next.

Today

What's in place today.

Data protection

Identity & access

JWT-based authentication with short-lived access tokens and rotating refresh tokens.
Role-based access control: Firm Admin, Attorney, and Case Manager roles with distinct permissions.
Passwords hashed with bcrypt. Account lockout on repeated failed attempts.

Tenant isolation

Every query scoped by firmId. Enforced in application code on every read and write.
PostgreSQL Row-Level Security policies on every tenant-scoped table — enforced at the database layer, not just the app.
FORCE ROW LEVEL SECURITY enabled: even the database owner must obey the isolation policy.

Audit & compliance

Every mutation logged with actor, timestamp, IP, and full diff. Defensible record under ABA Rule 1.15.
Document handling and storage aligned with HIPAA controls for protected health information.
Signed Data Processing Agreements with every sub-processor.

Roadmap

We don't claim what we don't have. These are the controls actively in motion.

In progress

Built to SOC 2 standards from day one. Audit engagement underway. Status and current trust report available under NDA.

On the roadmap

SAML SSO and TOTP-based multi-factor authentication for firm users. Enterprise tier first; available across plans as the work lands.

Responsible disclosure

Email security@usecloseout.com with details. We acknowledge within one business day and keep you updated through resolution.