Security

Your clients' data lives in your cloud — not on our servers.

This page lays out exactly what IntakeIQ stores, what it never touches, which storage providers are supported, and how account security works. No marketing language — just the architecture.

What IntakeIQ stores — and what it doesn't

STORED

  • Prospect name, contact info, and matter type
  • A 2-3 sentence AI-generated summary
  • Workflow status (pending, approved, signed)
  • File name and storage location pointers — not the files themselves
  • Billing and account information

NEVER STORED

  • Full conversation transcripts (saved to your own storage)
  • Detailed intake summaries with case specifics (saved to your own storage)
  • Signed engagement letters (saved to your own storage)
  • Any client-uploaded document (streamed directly, never written to IntakeIQ's disk)

How your data travels

When a client submits a document or IntakeIQ generates a file (an intake summary, a transcript, a signed engagement letter), it passes through IntakeIQ's servers in transit only. The file is held in memory for the duration of that single request, then uploaded directly to your connected storage provider. Nothing is written to disk on IntakeIQ's infrastructure at any point.

Client device  →  IntakeIQ (in transit only)  →  Your storage

Connected storage providers

IntakeIQ requests the narrowest OAuth scope each provider offers: enough to create and manage the files it creates itself, never broad access to the files already in your account.

Google Drive         drive.file — can only see files it created
Microsoft OneDrive   Files.ReadWrite
Dropbox              files.content.write, files.content.read
Clio                 contacts, matters, documents

Encryption

TOKEN STORAGE

AES-256-GCM

IN TRANSIT

TLS in transit (enforced by Vercel's edge network)

AT REST

AES-256, managed by your storage provider's own infrastructure

Subprocessors

Vendors who may process data as part of delivering IntakeIQ. None of them receive client documents — those go directly to your own storage.

Anthropic   AI intake conversation processing
Supabase    Database, authentication, metadata storage
Resend      Transactional email delivery
Vercel      Application hosting
Stripe      Payment processing
Sentry      Error monitoring (PII stripped before transmission)
Upstash     Message queue for email delivery retries

Account security

  • Two-factor authentication (TOTP) — required for Firm plan, available to all
  • Row-level security on every database table
  • OAuth tokens encrypted at rest with AES-256-GCM, never stored in plaintext

Compliance roadmap

We don't claim certifications we don't hold. Here's where things stand honestly.

SOC 2 Type I             planned
  Targeted as the customer base grows

HIPAA-eligible storage   planned
  Box offers a HIPAA BAA on its Business+ plan; IntakeIQ's Box integration is planned but not yet built

Responsible disclosure

If you believe you've found a security vulnerability in IntakeIQ, please report it to security@useintakeiq.com. We ask that you give us a reasonable window to investigate and address the issue before any public disclosure. We will acknowledge your report and keep you updated as we work on a fix.