Privacy Policy
Effective: February 17, 2026 | Last updated: March 26, 2026
ForensicShield is committed to protecting the privacy and security of all data processed through our platform, including protected health information (PHI). This Privacy Policy describes how we collect, use, store, and safeguard your information.
1. Who We Are
ForensicShield LLC ("ForensicShield," "we," "us," or "our") is a HIPAA-compliant SaaS platform that uses AI to review forensic evaluation reports for courtroom vulnerabilities. We operate as a Business Associate under HIPAA, processing PHI on behalf of covered entities (forensic professionals and their organizations). Our platform is built on AWS infrastructure with a zero-exposure AI architecture.
2. Information We Collect
Account Information
Name, email address, organization name, and professional role. Collected during registration via Clerk (our authentication provider). Clerk receives your email and name only — no PHI.
Uploaded Reports
Forensic evaluation reports (PDF, DOCX, TXT) containing PHI including psychiatric diagnoses, psychological test scores, clinical observations, treatment history, and demographic information. These are encrypted at the application layer before storage.
Analysis Results
AI-generated vulnerability assessments, cross-examination questions, rebuttal suggestions, case law citations, and strength scores. These reference clinical content and are encrypted before storage.
Usage Data
Actions performed within the platform (pages visited, features used, analysis requests). This data is used for service improvement and is never combined with PHI. No report content, patient names, or clinical data appears in usage logs.
Security and Audit Data
IP addresses, user-agent strings, and timestamps are recorded in our audit logs for security monitoring, compliance, and incident investigation as required by HIPAA (45 CFR 164.312(b)). This data is associated with your account actions but is never combined with PHI and is excluded from data exports to protect other users' device fingerprints.
Feedback and Quality Data
If you provide feedback on analysis results (e.g., rating the accuracy of a vulnerability finding), that feedback is collected and aggregated in de-identified form to improve the platform's calibration and accuracy. Individual feedback is never shared with third parties or other users.
Payment Information
Billing is processed by Stripe. ForensicShield does not store credit card numbers, bank account details, or other payment credentials. Stripe receives no PHI.
3. How We Use Your Information
- Provide the Service — analyze reports, generate vulnerability assessments, produce cross-examination prep materials
- Process AI analysis via AWS Bedrock (PHI stays within the AWS boundary)
- Generate exports (PDF, DOCX court preparation packets)
- Process subscription billing via Stripe
- Maintain audit logs as required by HIPAA (45 CFR 164.312(b))
- Improve the platform using aggregate, de-identified analytics (never individual PHI), including calibrating AI accuracy based on aggregated user feedback patterns
- Communicate service updates, security notices, and billing information via transactional email
We do not sell, rent, or share your personal information or PHI with third parties for marketing purposes.
4. HIPAA Compliance
ForensicShield is a Business Associate under HIPAA. We maintain administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR 164.312):
- A signed Business Associate Agreement (BAA) is required before any PHI processing
- All PHI is encrypted with AES-256-GCM using per-organization AWS KMS keys
- Every access to PHI is audit logged with 7-year retention
- PHI is never included in application logs, error messages, or monitoring systems
- Multi-factor authentication and 15-minute session timeouts are enforced
- Row-level security ensures strict organization-level data isolation
For full details on our security architecture, see our Security page and BAA page.
5. AI Data Processing
ForensicShield uses Claude AI for report analysis. In production, all AI inference runs exclusively through AWS Bedrock, which means:
- Your report data never leaves the AWS security boundary during AI processing
- Anthropic (Claude's creator) has zero access to your data — they licensed the model to AWS but cannot see inputs or outputs
- Each analysis is a stateless API call — the AI does not retain, memorize, or learn from your data between requests
- Your data is never used to train or improve AI models
- Anthropic is not a subprocessor — our only subprocessor for PHI is AWS
6. Data Storage and Security
Encryption at Rest: All PHI is encrypted at the application layer using AES-256-GCM before database storage. Each organization has its own AWS KMS customer-managed encryption key. Uploaded files are stored in AWS S3 with SSE-KMS encryption.
Encryption in Transit: All connections use TLS 1.2/1.3 (enforced at the infrastructure layer). Database connections require SSL — the server refuses to start without it in production.
Organization Isolation: Every database query is scoped to your organization. Row-level security policies prevent any cross-organization data access. Each organization's data is cryptographically separated by unique KMS keys.
Access Controls: Role-based access control, MFA required for all users, 15-minute idle session timeout enforced server-side, and API key authentication with timing-safe comparison.
7. Subprocessors
| Service | Purpose | PHI Access |
|---|---|---|
| Amazon Web Services | Infrastructure, storage, AI inference (Bedrock), encryption (KMS), email delivery (SES) | Yes — covered under AWS BAA |
| Clerk | Authentication and user management | No — receives email and name only |
| Stripe | Payment processing | No — no PHI in billing flow |
| Cloudflare | DNS, DDoS protection, CDN | No — routes traffic only, no PHI in transit headers |
| Sentry | Error monitoring and diagnostics | No — PHI scrubbed before transmission via custom middleware |
| CourtListener (Free Law Project) | Case law citation verification | No — receives only case names, citations, and legal references for verification. No PHI is included in lookup queries. |
Anthropic (Claude AI's creator) is not a subprocessor. Their model runs inside AWS Bedrock — Anthropic never receives, processes, or stores your data.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Reports and analyses | Retained until you delete them or request account deletion |
| Audit logs | 7 years (exceeds HIPAA's 6-year requirement) |
| Account data | 90 days after account deletion |
| Database backups | 35 days (point-in-time recovery) |
| AI request/response data | Not retained — stateless processing |
9. Data Deletion
You may request deletion of your data at any time by contacting support@forensicshield.net or through your account settings. You may also export your data at any time using the in-app data export feature. Upon deletion request, we delete all application data (database records, uploaded files in S3, and associated metadata), anonymize audit log entries, and cancel any active subscriptions. Because all PHI is encrypted with your organization's unique AWS KMS key, any residual encrypted data in backups is unreadable without that key and is permanently purged when backups expire (35 days).
Audit logs are retained for the minimum 7-year period as required for compliance, even after account deletion. These logs do not contain PHI (scrubbed by our log middleware).
10. Your Rights
You have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — request correction of inaccurate personal information
- Deletion — request deletion of your data (subject to legal retention requirements)
- Portability — request export of your data in a standard format
- Restrict Processing — request that we limit how we use your data
For PHI-related requests, we will respond in accordance with HIPAA requirements. Contact our Privacy Officer at support@forensicshield.net to exercise any of these rights. We will respond within 30 days.
11. State Privacy Laws
California (CCPA/CPRA): If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act. You have the right to know what personal information we collect, to request its deletion, and to opt out of its sale. We do not sell personal information. To exercise your rights, contact support@forensicshield.net. We will not discriminate against you for exercising your privacy rights.
Other States: Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and others) may have similar rights. Contact us to exercise any applicable rights under your state's law.
12. International Users
ForensicShield is operated from and hosted in the United States. All data is stored and processed within the AWS US-East-1 region. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.
European Users (GDPR): If you are located in the European Economic Area, United Kingdom, or Switzerland, please be aware that ForensicShield processes data under the lawful basis of contractual necessity (Article 6(1)(b) GDPR) and compliance with legal obligations (Article 6(1)(c) GDPR). You have the right to access, rectification, erasure, data portability, restriction of processing, and objection. To exercise these rights, contact our Privacy Officer at support@forensicshield.net. We will respond within 30 days.
13. Children's Privacy
ForensicShield is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information.
Note: Forensic reports uploaded to the Service may contain information about minors who are the subjects of forensic evaluations. This information is treated as PHI and protected under all safeguards described in this policy and the applicable BAA.
14. Cookies and Tracking
Essential Cookies: ForensicShield uses essential cookies required for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled. Session cookies expire after 15 minutes of inactivity.
Functional Cookies: We use optional functional cookies to remember your preferences (such as theme selection and onboarding completion) via browser local storage. These do not track you across sites and contain no personal information or PHI.
We do not use third-party advertising cookies, cross-site tracking, or behavioral targeting. We do not share cookie data with third parties.
Do Not Track: Some browsers transmit a "Do Not Track" (DNT) signal. Because there is no industry-wide standard for how to respond to DNT signals, ForensicShield does not currently alter its data collection or use practices in response to DNT signals. However, because we do not use third-party advertising cookies or cross-site tracking of any kind, our practices are already consistent with the intent of DNT. You can manage your cookie preferences at any time using the "Manage Cookies" link in our footer.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes via email to the address associated with your account. The "Effective" date at the top of this page indicates when the current version took effect. Continued use of the Service after the effective date of updated terms constitutes your acceptance of the changes.
16. Contact
For privacy-related questions, data rights requests, or to report a concern:
ForensicShield LLC — Privacy Officer
Dr. Aubree Harrington
Email: support@forensicshield.net
Security Officer
Steven Harrington
Email: support@forensicshield.net
Sales inquiries: salesteam@forensicshield.net