Security & data handling
Answers to your vendor security review.
These are your prospective clients' confidential communications. Here is what a 2026 law-firm security review usually asks, answered in order.
Who is accountable
Your calls are handled by Intake QA, and we're the single party accountable for them. Your recordings run through our own analysis and transcription models, encrypted in transit and at rest, and are never used to train our models. One person owns your data and your audit: Ali, the founder, ali@plaintiffops.com.
What we need
Recorded intake calls only. Redact names first if you want to.
What we don't need
No signed-client files. No matter documents. No case-management access.
Encryption
Data is encrypted in transit (TLS) and at rest (AES-256). Nothing about your calls travels or sits unencrypted.
Access controls
Firm data is isolated per firm. Access is limited to what's needed to run the service; your confidential audio and transcripts stay inside our systems and are never handed to anyone else.
Retention & deletion
Your audio is deleted the moment it is transcribed, and transcripts and reports are purged within 72 hours of your readout, or immediately if you ask in writing. If you move to a pilot, your data carries over under the pilot agreement, and the same 72-hour purge applies. Your calls are never used to train our models.
Our models
We analyze and transcribe your calls with our own models, over encrypted connections. We do not use your calls, transcripts, or the results to train our models, and we do not sell or share your data. Intake QA does not claim to be SOC 2 certified or HIPAA compliant as a company. We make plain-English commitments and put them in writing.
DPA & NDA
A data-processing agreement (DPA) is available on request, and we'll sign your NDA, or work from your firm's own paper.
Breach notification
If we become aware of a breach affecting your data, we will notify you within 72hours of becoming aware, with what we know and what we're doing about it.
Call recording & consent
Intake QA processes calls your firm already recorded. California is an all-party-consent state (Penal Code §632); your firm is responsible for its consent posture. The compliance page covers the recording and disclosure detail.
This is not legal advice. Your firm and its counsel make the final call on ethics and consent.