Data Commitments
- Zero model training on your data: Harlan does not use your case details, evaluation inputs, or results to train, fine-tune, or improve any AI model. This is a contractual commitment, not just a policy preference. Your data is used solely to generate your evaluation.
- User-controlled data deletion: Delete any evaluation or your entire account at any time. Deletion is permanent and irreversible. No data is retained after deletion except anonymized, aggregated usage metrics.
- No third-party data sharing: Your case inputs and evaluation results are never shared with, sold to, or made accessible to any third party. Only essential subprocessors (listed below) interact with data as required to deliver the service.
- Evaluation data is private to your account: Evaluations are scoped to your authenticated session. No other user can access your case inputs or results. No shared workspace, no cross-user data leakage, no public exposure.
- Attorney-client privilege protection: Harlan is designed to be used as an attorney work product tool. Case evaluations are generated for the attorney's use in formulating legal strategy. We provide technical safeguards and data isolation that support privilege claims.
Encryption and Infrastructure
TLS 1.3 in Transit
All data between your browser and Harlan's servers is encrypted with TLS 1.3. This includes case inputs, evaluation results, authentication tokens, and payment data. Let's Encrypt certificate with automatic renewal.
AES-256 at Rest
All stored data is encrypted at rest using AES-256. Database files, evaluation records, and user credentials are protected even in the event of physical storage compromise.
Isolated Compute
Each evaluation runs in an isolated server-side process. No shared memory between user sessions. Evaluation inputs are processed and discarded from working memory after report generation.
24/7 Automated Monitoring
Automated QA checks run every hour verifying page load, API health, interactive elements, console errors, and data integrity. Issues are detected and resolved within the hour.
CSP and Security Headers
Content Security Policy, HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers enforced via Nginx. Inline script handlers blocked by CSP.
Secure Authentication
Session-based auth with bcrypt-hashed passwords. Google OAuth available. No plaintext credential storage. Rate limiting on login endpoints prevents brute-force attacks.
Infrastructure Details
| Component | Detail |
|---|---|
| Hosting | Dedicated VPS (not shared hosting). US-based data center. |
| Application Server | Node.js with Express, managed via PM2 process manager with automatic restart on failure. |
| Reverse Proxy | Nginx with TLS termination, rate limiting, and security headers (CSP, HSTS, X-Frame-Options). |
| Database | SQLite (server-local, not cloud-hosted). No external database connections. 439+ verified court verdicts. |
| Authentication | Session-based with bcrypt-hashed passwords. Google OAuth supported. No plaintext credential storage. |
| Payments | Stripe (PCI DSS Level 1). Harlan never stores card numbers, CVVs, or full payment details. |
| AI Provider | Anthropic (Claude). Zero data retention policy on API calls. No training on your inputs. |
| Analytics | Plausible Analytics (privacy-focused, no cookies, GDPR-compliant, EU-hosted). |
| SSL Certificate | Let's Encrypt with automatic renewal. TLS 1.3 enforced. |
Data Retention Policy
| Data Type | Retention | Deletion |
|---|---|---|
| Case evaluation inputs | Stored while account is active | Deleted on user request or account deletion |
| Evaluation reports | Stored while account is active | Deleted on user request or account deletion |
| Account credentials | While account is active | Permanently deleted on account deletion |
| Payment records | Managed by Stripe | Subject to Stripe retention + tax law requirements |
| AI API call logs | Not retained by Anthropic | Inputs discarded after response generation |
| Web analytics | Plausible (aggregated, no PII) | No personal data to delete |
| Uploaded files | Stored while account is active | Permanently deleted on user request |
Subprocessor List
Third-party services that may process data as part of delivering Harlan's service.
Access Controls
- Account-scoped evaluations: Every evaluation is tied to a single authenticated account. No cross-account access. No shared evaluation pools.
- Secure password storage: Passwords are hashed with bcrypt (adaptive cost factor). Harlan staff cannot view or recover your password. Reset is available via authenticated email.
- Rate limiting and abuse protection: API endpoints are rate-limited to prevent brute-force attacks, credential stuffing, and abuse. Nginx and application-level protections are active on all endpoints.
- Google OAuth option: Sign in with your Google Workspace account for seamless, password-free access. OAuth tokens are scoped to the minimum required permissions.
Security Roadmap
Planned security enhancements for enterprise and firm clients.
SAML SSO
Single Sign-On integration for firms using Okta, Azure AD, or Google Workspace. Planned for enterprise tier.
Audit Logs
Detailed activity logs showing who accessed what, when. Export-ready for compliance reviews. Coming to Pro and Enterprise tiers.
SOC 2 Type II
Formal SOC 2 Type II audit and certification. In progress. Target completion for enterprise launch.
IP Allow-Listing
Restrict account access to approved IP ranges. Designed for firms with strict network policies. Enterprise tier.