Enterprise by default.

There is no enterprise tier. Every firm gets the architecture the most demanding firm would insist on, because it is the only way Hourglass runs.

  • SOC 2 Type 2

    Independently audited controls for security, availability, and confidentiality. The full report is available on request.

  • CCPA

    California's consumer-privacy law, governing the personal information of the people in your matters.

  • GDPR

    The EU's data-protection regulation, governing how personal data is collected, processed, and stored.

  • HIPAA

    The US health-privacy rule, for matters that carry protected health information.

Your firm's own deployment.

Hourglass runs as a complete, separate installation for each firm: its own application, its own database, its own audit record. This is the only path a request can take through yours.

Another firm

Your firm
  1. Your identity provider

    The only door in. There are no Hourglass passwords to phish or reuse.

  2. A dedicated deployment

    Reached over TLS, running for your firm and no one else.

  3. Your own database

    Encrypted at rest with AES-256. Nothing pooled, nothing shared.

  4. The audit record

    Every access and change, written down where your firm can read it.

Another firm

The wall between firms is not a policy. Every firm runs in its own deployment against its own database, so no query, and no mistake, can cross from one firm into another.

Hosted where your firm chooses

Every deployment is placed for the firm it serves. Your data lives and is processed in the region your firm selects, and nowhere else.

Encrypted throughout

Data is encrypted in transit with TLS and at rest with AES-256, everywhere it moves and everywhere it sits.

SSO, and only SSO

There are no Hourglass passwords to phish or reuse. Access is governed entirely by your firm's own identity provider.

Asked and answered.

Where is our data hosted?

Where your firm chooses. Each firm’s deployment and database are placed in the region the firm selects, and its data is stored and processed there. It is never anywhere else, and never in a database shared with another firm.

How is our firm's data kept separate from other firms'?

Every firm runs in its own deployment with its own database. Nothing is pooled and nothing is shared, so no query, and no mistake, can cross from one firm into another. This is not an enterprise tier; it is the only way Hourglass runs.

How is our data encrypted?

In transit with TLS and at rest with AES-256, everywhere it moves and everywhere it sits.

Who controls access to Hourglass at our firm?

Your identity provider does. Hourglass has no passwords of its own to phish or reuse: access is governed entirely by your firm's SSO, and every access and change leaves a record your firm can inspect.

How long is our data retained?

For as long as your firm wants it. Retention follows your firm's policies, and when the relationship ends, your firm takes a full export and everything is deleted within thirty days.

How do you test your defenses?

Automated vulnerability scanning runs continuously across our infrastructure and dependencies.

What happens if there is a security incident?

Affected firms are notified within 72 hours.

Security questionnaires, documentation requests, and vulnerability reports all reach a person at security@hourglass.law.