Proof Brief

Security

Proof Brief is built so that no one — including us — can access your document text without scanning for citations explicitly.

What leaves your machine

When you click "Scan citations", the visible text of your document is sent to api.getproofbrief.com. We forward citation candidates to CourtListener for verification. We do not store the document text. The text exists in memory only for the duration of the request.

The Proof Brief API runs on Cloudflare Workers. Logs are retained for 7 days for debugging; logs do not contain document text.

What we store about you

We do not store: case names you searched, citation text, document content, IP addresses (beyond rate-limiting purposes for trial signups), or any usage telemetry.

License-cache architecture

Your license is cached on each device for up to 24 hours via the Word add-in's local storage. License changes (cancellation, ban) take effect within 24 hours; this is the offline-tolerance design tradeoff. If immediate revocation is required, contact support.

The cache is per-device — using Proof Brief on a Mac and an iPad means pasting the same key on each device's first launch.

Worker proxy architecture

The CourtListener API token lives in our Worker only. The Word add-in bundle never contains a third-party API token. Authentication from the add-in to our API is via a per-customer license key, which is rate- limited and revocable.

Transport

All connections use TLS 1.2+. Our domains run on Cloudflare's edge network with Universal SSL.

Data residency

The D1 database storing license keys runs in Cloudflare's global network. For customers requiring a specific data residency region, contact us before subscribing — current default is US/EU mixed.

Reporting a vulnerability

Email security@getproofbrief.com or support@getproofbrief.com if you discover a vulnerability. We respond within 2 business days during beta.