Compliance
Bionicly is SOC 2 Type II certified. Our live compliance posture, policies, control mappings, and attestation report are published on our Vanta Trust Center and updated automatically as controls run. Request the SOC 2 Type II report through the Trust Center under NDA.
Security program
The six pillars below are how we think about security internally. Each of them is backed by specific policies, controls, and monitoring that you can inspect on the Trust Center.
SOC 2 Type II
SOC 2 Type II certified. Enterprise-grade security controls for data protection and privacy.
Our audit covers the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Evidence collection runs continuously through Vanta; exceptions are triaged within one business day.
Push-Based Architecture
Your data stays in your environment. Bionicly agents send data outward - nothing penetrates your firewall.
Bionicly connectors initiate every outbound call from your environment to ours. Our services never make inbound connections to your network or open inbound ports on your firewall. This eliminates the inbound attack surface that makes many integrations a liability for firms with strict perimeter controls.
Multi-Tenant Isolation
Complete data segregation with field-level security controls. No data commingling between tenants.
Each customer’s data is stored in a tenant-scoped partition with a unique scope hash baked into every DynamoDB and S3 key. Queries must carry a valid scope token or they return no rows - there is no code path that can read across tenants. Field-level visibility rules layer on top for role-based access control.
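The scoping pattern described above, as an added illustration rather than Bionicly's own code: a scope token is issued to an authenticated tenant session, the storage key prefix is derived only from the verified token (never from a caller-supplied tenant id), and role-based field visibility is applied on top. SCOPE_SECRET, VISIBLE_FIELDS, the token format and the in-memory TABLE are assumptions standing in for a real key store, RBAC rules and DynamoDB.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed demo secret; a real deployment would keep this in KMS/Secrets Manager.
SCOPE_SECRET = b"constructed-demo-secret"

# Hypothetical field-level visibility rules: role -> fields that role may read.
VISIBLE_FIELDS = {"admin": {"client", "amount", "ssn"}, "analyst": {"client", "amount"}}

def scope_hash(tenant_id: str) -> str:
    """Keyed hash of the tenant id; this value is baked into every storage key."""
    return hmac.new(SCOPE_SECRET, tenant_id.encode(), hashlib.sha256).hexdigest()

def issue_scope_token(tenant_id: str) -> str:
    """Token handed to an authenticated session (assumed format '<tenant_id>.<scope_hash>')."""
    return f"{tenant_id}.{scope_hash(tenant_id)}"

def verify_scope_token(token: Optional[str]) -> Optional[str]:
    """Return the scope hash the token proves, or None if it is missing or forged."""
    if not token or "." not in token:
        return None
    tenant_id, mac = token.rsplit(".", 1)
    expected = scope_hash(tenant_id)
    return expected if hmac.compare_digest(mac.encode(), expected.encode()) else None

# In-memory stand-in for a DynamoDB table; every key carries the scope hash as prefix.
TABLE: Dict[str, Dict[str, object]] = {}

def put_item(tenant_id: str, entity: str, entity_id: str, item: Dict[str, object]) -> None:
    TABLE[f"{scope_hash(tenant_id)}/{entity}/{entity_id}"] = item

def query(token: Optional[str], entity: str, role: str) -> List[Dict[str, object]]:
    """Read rows for the tenant proven by `token`, filtered to the role's visible fields.
    The prefix comes from the verified token, not from any caller-supplied tenant id,
    so no argument combination can reach another tenant's partition."""
    scope = verify_scope_token(token)
    if scope is None:
        return []  # no valid token -> no rows
    prefix = f"{scope}/{entity}/"
    allowed = VISIBLE_FIELDS.get(role, set())
    return [{f: v for f, v in item.items() if f in allowed}
            for key, item in TABLE.items() if key.startswith(prefix)]

if __name__ == "__main__":
    put_item("acme", "matter", "1", {"client": "A", "amount": 10, "ssn": "x"})
    put_item("globex", "matter", "1", {"client": "B", "amount": 20, "ssn": "y"})
    print(query(issue_scope_token("acme"), "matter", "analyst"))  # acme rows, no ssn
    print(query("acme.deadbeef", "matter", "admin"))  # forged token -> []
```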
AWS Infrastructure
Built entirely on AWS with serverless architecture: Lambda, API Gateway, DynamoDB, S3, and EventBridge.
Bionicly is hosted entirely in AWS us-east-1 with Lambda, API Gateway, DynamoDB Global Tables, S3, Cognito, and EventBridge. No servers to patch, no persistent instances to compromise. Infrastructure is declared in CDK and versioned in source control.
Dedicated Deployment
For firms requiring isolated infrastructure, we offer dedicated AWS account deployments.
For firms that require fully isolated infrastructure, we offer a dedicated AWS account deployment - the entire Bionicly stack running in a customer-owned or customer-funded account, with networking, IAM, and data residency under your control. Contact security@bionicly.ai for details.
Encryption
Data encrypted at rest and in transit. No data commingling between tenants.
All data is encrypted in transit with TLS 1.2+ and at rest with AWS-managed KMS keys (AES-256). Sensitive fields (PII, credentials) use envelope encryption with customer-scoped data keys. Key rotation follows AWS managed-key defaults.
Sub-processors
We maintain the authoritative list of sub-processors on our Trust Center. Customers can subscribe there to receive notification of any additions. The current core set includes AWS (hosting), Cognito (identity), PostHog and Google Analytics (opt-in analytics), and the data sources you explicitly connect (Salesforce, Microsoft 365, Google Workspace, Dynamics 365, etc.).
Incident response
We maintain a documented incident response plan with defined severity tiers, notification timelines, and post-mortem requirements. For service availability and real-time incident updates, subscribe to our status page. Security incidents impacting customer data are communicated directly to affected customers in addition to status-page updates.
Vulnerability disclosure
If you believe you’ve found a security vulnerability in Bionicly, please email security@bionicly.ai. We commit to acknowledging reports within two business days and will keep you informed as we triage and remediate. Please do not publicly disclose vulnerabilities before we’ve had a chance to address them.
Security questionnaires
For standardized security questionnaires - SIG Lite, CAIQ, the ABA Model Cybersecurity Standards checklist, or your firm’s custom document - email security@bionicly.ai and we’ll turn it around quickly. Many common answers are also pre-populated on our Trust Center.
Data Processing Addendum
Our standard DPA is available on request - see the Data Processing Addendum page or email privacy@bionicly.ai. See our Privacy Policy for how we process personal data.