Security and data handling.

The plaintiff-only data contract is load-bearing. This page documents how we treat customer data, the certifications we hold, and the contractual commitments that back the brand promise.

Encryption

AES-256 at rest, TLS 1.3 in transit. Backups under separate keys.

Access controls

Named on-call rotation; every prod-data access logged and audited.

Retention

Subscription + 90-day grace window. Deletion completed within 30 days.

Export on request

Machine-readable export (JSON + CSV) of every record and every prediction.

Sub-processors

Full list on request. No AI vendors that train on customer data.

Plaintiff-only

Contractually. No carrier-side sales. No carrier-side data ingestion.

Load-bearing trust contract

The plaintiff-only data contract

Predict will never sell to insurance carriers, defense firms, or any defense-side claims operation. This is the load-bearing trust contract of the brand, not a marketing line. It is enforced contractually in every customer agreement and operationally in every data pipeline:

  • No carrier-side sales. Period. Predict has no defense-side product roadmap and no defense-side go-to-market motion. The dataset, the model, and the platform exist for plaintiff PI counsel only.
  • No commingling. Customer case data is segmented per-firm. We do not aggregate one firm's case data into another firm's predictions, and we do not surface one firm's data in any other firm's view.
  • No carrier data ingestion. The training set is plaintiff-side sourced — verdict-and-settlement filings, plaintiff-reported case data, and public PACER records. We will not accept carrier-side data feeds even if offered; the plaintiff-only positioning is asymmetric on the data side as well as the sales side.

Certifications

SOC-2 Type II
Type I available under NDA · Type II report Q4 2026
GDPR-aware
US data residency default · EU residency on request

Predict is preparing for SOC-2 Type II attestation through a Big 4 audit partner, with the report expected in calendar Q4 2026. For procurement reviews that cannot wait for that report, we share the current Type I report under NDA. For partners and customers in the EU, we are GDPR-aware: data residency is US by default, with EU residency available on request.

How customer case data is handled

  • Encryption. Customer case data is encrypted at rest (AES-256) and in transit (TLS 1.3). Backups are encrypted under separate keys.
  • Access. Production case data is accessible only to a named on-call engineering rotation. Customer support staff see metadata only — never the underlying case content. Every production-data access event is logged and audited.
  • Retention. Customer case data is retained for the duration of the subscription plus a 90-day grace window after cancellation, after which it is deleted from primary systems within 30 days and from backups within the next backup rotation.
  • Export. Customer data is exportable on request. The export is in machine-readable formats (JSON + CSV) and includes the full case record plus every prediction the model has produced against the case.
  • Sub-processors. A full list of sub-processors is available on request. Predict does not use AI vendors that train on customer data — model fine-tunes happen against the proprietary dataset only, never on customer inputs.

For your IT / admin review

If your firm requires a security review before enabling Predict, we provide:

  • The SOC-2 Type I report (NDA required); the Type II audit is in progress, with the report expected Q4 2026.
  • A signed Data Processing Agreement (DPA), tailored for EU / California / Texas privacy regimes.
  • A questionnaire-ready security summary covering the SIG, CAIQ, and Vanta-aligned controls.
  • Direct access to a named security contact during the procurement review.

For small firms without a dedicated IT review process, the public information on this page typically suffices for the admin-side go-ahead. For mid-size and large firms, the materials above are designed to clear the security review without requiring a sales conversation — the same way the rest of the product is.

Incident response

Predict commits to disclosure of any security incident affecting customer data within 72 hours of confirmed detection, with the substantive analysis published within 30 days. Every incident is reviewed publicly on the methodology page's changelog — security incidents are treated with the same "in the open" methodology disclosure as model recalibrations.

Reporting a security issue

Security researchers and customers can report suspected vulnerabilities to security@predict.law. We commit to acknowledging reports within one business day and providing a substantive response within 14 days. Researchers who act in good faith under our responsible-disclosure terms (full text available on request) are treated as partners, not adversaries.