Security

Last updated: April 15, 2026

Law firms handle sensitive client information every day. Writ is built with security as a foundation, not an afterthought. This page describes how we protect your data and your clients' data.

Encryption

  • At rest. All form submission data is encrypted using AES-256 before storage. Encryption keys are managed through a dedicated key management service and rotated regularly.
  • In transit. All data transmitted between your browser and our servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints with HSTS headers.
  • Database. Our PostgreSQL database is hosted on Neon with encryption at rest enabled at the infrastructure level, providing an additional layer of protection.

Infrastructure

  • Hosting. The Service runs on Vercel's edge network with automatic DDoS protection, global CDN, and SOC 2 Type II certified infrastructure.
  • Database. Hosted on Neon, which provides automated backups, point-in-time recovery, and network isolation.
  • Authentication. Managed by Clerk, which provides enterprise-grade session management, multi-factor authentication support, and brute-force protection.
  • Payments. Processed by Stripe, a PCI DSS Level 1 certified payment processor. We never store credit card numbers.

Access controls

  • All API endpoints serving form data and submissions are authenticated and scoped to the form owner's organization.
  • Public endpoints (form hosting and submission collection) do not expose any data beyond the published form schema.
  • Internal access to production systems is restricted, logged, and requires multi-factor authentication.

Spam and bot protection

Every form published through Writ includes built-in protection against spam and bot submissions using a combination of CAPTCHA challenges and AI-powered filtering. This runs automatically on all plans, including free.

Data handling

  • Respondent data submitted through your forms is encrypted at rest and accessible only to you through the Writ dashboard.
  • AI processing. When you generate a form, your prompt is sent to our AI providers (Anthropic, OpenAI) for processing. These providers operate under data processing agreements that prohibit them from using your data for model training. Respondent submission data is never sent to AI providers.
  • No selling of data. We do not sell, rent, or share your data or your respondents' data with third parties for marketing or advertising purposes.

Compliance

  • SOC 2. We are pursuing SOC 2 Type II certification and implement controls aligned with the SOC 2 Trust Services Criteria.
  • HIPAA. While Writ is not currently HIPAA certified, we implement technical safeguards (encryption, access controls, audit logging) consistent with HIPAA requirements. If you handle protected health information, contact us to discuss a Business Associate Agreement.
  • State bar rules. Writ is designed to support compliance with attorney advertising and client communication rules. However, you are responsible for ensuring your forms comply with the specific rules in your jurisdiction.

Vulnerability reporting

If you discover a security vulnerability, please report it to security@trywrit.com. We take all reports seriously and will respond within 48 hours. We do not pursue legal action against good-faith security researchers.

Questions

For security-related questions, contact us at:

Writ: security@trywrit.com

© 2026 Writ. All rights reserved.