Security & Confidentiality
Built for legal workflows. Designed with firm trust in mind.
Plain-English answers on how CaseClock handles voice data, time entries, and client information — for lawyers, billing admins, and firm decision-makers.
- ✓ Intentional capture — nothing recorded without your action
- ✓ Audio retained for accuracy — you control deletion
- ✓ No AI training on your voice or client data
- ✓ Lawyer review before anything syncs or exports
- ✓ Encrypted in transit and at rest
Voice and AI handling
How your voice recordings are processed
When you speak a time entry, CaseClock securely transmits your audio to Microsoft Azure for transcription. Recordings are retained within your account so you can refer back to them — and deleted on your request. Audio is never used to train AI.
Audio retained — you control deletion
Your voice recordings are retained permanently by default, so you can refer back to them for context or accuracy. You can delete any recording at any time from within the app.
Never used to train AI models
Audio is never used to train AI models — by CaseClock or by any third party. Data processed via Azure OpenAI is not shared with OpenAI and is processed solely to produce your draft time entry.
Client data is yours alone
Your client names, matter details, billing descriptions, and time entries are never used to train AI models. This data is used only to provide you with CaseClock's service.
Intentional capture
CaseClock records only when you choose to record
CaseClock is not always-on monitoring software. It does not run in the background, read your documents, observe your browser activity, or infer billing entries from ambient device usage. Recording starts when the lawyer taps record. It stops when the lawyer taps stop.
Starts when you record
The lawyer initiates every capture. Nothing is recorded until the lawyer chooses to record.
Stops when you stop
Recording ends when the lawyer taps stop. There is no continuous background audio capture.
No background monitoring
CaseClock does not read emails, documents, browser tabs, or application usage. Only what the lawyer explicitly records is captured.
This is a design choice, not a limitation. Intentional capture means every entry reflects a professional judgment made at the time of capture — not an inference from observed activity. Nothing needs to be filtered out, because only what the lawyer chose to record was ever captured.
Lawyer controls
Nothing is billed until you approve it
Lawyer review is built into the core workflow — not an optional step. Every entry CaseClock produces is a draft. You decide what goes out.
Nothing enters your billing system until you approve
Nothing enters your billing system — not Clio, not any CSV export — until you have reviewed and approved the draft entry. CaseClock does not have a mode that automatically posts billable time.
Encrypted in transit and at rest
Your data is encrypted during transfer and in storage. All connections use TLS. Audio is transmitted over an encrypted connection to Azure OpenAI Services.
Actions logged for accountability
Key events are recorded for accountability, supporting your firm's audit and oversight requirements. Access to firm data is limited to personnel who need it to provide the service.
Infrastructure and data handling
Where your data lives
CaseClock is built on Microsoft Azure infrastructure. Below are the subprocessors we use and our current certification status.
Data Residency
CaseClock stores billing data in the region that matches your account. Canadian client data is stored in Azure — Central Canada. US client data is stored in Azure — Central US.
Voice audio is processed for transcription through Microsoft Azure OpenAI Services (East US 2). Audio is transmitted over an encrypted connection and is retained within your CaseClock account for your reference. You can delete any recording at any time. This applies to all users regardless of account region.
Contact us at legal@caseclock.ai if your firm has specific data residency requirements.
Subprocessors
| Service | Purpose | Location |
|---|---|---|
| Microsoft Azure | Application servers, database (PostgreSQL), and file storage | Central Canada (Canadian accounts) / Central US (US accounts) |
| Microsoft Azure OpenAI | Voice transcription — audio transmitted over encrypted connection, retained for user reference, not used to train AI models | Azure — East US 2 |
| Vercel | Application hosting and edge delivery | Global CDN with regional controls |
| Resend | Transactional email delivery (account confirmations, notifications) | United States |
Certification Transparency
CaseClock has not completed SOC 2 Type II, HIPAA, or GDPR certification as of this writing. We are committed to implementing and documenting the security controls that matter most to legal practices.
If your firm requires specific certifications, please contact us to discuss your requirements and our roadmap.
Security Questions
Yes. CaseClock retains your audio recordings permanently by default, so you can refer back to them for context or accuracy. You can delete any recording at any time from within the app. Audio is never used to train AI models — by CaseClock or by any third party.
No. Your client names, matter details, billing descriptions, and time entries are never used to train AI models. This data is used only to provide you with CaseClock's service.
No. Nothing enters your billing system — not Clio, not any CSV export — until you have reviewed and approved the draft entry. CaseClock does not have a mode that automatically posts billable time.
If you cancel your CaseClock account, you can request deletion of your data by contacting legal@caseclock.ai. We will process your deletion request in accordance with our privacy policy.
Access to firm data is limited to CaseClock employees and contractors who need it to provide the service. Access controls and audit logging are in place. We do not sell or share your data with third parties outside of the subprocessors listed on this page.
CaseClock encrypts data in transit and at rest, stores client data in your jurisdiction (Canada or US), requires lawyer review before any entry syncs or exports, and does not use client data to train AI models. These are product behaviors — whether they satisfy your jurisdiction's specific professional responsibility requirements is a legal question you should evaluate with reference to your state bar or law society guidance.
Ethics & Jurisdiction
How CaseClock handles lawyer oversight
CaseClock is a tool lawyers use to capture and review time entries. The workflow is built around intentional, lawyer-controlled actions at every step — from recording to review to export. No entry leaves a draft state without explicit lawyer approval.
US Lawyers
US lawyers using cloud-based tools are required to understand and apply reasonable security measures for client data. CaseClock encrypts data in transit and at rest, stores US client data in US Azure regions, and requires lawyer review before any entry syncs or exports. Consult your state bar association’s guidance on cloud services and AI for requirements specific to your jurisdiction.
Canadian Lawyers
Canadian lawyers using cloud-based tools must take reasonable steps to protect client confidentiality. CaseClock stores Canadian client data in Canadian Azure regions, encrypts data in transit and at rest, and does not use client data to train AI models. Consult your provincial law society for guidance on technology use and client confidentiality requirements in your jurisdiction.
This section describes product behavior and is informational only. It does not constitute legal advice. Lawyers are responsible for evaluating whether any tool meets their professional obligations in their jurisdiction.
Responsible Disclosure
Found a potential security issue? We take responsible disclosure seriously.
View our Security Policy and Responsible Disclosure program →
Ready to see how CaseClock works for your firm?
Start a free 45-day trial, or contact us with specific security or compliance questions.