A one-page confidentiality brief for procurement, IT, and managing partners. The marketing pitch lives at /for-law-firms; this page covers the data handling specifics.
Last updated: 16 May 2026
What leaves the device
Sortio is a matter-centric file organizer that runs on the lawyer's or paralegal's Mac. When a sort is run with the default cloud AI provider selected, the following information is transmitted to Sortio's classifier service and forwarded to OpenAI for inference:
Filenames of the files being sorted.
Source and candidate destination folder paths.
The user's prompt and our system prompt.
For the Clio integration, matter metadata: display number, description, client and party names, and assigned attorney.
What does not leave the device
File contents, by default. Content-based sorting and entity extraction are off until explicitly enabled.
The full matter list. Only the metadata fields above are sent, not custom fields, billing entries, or related documents.
Long-lived Clio access tokens. They are stored on the user's machine and only seen by our servers at the moment of OAuth callback and during token refresh; they are never used by Sortio's servers to read documents autonomously.
Anything at all, if the user chooses a local LLM (Ollama). In local mode, no matter metadata or filenames transit Sortio's servers.
OpenAI: United States. API content is not used to train OpenAI models per their API terms. Retention at OpenAI is short term for abuse prevention.
Sortio retains classifier prompts for up to 30 days for service operation and debugging. After that window, client names and matter party names are redacted before any longer-term retention.
Anthropic: only if the firm supplies its own API key via BYOK; data is then processed under the firm's contract with Anthropic.
Confidentiality controls
Encryption in transit. TLS 1.2 or higher between the desktop app, Sortio's API, and OpenAI.
Encryption at rest. Neon Postgres and Google Cloud Storage default encryption.
Access control. Least-privilege production access; reviewed quarterly.
Local-first defaults. File contents are not transmitted unless the firm explicitly enables a content-based feature.
Audit trail. Every sort produces a preview that the user must approve, plus an in-app history record that the user can review and revert.
Opt-out paths
Local LLM (Ollama). Switch the provider under Settings > AI to Ollama. Filenames, paths, and prompts then stay on the machine.
Bring Your Own Key. Use the firm's Anthropic or OpenAI API key so inference happens under the firm's contract.
Rule Builder. Use deterministic, AI-free rules for matter folder routing.
Content sorting off. Keep AI sort to filenames and folder paths only.
Deletion
On account deletion or DPA request, Sortio deletes classifier prompts, account records, and Clio tokens within 30 days. Documents previously uploaded into Clio remain in Clio under the firm's account; they are not stored by Sortio.
What we cannot offer
HIPAA Business Associate Agreements. Sortio is not HIPAA-compliant. Files containing protected health information should not be processed.
SOC 2 attestation today. A SOC 2 Type 1 audit is on our 2026 roadmap. Until it completes, our controls are documented in the Security and DPA pages.
Procurement contacts
For procurement, security questionnaires, signed DPAs, and technical security questions: marcus@getsortio.com.