Security

Data in transit is served over HTTPS through Cloudflare. Application records live in Cloudflare D1 and generated files may live in Cloudflare R2. Application secrets and integration tokens are stored as Cloudflare Worker secrets, not committed to source control. We avoid logging secrets, access tokens, and full intake payloads.

Production runs on Cloudflare Workers with D1 for relational data, R2 for object storage, and Workers KV for edge configuration. The D1 database uses a primary database instance unless read replication is explicitly enabled. Cloudflare's edge network may process requests globally; jurisdiction-specific residency requirements should be handled in the statement of work before onboarding.

We export database snapshots before production schema changes and keep a restore path for operational mistakes. Generated Practice Audit PDFs and public assets may be stored in R2. If a client needs a separate retention, backup, or deletion policy, it should be listed in the engagement terms.

We use the following subprocessors to deliver our service:

Cloudflare — application hosting, edge cache, D1 database, R2 object storage, KV, Turnstile bot protection, Access SSOStripe — payment processing for Practice Audit and PreviewResend — transactional email (intake confirmations, audit delivery, receipts)HubSpot — CRM for inquiry tracking and pipeline managementAnthropic — model API used in the audit-generation pipeline when automation is enabled; prompts should exclude privileged communications and matter strategy

Production access is limited to authorized operators. Application changes ship through version-controlled deploys. Third-party integration tokens are rotated on offboarding and on any suspected exposure. If additional client-side approval, named-user access, or audit-log export is required, we document that during onboarding.

In the event of a confirmed incident affecting a firm's data, we will notify the firm's primary contact in writing without undue delay. The notice will describe what data was accessed, the time window of exposure, what is known about the actor, and the remediation steps underway. Engagement-specific notification timelines can be added to the contract when required.

We collect only what we need to operate the firm's website and intake stack. Public intake forms should avoid requesting privileged communications or legal strategy. See /malpractice for the data-boundary detail.

Email security@peakleverage.com with details. We acknowledge within one business day and patch confirmed issues on a severity-weighted timeline (critical: 24 hours; high: 7 days; medium: 30 days).