1. Overview
Sque complies with major regulatory frameworks and provides governance features for data management—including retention policies, secure deletion, litigation holds, and break-glass emergency access procedures.
2. Regulatory Compliance Standards
Sque meets standards for:
1. SOC 2 Type II Compliance
- Third-party audit of security controls
- Annual audit and continuous monitoring
- Controls addressing access control, encryption, audit trails
2. GDPR Compliance (European Firms)
- Data Processor Agreements in place
- Data residency options (EU GCP regions)
- GDPR rights implementation (data access, deletion, portability)
- Privacy by design principles in system architecture
3. HIPAA-Ready Architecture
- For firms handling health information
- Encryption and access controls meet HIPAA standards
- Business Associate Agreements available
4. Professional Liability Insurance Support
- Security architecture meets insurance carrier requirements
- Audit logs support professional responsibility compliance
- Breach notification procedures documented
3. Data Retention and Lifecycle Management
1. Retention Policy Definition
- Specify retention periods by document type (e.g., keep contracts for 7 years after termination)
- Specify retention periods by matter type (litigation matters retained 5 years after closure)
- Specify default retention periods for documents without specific policies
2. Automatic Retention Tracking
- System tracks document creation date and matter closure date
- System automatically identifies documents approaching retention expiration
- System alerts administrators to upcoming deletions
3. Secure Deletion
- Upon retention expiration, documents are securely deleted (not just marked as deleted)
- Deleted data cannot be recovered
- Deletion is logged and audited
4. Litigation Hold
- When litigation is anticipated or pending, documents can be placed on litigation hold
- Documents on litigation hold are not automatically deleted despite retention period expiration
- Hold can be released after litigation concludes
4. Emergency Access (Break-Glass Procedures)
In emergency situations where immediate access to locked information is required:
1. Emergency Access Request
- Employee requests emergency access through designated process
- Request specifies reason for emergency access
- Request is evaluated by authorized approver
2. Approval Process
- Approver (typically managing partner) evaluates legitimacy of emergency
- Approval grants temporary access to specified documents
- Access is immediately logged with emergency designation
3. Post-Access Accountability
- Emergency access is reviewed within specified period (e.g., 48 hours)
- Proper authorization for access is validated
- Unnecessary emergency access is investigated
- All emergency accesses are reported to firm leadership
5. Example Emergency Access Scenario
An attorney becomes incapacitated and a client has an urgent court deadline. The client matter is assigned to a different attorney, but the original attorney's notes are marked as confidential (personal attorney work). Emergency access request:
- Managing partner receives emergency access request from client
- Evaluates legitimacy (client has genuine urgent need)
- Grants temporary access to original attorney's confidential notes
- Documents access in audit log with "emergency access - incapacitation" designation
- Within 48 hours, reviews whether emergency access was appropriate
Frequently asked questions
Each firm operates in an isolated tenant environment with tenant-specific encryption keys. Firm databases are completely separate with no shared tables or cross-firm data access—even through system error or vulnerability.
All data is encrypted in transit using TLS 1.2+ and at rest in databases and Briefcase. Encryption keys are stored in a separate key management system, never alongside encrypted data, with access restricted to authorized personnel.
Sque meets SOC 2 Type II compliance with annual third-party audits, GDPR compliance for European firms with data residency options, HIPAA-ready architecture for health information, and security architecture supporting professional liability insurance requirements.
When conflicts are identified, conflicted attorneys are automatically prevented from accessing adverse matters. The system screens email and chat communications, removes conflicted attorneys from adverse matter distributions, and logs and reports any wall violation attempts.