BIA Edge

Security and Confidentiality

Last updated: June 28, 2026

BIA Edge is built for immigration-law research by attorneys and other legal professionals. That means privacy and security controls must fit professional use, not only ordinary website browsing.

BIA Edge is not currently SOC 2 certified. The security program is being formalized toward SOC 2 Type I readiness, starting with the Security and Confidentiality trust-services categories.

Current Commitments

  • BIA Edge does not sell user data.
  • BIA Edge does not use account data, saved searches, access-request messages, API requests, or MCP queries to train foundation models.
  • Marketing analytics are not loaded on privacy, security, terms, MCP access, MCP documentation, API, or authenticated/private-account surfaces.
  • Operational logs are minimized and ordinarily retained for no more than 90 days unless needed for security, abuse, reliability, access-dispute, or legal reasons.
  • Existing MCP/API users will not be cut off by a security migration without a compatibility period and explicit cutoff approval.

Access Controls

Browser access uses account authentication with secure, HTTP-only cookies where configured. Public registration is closed. Optional TOTP multi-factor authentication is available for user accounts. Cookie-authenticated mutation requests from the browser are protected by a same-origin check.

MCP access is authenticated by sign-in/OAuth where configured or by issued API key. Per-user API and MCP keys are stored as hashes, can be scoped, expire, and can be revoked without changing another user's access. Existing static keys remain during migration. API keys and MCP credentials should be treated like passwords and kept out of source code, chat logs, screenshots, and shared documents.

MFA is optional for ordinary users at launch. Admin and production access will move toward stronger requirements, including MFA or SSO where supported.

Private Attorney Use

Attorney-private use should avoid unnecessary client identifiers. BIA Edge is a legal-source retrieval layer: it returns cases, statutes, agency guidance, public legal records, and citation information. It is not a secure client file system, case-management system, or law-firm document repository.

For confidential client work through MCP, use an AI client account whose terms support professional confidential use, such as an enterprise or no-training plan. Your AI client may process prompts, tool calls, and tool results under that client's own terms and privacy policy.

Data Minimization

BIA Edge keeps operational metadata needed to authenticate access, prevent abuse, debug failures, and understand reliability. Sensitive attorney research text should not be stored in internal diagnostic logs unless a specific feature requires it and the retention basis is clear. Private-library search logs use non-reversible query fingerprints, and structured operational logs pass through a redaction processor for common secrets and client identifiers.

Public Legal Records

The BIA Edge library is built from public legal materials. Public records may contain names, docket facts, and agency or court details because the source published them. If you believe a record should be restricted or reviewed, email the source URL, BIA Edge document identifier, and concern to chris@chrishammondlaw.com.

Subprocessors

BIA Edge uses service providers for hosting, managed databases, identity, email delivery, source hosting, software development, and public-page analytics. The current subprocessor register is maintained internally as part of the SOC 2 readiness package and will be published before paid firm-wide access is generally available.

Security Reports

To report a vulnerability or security concern, email chris@chrishammondlaw.com with "BIA Edge security report" in the subject line. Do not include exploit details or confidential client information in a public forum.

Related Policies

See the Privacy Policy, Terms of Service, and AI Disclaimer for the broader product terms and AI-use boundary.