← Home Pre-Demo READ ME Enhanced Glossary Pre-Flight Demo

Security & HIPAA Architecture

Signal Loom Legal Pre-Flight™ · Version 1.0 · 2026-04-16
Classification: Confidential · Attorney-Client Privilege · Work Product

Purpose: Defines security architecture for Signal Loom Legal Pre-Flight. Maps HIPAA compliance requirements layer by layer. Defines data isolation model, access controls, and deployment posture for WA State law offices.
Status: Pre-production · Pilot deployment pending · Full production hardening roadmap defined

§1 — Overview: Three Deployment Models

This document defines three deployment models for Signal Loom Legal Pre-Flight. Each model represents a different trade-off between HIPAA compliance obligations, infrastructure complexity, and security posture. The model selected depends on the firm's existing infrastructure and risk tolerance.

Model A — Attorney-Local

Data never leaves the attorney's infrastructure. No PHI on Signal Loom systems.

No BAA Required

Best for: Firms with existing HIPAA-compliant infrastructure

Model B — HIPAA Cloud + BAA

Signal Loom's HIPAA-configured cloud. Full SaaS. BAA required and provided.

BAA Required

Best for: Firms wanting managed infrastructure with HIPAA compliance

Model C — Zero-Knowledge

Client-side encryption. Signal Loom cannot read data in any form.

No BAA Required

Best for: Highest security requirements, government-adjacent clients

§2 — Authentication & Access Control

Current State

MFA (Multi-Factor Authentication): TOTP-based MFA required for all user accounts. Second factor via authenticator app or hardware token.
JWT Tokens: Bearer token authentication with 24-hour expiry. Refresh token rotation with 7-day absolute lifetime.
Role-Based Access: Role model implemented with role_id and permissions JSON. Roles: attorney (full), paralegal (read/write on assigned cases), readonly (audit only).
API Key Auth: For programmatic access. SHA256-hashed key IDs. Keys stored hashed in database.

Production Target

Hardware MFA (YubiKey): FIDO2/WebAuthn hardware security keys as primary MFA. Phishing-resistant. Required for admin access; strongly recommended for all users.
RBAC Enforcement: Role-based access control enforced at every API endpoint. No endpoint bypasses auth middleware. Attribute-based access control (ABAC) for fine-grained case-level permissions.
Session Management: Concurrent session limits per role. Automatic session termination on suspicious activity. Full session audit trail.

§3 — Encryption

Encryption at Rest

Current: AES-256 field-level encryption. Specific PHI fields encrypted individually. Field-level approach protects data if other fields are compromised.

Production Target: Per-tenant encryption keys. Each law firm has its own unique encryption key. Key held in attorney-controlled KMS (Model C) or Signal Loom-managed HSM (Model B). No cross-tenant key sharing possible.

Algorithm: AES-256-GCM with random IV per encryption operation. Key derivation: HKDF with per-record salt. Key rotation: annual mandatory rotation with 90-day re-encryption window.

Encryption in Transit

Current: TLS 1.3 enforced on all connections. Certificate pinning for mobile clients. HSTS (HTTP Strict Transport Security) with 1-year max-age.

Production Target: TLS 1.3 with certificate pinning on all clients. Certificate Transparency logs monitored. Post-quantum key exchange consideration for long-term secret protection.

§4 — PHI Scope & Data Minimization

PHI Minimization Strategy

Signal Loom Legal Pre-Flight does NOT store raw medical records. The system stores a structured digest — a summary of clinical facts extracted from the records.

Stored (digest only): Case type, jurisdiction, injury descriptions, provider names (not full addresses), treatment dates (not times), diagnoses (coded), deviation flags, attorney work product notes.

NOT stored: Full medical records, imaging files, audio files (transcribed and discarded), Social Security numbers, driver's license numbers.

De-identified analytics: Usage analytics are maintained separately from case data. Analytics contain no PHI. Used for product improvement only.

§5 — Audit Logging

Requirement	Current State	Production Target
Log scope	Per-action logging with user ID, timestamp, IP, action type, data accessed	Immutable append-only logs. No delete or modify operations permitted on log entries.
Log integrity	Logs stored in append-only database table	Cryptographic integrity hash per log entry (SHA-256). Tampering detectable via hash chain verification.
Retention	Duration not formally defined	6-year minimum retention (HIPAA minimum). Logs retained in geographically separate storage with 30-day hot cache.
Access	Attorney-owned data: attorney has read access to their own case audit logs	Attorney-owned audit trail. Signal Loom staff access requires explicit written authorization from attorney. All access logged.
Alerting	Basic error logging for system health	Real-time alerting on anomalous access patterns (multiple failed auth, access outside business hours, bulk data export).

§6 — Data Portability & Deletion

Attorney-Controlled Export

Current: Attorney can export their case data in structured JSON format. Export requires active MFA session.

Production Target: One-click full case export including all Pre-Flight analysis output, flag history, and audit log entries. Format: portable JSON + PDF report bundle. Export is attorney-initiated, self-served, no Signal Loom staff involvement required.

Cryptographic Erasure on Attorney Deletion

When an attorney deletes their account or a specific case:

Attorney initiates deletion via authenticated request
System marks all associated records as deleted (soft delete in primary DB)
Encryption key for that tenant/case is scheduled for destruction
Key destroyed within 24 hours (cryptographic erasure)
All backups containing associated data scheduled for key destruction at next backup rotation
Hard delete from primary storage after backup rotation cycle
Audit log entry created documenting deletion with timestamp and actor

No soft delete recovery: After cryptographic erasure, there is no recovery path. This is intentional — it protects the attorney from both accidental and coerced data recovery.

§7 — Breach Notification

SLA commitment: Signal Loom will notify affected attorneys within 24 hours of confirmed breach of unsecured PHI. Notification includes: nature of breach, types of PHI involved, steps taken to contain breach, remedial measures recommended.

Attorney's obligation: The attorney, as a business associate or covered entity depending on deployment model, has independent breach notification obligations to HHS and affected individuals. Signal Loom's 24-hour notification gives the attorney time to fulfill their regulatory obligations.

Incident response plan: A documented incident response plan is maintained and tested annually. Includes: breach confirmation criteria, containment procedures, forensics protocol, notification procedures, post-incident review.

§8 — HIPAA Mapping

HIPAA Requirement	Implementation	Model A	Model B	Model C
§164.308(a)(1) Security Management Process	Risk analysis + risk management plan. Annual review.	✓	✓	✓
§164.308(a)(3) Workforce Security	Role assignment, access authorization, termination procedures.	✓	✓	✓
§164.308(a)(5) Security Awareness Training	Annual training required for all staff with PHI access.	✓	✓	✓
§164.312(a)(1) Access Control	Unique user IDs, automatic logoff, encryption/decryption.	✓	✓	✓
§164.312(b) Audit Controls	Hardware, software, procedural mechanisms to record access.	✓	✓	Limited
§164.312(c)(1) Integrity	Authenticate ePHI. Mechanism to authenticate data.	✓	✓	✓
§164.312(e)(1) Transmission Security	TLS 1.3. Encryption in transit.	✓	✓	✓
§164.400 HIPAA Breach Notification Rule	24-hour notification SLA to downstream covered entities.	N/A (no PHI)	✓	N/A (no PHI)

§9 — Production Hardening Roadmap

Phase 1 — Pre-Pilot (Current)

MFA enforced on all accounts
TLS 1.3 on all connections
Field-level AES-256 encryption
Audit logging implemented
Attorneys can export and delete their data

Phase 2 — Pilot (90 days post-signing)

YubiKey MFA enrollment for pilot attorneys
Per-tenant encryption key implementation
Immutable audit log with hash chain verification
Hardware security module (HSM) key storage (Model B)
Zero-knowledge encryption client (Model C)
Attorney-controlled key export/storage (Model C)

Phase 3 — Production (Post-Pilot)

Annual third-party penetration testing (accredited firm)
SOC 2 Type II certification
Real-time anomalous access alerting
Automated key rotation with zero downtime
Cross-region backup with cryptographic verification
Post-quantum cryptography readiness review

§10 — Limitations & Known Gaps

PHI minimization is architectural, not absolute: The digest contains some PHI (name, injury description, provider names). The attorney must treat this as PHI in all handling.
No PHI on Signal Loom is Model C only: Models A and B involve PHI on Signal Loom systems. The BAA (Model B) addresses this. Model A relies on the attorney's infrastructure controls.
No HIPAA certification: Signal Loom is not HIPAA-certified. HIPAA compliance is the attorney's obligation as a covered entity or business associate. Signal Loom provides the tools and architecture; compliance is determined by use.
Audit log access by Signal Loom staff: In Models A and B, Signal Loom engineering staff theoretically have access to encrypted PHI for debugging and support. Model C eliminates this by design. Model B uses formal access control + audit logging to limit this exposure.
No formal BAA with cloud provider in Model A: Model A relies on the attorney's BAA with their cloud provider. Signal Loom has no visibility into whether this BAA is in place.
No automated compliance reporting: Production target includes annual SOC 2 Type II; currently no third-party compliance attestation.

⚠️ Important: This document describes a pre-production security architecture. Actual compliance depends on deployment model, configuration, and ongoing security maintenance. This document does not constitute legal advice and does not create an attorney-client relationship. Consult qualified HIPAA counsel before deploying any system that handles Protected Health Information.