Security
Roadmap handles sensitive legal documents, confidential business information, and privileged attorney‑client communications. This page describes our security posture at the level of specificity that a client’s IT or legal team would need for vendor due diligence. We commit only to controls we have actually implemented and note known gaps honestly. For our full data handling practices, see our Privacy Policy. For the engagement terms governing your data, see our Terms of Service.
1. Overview & Security Posture
Roadmap is a Slack‑first, cloud‑native legal services platform built on a small set of well‑audited sub‑processors. We do not operate our own data centers. Our security approach is: (a) choose sub‑processors with strong independent certifications, (b) enforce least‑privilege access within those systems, (c) segregate every client into their own Slack channel and Drive folder at the infrastructure level, and (d) route all AI processing through Perplexity’s Enterprise plan, which carries zero‑retention and no‑training commitments.
We are not currently SOC 2 certified. Vendor due diligence questionnaires are available on request. For enterprise security review or DPA, contact support@useroadmap.co.
1.1 At‑a‑glance
All client data in transit is encrypted with TLS 1.2 or higher; all client data at rest in Google Drive is encrypted with AES‑256; payment card data is tokenized by Stripe, which is PCI‑DSS Level 1 certified, and never touches Roadmap systems; all production secrets are stored encrypted in Vercel environment variables; multi‑factor authentication is enforced on every Roadmap admin account. See §4 (Encryption) and §5 (Access Controls) for full detail.
2. Where Your Data Lives
All client data is stored in U.S. data centers operated by our named sub‑processors. No EU, APAC, or other‑region storage is used for client data today.
The complete, current sub‑processor list — with the name and legal entity of each sub‑processor, the purpose for which we use it, the data categories processed, the region, and key certifications and commitments — is maintained as the single source of truth in our Privacy Policy §7. We update that table whenever a sub‑processor is added, removed, or materially changed, and we notify clients of material new sub‑processors at least 30 days before activation.
This page describes the security architecture, encryption, and access controls applied across those sub‑processors. Security documentation for each named sub‑processor is linked in §11 below.
3. Data Segregation
Per‑client Slack channel. Each client is provisioned a dedicated, private Slack channel in our workspace. Channel membership is the access‑control boundary. Messages and files in your channel are visible only to explicitly invited members on both sides of the channel (Roadmap team members assigned to your engagement and client‑side participants you have invited). No client can access another client’s channel.
Per‑client Drive folder. Each client receives a dedicated Google Drive folder at the path Clients/<Tier>/<client‑slug>/. The folder is shared with the client as Commenter and is managed by our service account. No cross‑pollination between client folders occurs; the service account’s access is scoped to /Clients/ only (see §5 below).
Ava scope. Ava, our AI agent, is scoped to a single client’s Slack channel and Drive folder per invocation. She does not have access to other clients’ channels or folders and cannot be asked to retrieve or reference another client’s data.
Subscription separation. For clients holding both a legal subscription (Roadmap Counsel or Roadmap Personal) and an advisory subscription (Roadmap Operator), information generated under the legal subscription is segregated from advisory‑only information through the per‑engagement channel and folder structure. Attorney‑client privilege applies only to legal subscription communications. See our Attorney‑Client Privilege page.
4. Encryption
4.1 In Transit
TLS 1.2 or higher is enforced for all client‑facing surfaces — slack.com, drive.google.com, notion.so, useroadmap.co (Vercel), and billing.stripe.com. All inbound webhooks (Stripe, Slack) are received over HTTPS and signature‑verified before processing.
4.2 At Rest
- Slack: Slack’s standard encryption at rest applies. Slack Enterprise Key Management (EKM) is not currently enabled on our workspace; this is a known gap.
- Google Drive: Standard Google AES‑256 encryption at rest for all files in client Drive folders.
- Stripe: Encrypted at rest per PCI‑DSS Level 1 requirements; card data is tokenized and never stored on Roadmap systems.
- Vercel: Application data and function execution environments are encrypted at rest per Vercel’s SOC 2 Type II‑covered infrastructure. Secrets (environment variables) are stored encrypted in Vercel’s secrets management system.
5. Access Controls
5.1 Admin Accounts — MFA Enforced
All Roadmap admin accounts are protected by multi‑factor authentication: Google Workspace 2‑Step Verification (2SV) is required for all accounts in our Google Workspace domain; Slack 2FA is required for all Roadmap‑side Slack members. MFA cannot be bypassed for new logins to either system.
5.2 Google Drive — Service Account and Domain‑Wide Delegation
Drive folder provisioning and file management use the GCP service account roadmap-app-drive@roadmap-app-497521.iam.gserviceaccount.com, which has domain‑wide delegation (DWD) scoped to impersonate support@useroadmap.co only. The service account’s Drive access is restricted to the /Clients/ folder hierarchy; it cannot access other Drive content in the domain. The GCP service account JSON key is stored encrypted; it is not committed to source control.
5.3 Stripe — Restricted Key Access
Our Stripe integration uses a restricted API key for the webhook handler, scoped to only the event types required for subscription provisioning. The full Stripe secret key is held only in Vercel production environment variables (encrypted at rest) and is not exposed to client‑side code or committed to source control.
5.4 Slack Bot — Scoped OAuth
The Roadmap Slack bot is installed via a per‑workspace OAuth flow with the minimum necessary scopes (including channels:read, chat:write, files:read, and others required for channel management and Ava invocations). The bot does not have workspace‑admin or DM‑read permissions. Bot tokens are stored as encrypted Vercel environment variables.
5.5 Principle of Least Privilege
Roadmap team members are added to a client’s Slack channel and given access to the corresponding Drive folder only when assigned to that engagement. Access is removed when the assignment ends. No team member has standing access to all client channels or all client Drive folders.
5.6 Personnel
Roadmap team members with access to client engagements are bound by written confidentiality obligations that survive termination of their engagement with Roadmap. Roadmap attorneys are additionally bound by applicable rules of professional conduct, including the duty of confidentiality under NY RPC 1.6 and the supervision duties under NY RPC 5.1 and 5.3. New team members complete an onboarding review of Roadmap’s security and confidentiality policies, including this Security page and the Privacy Policy, before being added to any client channel.
6. AI & Ava Security
Roadmap does not use Client Content to train, fine‑tune, or otherwise modify any AI model — whether operated by Roadmap, by Perplexity, or by any third‑party model provider — unless Client has expressly authorized that specific training activity in a signed writing referencing this commitment.
Ava’s scope. Ava operates within a single client’s Slack channel and Drive folder. She is invoked by @‑mention, the /ask command, or thread replies in the client’s private channel. She cannot access other clients’ channels or Drive folders.
What is sent to Perplexity. When Ava answers a question, the relevant Slack thread context and cited sources for that specific invocation are sent to Perplexity Sonar (Enterprise). No persistent client data is maintained at Perplexity.
Perplexity Enterprise plan — no‑training and zero‑retention commitment. Roadmap uses Perplexity’s Enterprise plan, which commits Perplexity to: (a) zero retention of customer inputs and outputs for model training purposes; (b) no use of customer data to train, fine‑tune, or improve models; and (c) only standard short‑window operational retention for abuse and safety review purposes. These commitments apply to all underlying model providers that Perplexity routes to.
No direct model provider accounts. Roadmap does not hold direct API accounts with OpenAI, Anthropic, or any other foundation model provider. All model access is mediated through Perplexity’s Enterprise plan. The no‑training and zero‑retention guarantees apply transitively through that routing.
Attorney supervision. Ava does not give legal advice. All legal work product is subject to attorney supervision per Terms of Service §3.4 and NY RPC. Ava cites sources for every answer. AI processing is integral and native to the Roadmap service; there is no AI‑free version (see Terms of Service §3.4). Clients who can no longer accept AI processing may cancel under Terms of Service §5 and Module M‑SUB.5; cancellation does not give rise to a refund or proration of fees already paid (Module M‑SUB.6) and does not excuse any unpaid installments or the cumulative discount clawback under an Annual Commitment Plan (Modules M‑SUB.4 and M‑SUB.6).
6A. Incident Response & Breach Notification
Roadmap maintains a written incident‑response runbook covering detection, triage, containment, eradication, recovery, and post‑incident review for security events affecting the Roadmap platform. Sub‑processor‑side incidents are handled in coordination with the affected sub‑processor under that sub‑processor’s own incident‑response program (Slack, Google Workspace, Notion, Stripe, Vercel, Perplexity, GitHub).
Notification. In the event of a confirmed security incident that compromises the confidentiality, integrity, or availability of Client personal data, Roadmap will notify affected Clients without unreasonable delay and within the timeframes required by applicable law, by email to the Client’s account contact and, where the incident affects a specific engagement, by message in the Client’s Slack channel. The notification will describe the nature of the incident, the categories of data affected (to the extent then known), the steps Roadmap is taking, and the recommended steps for the Client. Roadmap will continue to update affected Clients as material new facts become available. This commitment mirrors §12.1 of our Privacy Policy.
6B. Business Continuity
Roadmap’s continuity posture leans on its sub‑processors. The Roadmap application layer (Vercel) supports near‑instant deployment rollback. Client data lives in Slack, Google Drive, and Notion, each of which maintains its own backup, redundancy, and disaster‑recovery infrastructure documented in their respective trust pages. In the event Roadmap is unable to deliver services for an extended period, file‑retention and termination‑handoff obligations under Terms of Service §17 (including 30‑day post‑cancellation workspace access) remain in effect to the extent reasonably practicable.
7. Audit Logging
- Google Workspace (Drive): Google Workspace Admin audit logs capture Drive activity (file create, share, edit, delete), login events, and security events across our domain. These logs are available in the Google Admin console and retained per Google Workspace’s standard policy.
- Stripe: Full event log available in the Stripe dashboard. Every charge, subscription change, webhook delivery, and API call is logged and attributable.
- Vercel: Vercel function logs capture request/response metadata and errors for all serverless function invocations, including webhook processing.
- Slack Audit Logs API: The Slack Audit Logs API (available on Slack Enterprise Grid) is not currently enabled on our workspace. We have identified this as a roadmap item for enhanced audit coverage. Current audit visibility into Slack is limited to standard workspace admin logs.
8. Secrets Management
All production secrets — including the Stripe secret key, Slack bot token, GCP service account JSON, and session signing secret — are stored as encrypted environment variables in Vercel’s production environment. No secrets are committed to the GitHub repository; the repository is scanned for accidental secret commits via GitHub’s secret scanning feature. The GCP service account JSON key is stored in encrypted form and is not accessible in plain text outside of the production runtime. Secrets are rotated immediately upon suspected compromise.
9. Vulnerability Management
Application dependencies are tracked via GitHub Dependabot, which generates alerts for known CVEs across our dependency tree. Our SLA for patching:
- Critical CVEs: patched within 7 calendar days of alert.
- High CVEs: patched within 30 calendar days.
- Medium / Low: addressed in the next regular release cycle.
We do not currently run a formal bug bounty program or conduct scheduled third‑party penetration tests. We will engage a third‑party pen test firm before any material expansion of our data processing scope. Vulnerability reports may be submitted to support@useroadmap.co (subject: “Security Vulnerability Report”).
10. Backups & Disaster Recovery
- Slack: Native Slack message retention and export. In the event of data loss, Slack’s own backup and recovery infrastructure applies. We do not maintain a separate Slack backup.
- Google Drive: Google Workspace native versioning (file version history) and Google’s own backup infrastructure. Deleted files are recoverable from Trash for 30 days; version history provides additional recovery points.
- Vercel (application): Vercel’s deployment‑based rollback allows instant revert to any prior deployment. There is no stateful application database hosted on Vercel; all stateful client data is in Slack and Drive.
- Stripe: Stripe’s own infrastructure handles payment record durability. Subscription and billing data is recoverable through the Stripe dashboard and API.
Recovery time objective (RTO) and recovery point objective (RPO) for the Roadmap application layer are governed primarily by Vercel’s deployment infrastructure, which targets near‑instant rollback. For client data (Slack and Drive), RTO/RPO are governed by those sub‑processors’ own SLAs.
11. Sub‑Processors
For the complete sub‑processor list with purpose, data processed, region, and key certifications, see our Privacy Policy §7. Security documentation for each sub‑processor:
| Sub‑Processor | Purpose | Region | Security Reference |
|---|---|---|---|
| Slack (Salesforce) | Primary work surface; per‑client channel; Slack Connect | U.S. | slack.com/trust |
| Google Workspace (Drive & Gmail) | Client Drive folders; file storage; service account impersonation | U.S. | workspace.google.com/security |
| Stripe | Billing, Checkout, Customer Portal, subscription management | U.S. | stripe.com/docs/security |
| Vercel | Application hosting (US‑East); webhook routing; portal | U.S. (US‑East) | vercel.com/security |
| Notion (Notion Labs) | Matter management workspace; matter records and Client Content actively used by assigned attorney(s) | U.S. | notion.so/security |
| Perplexity AI (Enterprise) | Ava AI agent inference layer | U.S. | docs.perplexity.ai/docs/resources/privacy-security |
| GitHub (Microsoft) | Source code only — no client data | U.S. | github.com/security |
| Cal.com (Cal.com, Inc.) | Paid‑subscriber and internal scheduling; no Client matter content | U.S. | cal.com/security |
Clients will be notified of any material new sub‑processor at least 30 days before activation via email and an updated Privacy Policy version.
11.1 Accounts You Create With Sub‑Processors
Using the Roadmap platform requires accepting a Slack invitation (and signing in with your own Slack account), accessing the Google Drive folder we provision (signing in with a Google account or completing Google’s standard guest‑sharing flow), and paying through Stripe’s hosted Checkout; active Clients may also use a Cal.com booking link. Each of those relationships is governed by the sub‑processor’s own terms and privacy policy. Roadmap does not receive or store your passwords for those services and does not have access to any data you maintain with them outside the per‑engagement workspace we provision. You remain responsible for the security of those accounts (including MFA where supported). See Privacy Policy §4A.
12. Compliance Posture
SOC 2: Roadmap is not currently SOC 2 certified. Our core sub‑processors — Vercel, Google Workspace, Stripe, Slack, Notion, GitHub, and Cal.com — each hold independent SOC 2 Type II certifications covering the systems that handle client data. Vendor due diligence questionnaires are available on request. We will update this page if we obtain our own SOC 2 report.
ISO 27001: Roadmap does not currently hold ISO 27001 certification. Google Workspace, Stripe, Slack, Notion, and GitHub each hold ISO 27001 certification.
PCI‑DSS: Roadmap does not handle, transmit, or store payment card data. All card data flows through Stripe, which is PCI‑DSS Level 1 certified. Roadmap’s PCI‑DSS scope is limited to selecting a compliant payment processor.
HIPAA / BAA: Roadmap does not handle Protected Health Information (PHI) and does not offer HIPAA Business Associate Agreements.
GDPR / DPA: We are a U.S. law firm primarily serving U.S.‑based clients. We are not currently offering standard GDPR Data Processing Agreements. If your organization requires a DPA, contact support@useroadmap.co.
New York Rules of Professional Conduct. As a New York law firm, all technology decisions affecting legal engagements are assessed against NY RPC, including Rule 1.6 (confidentiality), Rule 1.15 (safekeeping of client property), and NYSBA guidance on attorney use of technology. Attorney supervision applies to all AI‑generated work product.
13. Contact for Security Review / DPA
For vendor due diligence questionnaires, enterprise security review, penetration test result sharing, or DPA inquiries:
Email: support@useroadmap.co
Subject for vulnerability reports: “Security Vulnerability Report”
Entity: Roadmap Law PLLC, New York, NY
We take all vulnerability reports seriously and commit to acknowledging receipt within 2 business days. Please do not publicly disclose a vulnerability before giving us a reasonable opportunity to investigate and remediate it.