Unified Intelligence Platform UIP


Legal Notices

Effective date: April 7, 2026  ·  Version 1.0 (Pre-launch draft)

Development Status

Unified Intelligence Platform ("UIP") is an early-stage product currently in active development. This page lists the compliance frameworks we are working toward, the controls that are implemented today, and the obligations that will apply when the platform reaches production. We have intentionally avoided overstating our current posture. UIP has not completed any third-party security or privacy audit. Where this page makes a forward-looking statement, we say so explicitly.

This page consolidates supplemental legal disclosures applicable to your use of UIP: our compliance roadmap, what is implemented today, cookie practices, accessibility commitments, AI governance, open-source attribution, and other notices. These notices supplement — they do not replace — our Privacy Policy and Terms of Service.

1. Compliance Roadmap

UIP is being designed with the long-term goal of meeting the security and privacy expectations of international law firms. The following frameworks describe our roadmap, not our current state:

  • NIST 800-53 Rev. 5 — we intend to map our controls to the NIST 800-53 control families (Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, System and Information Integrity) as part of our enterprise-readiness work. This mapping has not yet been performed or independently reviewed.
  • SOC 2 Type II — we intend to pursue a SOC 2 Type II audit once the platform has stabilized and we have customers in production. No audit has been initiated, no auditor has been engaged, and no SOC 2 report exists.
  • EU GDPR, UK GDPR, and U.S. state privacy laws — we are designing the platform with privacy-by-design principles and intend to support data subject rights when we onboard production customers in those jurisdictions. We have not yet appointed an EU Representative, UK Representative, or formal Data Protection Officer.
  • EU AI Act — Regulation (EU) 2024/1689 will apply to AI systems used in judicial contexts. We are aware of the obligations it imposes on providers and deployers and consider compliance work part of our roadmap. We have not yet undertaken a conformity assessment.

If you would like to discuss our compliance roadmap and timeline, please contact trust@uip.example.

2. Security Controls Implemented Today

The following controls are implemented in the current build:

  • Password hashing with bcrypt (cost factor 12) and per-password salts; plaintext passwords are never stored or logged
  • JWT RS256 (asymmetric) authentication: a single signing service holds the private key; downstream services verify with the public key only
  • Audit events written to immudb, an append-only Merkle-tree-backed database, with the intent of providing tamper-evident audit history
  • A single self-hosted LLM gateway (LiteLLM) through which all model traffic is routed, providing a chokepoint for data-retention controls
  • Per-service network segmentation via Kubernetes namespaces
  • Transport-layer security (TLS) for HTTP traffic to external services
  • Linting and import restrictions that prevent application code from bypassing the LLM gateway and reaching upstream provider SDKs directly

3. Security Controls Planned but Not Yet Implemented

The following controls are on our roadmap and are not in place today:

  • Multi-factor authentication and single sign-on integration
  • Mutual TLS for service-to-service communication inside the cluster
  • Encryption at rest using a managed key service (KMS) with the option of customer-managed keys
  • External Secrets Operator integration with cloud secret stores
  • Workload Identity for cloud IAM integration (IRSA on AWS, Workload Identity on Azure/GCP)
  • Default-deny Kubernetes NetworkPolicies
  • Formal incident response runbooks and on-call rotation
  • Independent third-party penetration testing
  • SOC 2 Type II audit engagement
  • Background checks and confidentiality agreements for all production-access personnel (we have these for current personnel, but the formal program is not yet documented)

4. Sub-processors

The current development build runs in a local Kubernetes cluster and does not yet engage external sub-processors for production data processing. When the platform reaches production, we expect to use infrastructure providers (AWS, Azure, or GCP) and one or more LLM providers reached through our LiteLLM gateway. A formal sub-processor list with contractual data-protection commitments will be published at that time, and we will give your firm reasonable notice before adding new sub-processors.

5. Cookie Notice

UIP uses a strictly necessary set of first-party cookies and local-storage items to operate the Service. We do not use third-party tracking cookies, advertising pixels, analytics fingerprinting, or session-replay tools. We do not share usage data with advertising networks.

Name | Purpose | Lifetime
session | Encrypted server-side session token (HttpOnly, Secure, SameSite=Lax). Required for authentication. | 14 days inactivity
uip-theme | Local theme preference (light / dark / system). Stored in localStorage; never transmitted to the server. | Persistent until cleared

6. Accessibility Statement

We aim to make UIP accessible to users with disabilities and intend to conform to the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA. Current accessibility features include:

  • Semantic HTML and ARIA labels on interactive elements
  • Keyboard-navigable interfaces with visible focus indicators
  • Theme-aware light and dark color schemes that respect prefers-color-scheme
  • Alternative text on meaningful imagery

We have not yet completed a formal accessibility audit. If you encounter an accessibility barrier, please report it to accessibility@uip.example and we will work to resolve it.

7. AI & Automated Processing Disclosure

The Service uses large language models, vision-language models, and embedding models to assist with evidence analysis, summarization, and generation of work product. The following design intents apply:

  • All model traffic is routed through our self-hosted LiteLLM gateway, which gives us a single chokepoint at which to apply data-retention controls and provider-specific configurations
  • The platform's architecture is designed to tokenize personally identifiable information at the ingest boundary; this layer is in development
  • Customer Data is not used to train, fine-tune, or evaluate general-purpose models
  • UIP does not engage in solely automated decision-making producing legal effects on individuals; AI-assisted outputs are intended for review by qualified attorneys before being relied upon
  • AI-generated artifacts in the user interface are intended to carry provenance metadata (model identifier, prompt hash, timestamp) for auditability — this metadata pipeline is in active development

AI-generated content is not legal advice and does not create an attorney-client relationship. AI-assisted outputs are tools to assist licensed attorneys and must be reviewed and verified by qualified counsel before being relied upon.

8. Open Source Attribution

UIP is built on a foundation of open-source software. We are grateful to the maintainers of, among others: Python, FastAPI, Pydantic, Starlette, HTMX, Alpine.js, Tailwind CSS, ScyllaDB, Apache Kafka, Redis, Qdrant, OpenSearch, immudb, MinIO, Kubernetes, KEDA, LiteLLM, uv, and Ruff. A complete third-party software inventory and license attribution will be published as part of our production release.

9. Copyright & DMCA

UIP respects intellectual property rights. If you believe material processed by the Service infringes your copyright, please send a notice in compliance with the U.S. Digital Millennium Copyright Act (17 U.S.C. § 512) to dmca@uip.example. We will respond to good-faith notices and act on them as required by law.

10. Trademarks

"UIP", "Unified Intelligence Platform", and the UIP wordmark are trademarks of UIP, Inc. All other product, service, and company names referenced on the Service are the trademarks of their respective holders.

11. Responsible Disclosure

Security researchers who discover a vulnerability in the Service are encouraged to report it via good-faith coordinated disclosure. Submit reports to security@uip.example. We will not pursue legal action against good-faith security researchers who follow coordinated disclosure norms. A formal bug-bounty program will be considered as part of our enterprise-readiness work.

12. Contact

For questions about anything on this page:

  • Trust & compliance: trust@uip.example
  • Privacy: privacy@uip.example
  • Legal: legal@uip.example
  • Security: security@uip.example
  • Accessibility: accessibility@uip.example

These Legal Notices reflect the current state of an early-stage product. We have intentionally drafted them to be honest about what is built today and what is planned. They will be revised as the platform matures and as independent audits, certifications, and counsel review are completed.

UIP © 2026. All rights reserved.
