01
Crown disclosure undertakings (R v Basi; BCPS 2025 Disclosure Letter)
What it requires
Crown disclosure in BC is supplied to defence counsel under written undertakings governing access, copying, secondary disclosure, and storage. Counsel are responsible for ensuring that any system or person handling the disclosure is bound by those terms.
What we do
- Each Crown delivery is captured as a discrete event with the source, date received, transmittal letter, and the password used to decrypt the archive — a complete provenance record.
- No copy of disclosure leaves the platform without an explicit, audit-logged action by the lawyer. Inline review (PDF, audio, video) renders content in-browser without a local download.
- Secondary disclosure (to expert, co-counsel, or the accused) is performed through the platform with per-recipient access logging, time-bounded links, and watermarking.
- The intake pipeline records the time of decryption, the members extracted, and a content hash for every file, so the chain of custody from the Crown delivery to each individual file is reconstructable.
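As an added example (not Particulars' own code), the intake step above can be modelled as: open the delivered archive, hash every member, emit a provenance event, and later re-check the files against that event. Assumptions of mine: the delivery is a ZIP archive, the event is a plain dict (a real pipeline would persist it as an audit-log record), the password is recorded as a SHA-256 fingerprint rather than in clear, and the sample archive is constructed, not a real delivery.

```python
"""Added example, not Particulars' own code: an intake step that opens a
delivered archive, hashes every member, and emits a provenance event that a
later step can verify against. Assumptions of mine: the delivery is a ZIP,
the event is a plain dict (a real pipeline would persist it as an audit-log
record), and the sample archive below is constructed, not a real delivery."""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_members(archive_bytes: bytes, password: bytes) -> dict[str, bytes]:
    """Return {member name: content} for every file in the archive.

    zipfile consults pwd only for encrypted members; the constructed sample
    is unencrypted, so the password is accepted and ignored there."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                members[info.filename] = zf.read(info, pwd=password)
    return members


def intake_archive(archive_bytes: bytes, password: bytes,
                   source: str, transmittal_ref: str) -> dict:
    """Build the provenance event for one Crown delivery.

    The password is recorded as a SHA-256 fingerprint rather than in clear:
    that is enough to prove which password opened the archive without
    turning the audit log into a credential store (my design choice)."""
    files = [
        {"name": name, "size": len(data), "sha256": sha256_hex(data)}
        for name, data in sorted(read_members(archive_bytes, password).items())
    ]
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return {
        "event": "crown_disclosure_received",
        "source": source,
        "transmittal_ref": transmittal_ref,
        "decrypted_at": datetime.now(timezone.utc).isoformat(),
        "password_fingerprint": sha256_hex(password),
        "archive_sha256": sha256_hex(archive_bytes),
        "files": files,
        # A hash over the canonical file list makes the manifest tamper-evident
        "manifest_sha256": sha256_hex(canonical),
    }


def verify_against_manifest(manifest: dict, current: dict[str, bytes]) -> list[str]:
    """Compare files as they exist now with the hashes recorded at intake.

    Returns a sorted list of problems; an empty list means the chain of
    custody from the delivery to each file is intact."""
    expected = {f["name"]: f["sha256"] for f in manifest["files"]}
    problems = []
    for name, digest in expected.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif sha256_hex(current[name]) != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in current if name not in expected)
    return sorted(problems)


def build_sample_delivery() -> bytes:
    """Constructed sample archive standing in for a Crown delivery."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statements/witness_01.pdf", b"%PDF-1.4 sample witness statement\n")
        zf.writestr("media/interview_01.wav", b"RIFF sample audio bytes")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_delivery()
    event = intake_archive(archive, b"sample-password", "BCPS", "TL-0001")
    print(json.dumps(event, indent=2))
    print(verify_against_manifest(event, read_members(archive, b"sample-password")))
```

The check distinguishes a file that was altered from one that went missing or appeared after intake, which is the distinction a custody question actually turns on. Recording a fingerprint of the password rather than the password itself is a choice of this example; the page says the password is recorded, and a practitioner should confirm how that value is protected in the event store.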
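The per-recipient, time-bounded links used for secondary disclosure above can be built from an HMAC over the matter, file, recipient and absolute expiry. This is an added example, not Particulars' own implementation; the key, the host name firm.example, the URL shape and the in-memory access log are all assumptions of mine.

```python
"""Added example, not Particulars' own code: per-recipient, time-bounded
secondary-disclosure links signed with HMAC-SHA256 and checked against an
access log. Assumptions of mine: a server-side key, the URL shape
https://firm.example/d/<matter>/<file>?r=<recipient>&e=<expiry>&s=<sig>, and
a plain list standing in for the audit log. Key and host are placeholders."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = b"constructed-sample-key-use-a-random-one-in-production"  # assumption


def _message(matter: str, file_id: str, recipient: str, expiry: int) -> bytes:
    """Length-prefixed fields, so "a|bc" and "ab|c" cannot collide."""
    parts = [matter, file_id, recipient, str(expiry)]
    return b"".join(f"{len(p)}:{p}".encode() for p in parts)


def _signature(key: bytes, matter: str, file_id: str, recipient: str, expiry: int) -> str:
    return hmac.new(key, _message(matter, file_id, recipient, expiry), hashlib.sha256).hexdigest()


def sign_link(key: bytes, matter: str, file_id: str, recipient: str,
              ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a link bound to one recipient, one file, and an absolute expiry."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    query = urlencode({"r": recipient, "e": expiry,
                       "s": _signature(key, matter, file_id, recipient, expiry)})
    return f"https://firm.example/d/{matter}/{file_id}?{query}"


def verify_link(key: bytes, url: str, now: int, access_log: list) -> tuple:
    """Check a presented link and record the attempt, granted or not.

    The signature is checked before the clock, so a forged link never learns
    whether its chosen expiry would have been accepted."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        _, matter, file_id = parts.path.strip("/").split("/")
        recipient, expiry, sig = q["r"][0], int(q["e"][0]), q["s"][0]
    except (ValueError, KeyError):
        access_log.append({"at": now, "url": url, "outcome": "malformed"})
        return False, "malformed"
    expected = _signature(key, matter, file_id, recipient, expiry)
    if not hmac.compare_digest(expected, sig):
        outcome = "bad_signature"
    elif now > expiry:
        outcome = "expired"
    else:
        outcome = "granted"
    access_log.append({"at": now, "matter": matter, "file": file_id,
                       "recipient": recipient, "outcome": outcome})
    return outcome == "granted", outcome


if __name__ == "__main__":
    log = []
    link = sign_link(SECRET_KEY, "M-2025-17", "exhibit-12", "expert-alice", 3600)
    print(link)
    print(verify_link(SECRET_KEY, link, int(time.time()), log))
    print(log)
```

Because the recipient and expiry are inside the signed message, changing either in the URL invalidates the signature; every attempt, including the failed ones, lands in the log, which is what per-recipient access logging needs. Revocation before expiry still requires a server-side check (for example a per-link revocation list), which this example does not include.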
Where to verify
- Particulars security letter — Crown undertakings section [Pending — link]
- ADR-0008: Disclosure event provenance [Pending — link]
02
LSBC Rule 10-3 — records storage
What it requires
Lawyers must store client and trust records in a manner that preserves their integrity and confidentiality, including records held by third parties on the lawyer’s behalf.
What we do
- All disclosure and matter content is stored in object storage encrypted with a per-tenant master key held in HashiCorp Vault. Keys are not shared across firms.
- Per-firm bucket isolation on the storage backend, enforced at the infrastructure layer in addition to application-level checks.
- Default seven-year retention with audit-logged extension; expiry deletions are themselves audit-logged.
- Single-click matter export produces a self-contained archive (documents + manifest + audit log) suitable for transfer or off-platform retention.
Where to verify
- LSBC Rule 10-3 — Law Society of BC
- Particulars security letter — Records storage section [Pending — link]
03
LSBC Rule 10-4 — out-of-province storage notification
What it requires
A lawyer who stores records outside British Columbia must notify the client and obtain consent in the manner specified by the rule.
What we do
- Particulars infrastructure (compute, storage, backups, key management, logging) operates entirely within British Columbia.
- Because no records are stored outside BC, Rule 10-4 notification is not triggered for clients of firms using Particulars in its standard configuration. An export a firm takes off-platform (the matter export described above) is the firm's own record, and where the firm stores it is outside this statement.
- A change of region would be treated as a material change to the security posture and would be communicated to firms in advance, with documentation suitable for client notification if it ever occurred.
Where to verify
- LSBC Rule 10-4 — Law Society of BC
- Particulars security letter — Data residency section [Pending — link]
04
LSBC Code of Professional Conduct, Rule 3.3 — confidentiality
What it requires
A lawyer at all times must hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship.
What we do
- Five-layer tenant isolation: per-firm subdomain, per-request tenant context, row-level security on every customer-data table, per-tenant storage buckets and encryption keys, and operational logs that carry only identifiers and metadata, never customer content.
- Operator access is mediated, audit-logged, and limited to defined incident-response situations; routine engineering does not access tenant content.
- Authentication uses WebAuthn with TOTP backup; session policy is conservative and re-auth is required for sensitive actions.
Where to verify
- LSBC Code of Professional Conduct
- Particulars security letter — Confidentiality controls [Pending — link]
05
LSBC Cloud Computing Guidelines
What it requires
Lawyers using cloud services must take reasonable steps to ensure the provider’s practices meet the lawyer’s professional obligations, including with respect to security, jurisdiction of storage, contractual terms, and the ability to retrieve and migrate data.
What we do
- Per-tenant data isolation, BC-resident infrastructure, and a written security letter that maps controls to the LSBC guideline questions point by point.
- Contractual terms acknowledge the lawyer’s undertakings and obligations to the Law Society and to the Crown.
- Self-serve, audit-logged matter and firm exports — the firm can retrieve everything Particulars holds for them, in a usable form, at any time.
Where to verify
- LSBC Cloud Computing Guidelines — Law Society of BC
- Particulars security letter — Cloud guidelines mapping [Pending — link]
06
LSBC Guidance on Generative AI (2024)
What it requires
Lawyers using generative AI must understand the technology, supervise its use, protect confidential information, and verify outputs before relying on them.
What we do
- No generative-AI features are enabled by default on customer content. Where AI-assisted classification or transcription is offered, it runs on infrastructure under our control and is not used to train external models.
- No customer content is sent to third-party AI providers without an explicit per-firm opt-in and a written addendum explaining what is sent, where, and what the provider’s retention is.
- AI-derived classifications are surfaced as suggestions, never as ground truth, and a human review step is required before they affect a matter’s record.
Where to verify
- LSBC Practice Resource: Guidance on Professional Responsibility and Generative AI (2024)
- Particulars security letter — Generative AI posture [Pending — link]
07
PIPA (Personal Information Protection Act, BC)
What it requires
Private-sector organizations operating in BC must collect, use, and disclose personal information only for reasonable purposes, with notice and (where required) consent, and must protect it with security appropriate to the sensitivity of the information.
What we do
- Particulars holds the firm’s personal information (firm contact, billing, user accounts) and processes the firm’s clients’ personal information on the firm’s instructions, as a service provider under PIPA.
- Encryption at rest with per-tenant keys, encryption in transit (TLS 1.3), audit logging of access, and a breach-notification process that follows OIPC guidance under PIPA.
- A privacy policy and a data-processing addendum are available and signed at firm onboarding.
Where to verify
08
PIPEDA (federal)
What it requires
Where personal information crosses provincial or national borders in the course of commercial activity, PIPEDA applies. Organizations must apply the ten fair-information principles, including accountability, accuracy, safeguards, and openness.
What we do
- Standard practice mirrors PIPA obligations and additionally covers cross-border data-flow scenarios, although, because Particulars infrastructure is BC-resident, no routine cross-border transfer of customer content occurs.
- A documented incident-response plan, including notification timelines, is in place and is exercised at least annually.
- A designated privacy officer at Sudohuman Labs is identified in the privacy policy, with contact details for inquiries and complaints.
Where to verify
09
Office of the Information and Privacy Commissioner of BC
What it requires
The OIPC oversees PIPA in the private sector. Organizations must cooperate with its investigations and are expected to follow the guidance it issues, including on cloud services, breach notification, and the use of biometrics and AI.
What we do
- Sudohuman Labs maintains a registered point of contact for OIPC correspondence and a documented internal procedure for receiving, triaging, and responding to OIPC inquiries within statutory timelines.
- The breach-notification procedure follows OIPC guidance, and the Particulars terms of service identify the firm as the organization responsible for its clients' personal information, with Particulars acting as its service provider.
Where to verify
Pending pre-launch
We will not enrol our first paying customer without these in place. They are listed visibly because hiding them would not actually make them less true.
- External CREST-accredited penetration test [Pending — pre-launch]
- Cyber liability insurance carrier and coverage figure [Pending — pre-launch]
- Published sub-processor list [Pending — pre-launch]
- Annual third-party legal review of LSBC alignment [Pending — pre-launch]
What we don’t pursue, and why
Particulars does not pursue SOC 2 Type II or ISO 27001 certification. The cost of those audits is significant and would be passed through to the firms that buy the product. More importantly, the controls those frameworks audit are designed against a generic SaaS threat model — not against the specific shape of Crown disclosure in BC, the Law Society’s rules about records held by third parties, or PIPA’s expectations for a service provider operating exclusively in this province.
Our security letter speaks directly to those obligations and to the controls that meet them. A firm’s LSBC practice review does not ask whether the firm’s vendor is SOC 2 certified. It asks whether the lawyer can answer for what their vendor does. We have written this page so that the lawyer can.