Data Security

CoAdvocate.ai is the permanent, secure home for your co-parenting communication. Because those messages can be important in a custody matter — sometimes years after they were sent — we treat security and durability as core guarantees of the product, not afterthoughts. This page explains, in concrete terms, how we protect your information.

Last reviewed: June 2026.

Our security principles

Three commitments shape every decision below:

  • Your record is yours, and it endures. The communication tied to a co-parent is preserved as an evidence-grade record that the platform itself cannot quietly alter or erase — so it remains trustworthy no matter what anyone does later.
  • Least access, by default. Within the product, your data is reachable only by you and by the people you explicitly authorize — and only within the exact scope you granted. For what CoAdvocate staff can technically access to run the service, see "Can CoAdvocate see my messages?" below — we are straight with you about it.
  • No surprises. We are deliberately specific here, and we are honest about the limits. We would rather under-promise than overstate what a system can do.

Encryption

In transit. Everything you send to and receive from CoAdvocate travels over modern TLS — the same kind of HTTPS encryption banks use. Our storage layer goes a step further and actively refuses any request that is not encrypted in transit, so unencrypted access is not merely discouraged, it is rejected.
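One way an operator could check the "refuses unencrypted requests" guarantee described above, as an added example that is not CoAdvocate's own code or policy. It assumes the storage layer is Amazon S3 (the page says only that the service runs on AWS); the bucket name and the sample policy are constructed.

```python
import json

BUCKET_ARN = "arn:aws:s3:::example-evidence-archive"  # hypothetical bucket name

# Constructed sample policy (assumption: the storage layer is Amazon S3).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyPlaintextTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-evidence-archive",
                 "arn:aws:s3:::example-evidence-archive/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}
""")


def as_list(value):
    """IAM policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_plaintext_deny(stmt):
    """True if the statement denies every action to every principal over non-TLS."""
    cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
    flag = [str(v).lower() for v in as_list(cond.get("aws:securetransport", []))]
    actions = as_list(stmt.get("Action", []))
    return (stmt.get("Effect") == "Deny"
            and stmt.get("Principal") in ("*", {"AWS": "*"})
            and ("s3:*" in actions or "*" in actions)
            and flag == ["false"])


def refuses_plaintext(policy, bucket_arn):
    """The deny must cover the bucket and its objects, or some calls slip through."""
    covered = set()
    for stmt in as_list(policy.get("Statement", [])):
        if is_plaintext_deny(stmt):
            covered.update(as_list(stmt.get("Resource", [])))
    return {bucket_arn, bucket_arn + "/*"} <= covered
```

A policy that lists only the object ARN (`.../*`) fails this check, because bucket-level calls such as listing would still be accepted without TLS.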

At rest. Your stored data is encrypted with AES-256 using keys managed in AWS Key Management Service (KMS). Different classes of data — your message archive, the parenting plans and court orders you upload, and file attachments — are protected with separate, dedicated keys, so a problem affecting one does not expose the others. Encryption keys are rotated on a regular schedule. Encryption at rest defends your data against lost or stolen hardware and against anyone who obtains the stored data without our keys; it is not a way of hiding your content from CoAdvocate's own systems (see "Can CoAdvocate see my messages?").

Secrets are vaulted. Database credentials and service keys live in a managed secrets vault and are retrieved only at runtime. They are never written into our source code, configuration files, or container images.

Your evidence record: an immutable chain of custody

When a message is tied to a co-parent or other party you have tagged, the original is written to a dedicated, encrypted archive that is append-only. The archive keeps every version of every object, and deletion is refused at the storage layer itself — there is no path in the CoAdvocate application, and no routine operator action, that can modify or remove an archived record. This applies in both directions: messages from your co-parent and the messages you send to them are both preserved.

For the strongest evidentiary guarantee, we apply write-once (WORM) retention locks to this archive as it grows, placing records beyond the reach of any party — including CoAdvocate staff, and even the cloud provider — for a multi-year retention period. This is what lets your communication stand up as a clean, tamper-evident record if it is ever needed.

The flip side is just as deliberate: mail from unregistered senders (spam, marketing, one-off messages) is not part of this evidence layer, and you can delete it. Deleted items are removed permanently after a 30-day grace period.

Your AI companion is walled off from your evidence

The private conversations you have with the CoAdvocate companion are stored completely separately from your message record. This separation is enforced in the data model itself, and it has real consequences you can rely on:

  • Clearing your companion history never touches your messages.
  • Companion conversations are never included in an evidence export.
  • An attorney you grant access to cannot see your companion conversations — period. Professional access reaches your evidence record only, never the place where you think out loud.

One honest caveat. These promises describe how CoAdvocate handles your data — they are not a shield against the law. Like any company, if we receive a valid subpoena or court order, we have to respond to it (see our Privacy Policy). Be clear-eyed about what that means: conversations with the companion are not legally privileged the way a conversation with your own attorney is, and if compelled by a court they could be discoverable. In practice, the emotional processing and venting that the companion is mostly used for carry little legal risk; the thing to be thoughtful about is factual statements that could contradict a position you have taken in a legal proceeding. (This isn't legal advice — your attorney can advise you on your situation.)

What we can tell you is how we hold it: when you delete a companion conversation, it is permanently removed from CoAdvocate — not soft-deleted, not hidden, not archived. Once you delete it, it is no longer part of your account for us to keep or to hand over. For everyday privacy, clearing conversations you no longer need is the most reliable protection — with one important exception.

If you are in or anticipate litigation, do not delete — preserve. Once you have a legal duty to preserve evidence (a "litigation hold"), deleting material that could be relevant — these conversations included — can carry serious consequences (this is called spoliation). If you are in active proceedings, or reasonably expect them, talk to your attorney about your document-preservation obligations before you delete anything.

Scoped access for attorneys and professionals

You can give an attorney or other professional access to your record. That access is tightly contained:

  • Per-grant scope. A professional sees only the client data you granted, and nothing beyond it. A professional who works with several CoAdvocate clients has a separate, independently scoped grant for each — one client's data can never bleed into another's.
  • Stronger sign-in. Professional accounts are required to use multi-factor authentication before they can view any client data.
  • Every access is logged. Each time a professional opens your record, that access is recorded in an audit trail — who, when, and what they viewed.
  • You stay in control. You can revoke a grant at any time, and access ends when you do.

Accounts and sign-in

Authentication is handled by AWS Cognito, a managed identity service. Concretely:

  • Passwords must meet a strong complexity policy and are never stored by us in readable form.
  • Multi-factor authentication (MFA) using an authenticator app is available to everyone and required for professional accounts.
  • Sign-in is designed not to reveal whether a given email belongs to an account.
  • Sessions use short-lived access tokens, so a token cannot be reused indefinitely.

We strongly recommend turning on MFA for your own account in Settings — it is the single most effective thing you can do to protect it.

Isolation between accounts

CoAdvocate is multi-tenant, and every request is scoped to the account that makes it. One account can never read another account's messages, documents, calendar, or companion conversations. Our environments are also kept separate, so the systems where we build and test never touch real customer data.

Can CoAdvocate see my messages?

Honest answer: yes, to the extent needed to run the service. CoAdvocate is not an "end-to-end encrypted" or "zero-knowledge" product, and we don't claim to be. The features that make it useful — classifying tone and urgency, the AI companion, letting an attorney you authorize read your record, search, and evidence export — all require our systems to be able to read your content. Encryption at rest protects that content from lost or stolen hardware and from anyone who does not hold our keys; it does not, and is not meant to, hide your content from CoAdvocate itself.

In practice, a small number of authorized personnel can access stored data when it is genuinely necessary to operate, secure, troubleshoot, or support the service, or to comply with a valid legal request. Access follows least-privilege principles, and we do not sell your content or use it for anything beyond running the service and delivering the features you ask for. If you need a system where even the provider mathematically cannot read your data, CoAdvocate is not the right fit — and we would rather tell you that plainly than imply otherwise.

How AI processes your content

Some features — drafting help, the companion, tone and conflict analysis, and questions about your parenting plan — work by sending the relevant content to third-party AI model providers acting as our service providers. We handle this carefully:

  • We send only what is needed to produce the result you asked for.
  • We aim to work with providers that do not use your content to train their general-purpose models. You can request our current list of these providers at info@coadvocate.ai.
  • Because the companion is walled off from your evidence record (see above), thinking out loud with the AI never becomes part of the documentation.

As with anything that touches an AI system, a good rule holds: do not submit information you would not want processed by an AI system. You always control what you type and upload.

Email handled the right way

CoAdvocate works over ordinary email, so your co-parent needs no app. All outbound mail flows through the CoAdvocate application — never directly from your browser or phone to the email network — which lets us authenticate it, rate-limit it to prevent abuse, and record it to your account. Inbound mail is parsed and archived before any further processing, so the original is captured first.

Infrastructure and operations

CoAdvocate runs entirely on Amazon Web Services. A few practices worth calling out:

  • Private by default. Our production database runs on a private network with no public internet endpoint, reachable only by the application.
  • No long-lived cloud keys. Our deployment pipeline authenticates with short-lived, federated credentials — there are no permanent cloud keys sitting in a build system waiting to be stolen.
  • Reviewed, reversible changes. Database schema changes are tested forward and backward and reviewed before they reach production.
  • Durable backups. Data is continuously backed up, and the evidence archive additionally retains every prior version of every object.

Data minimization in our logs

Operational logs help us keep the service healthy, but they are not a place for your private content. Sensitive fields — email addresses, message bodies, and access tokens — are redacted or one-way hashed before anything is written to a log.
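A sketch of the kind of scrubbing described above, as an added example that is not CoAdvocate's own code. The field names, key and sample event are constructed, and it uses a keyed hash (HMAC-SHA-256) instead of a bare hash so that guessable values such as email addresses cannot be recovered by hashing candidates; that is this example's choice, not something the page states.

```python
import hashlib
import hmac
import re

# Constructed demo key; assumption: a real key would be fetched from a secrets vault.
LOG_HASH_KEY = b"constructed-demo-key"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# JWT-shaped strings (three base64url segments), the usual form of access tokens.
TOKEN_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

BODY_FIELDS = {"body", "message_body"}        # hypothetical field names
TOKEN_FIELDS = {"access_token", "authorization"}
EMAIL_FIELDS = {"email", "from", "to"}


def pseudonym(value):
    """Stable one-way stand-in: the same address always maps to the same tag."""
    mac = hmac.new(LOG_HASH_KEY, value.lower().encode(), hashlib.sha256)
    return "h:" + mac.hexdigest()[:16]


def scrub_text(text):
    """Catch tokens and addresses that leak into free-text fields."""
    text = TOKEN_RE.sub("[REDACTED_TOKEN]", text)
    return EMAIL_RE.sub(lambda m: pseudonym(m.group()), text)


def scrub_event(event):
    """Return a copy of a structured log event that is safe to write."""
    out = {}
    for key, value in event.items():
        if key in BODY_FIELDS:
            out[key] = "[REDACTED len=%d]" % len(value)   # keep size, drop content
        elif key in TOKEN_FIELDS:
            out[key] = "[REDACTED_TOKEN]"
        elif key in EMAIL_FIELDS:
            out[key] = pseudonym(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out
```

Because the pseudonym is stable, log lines about the same address can still be correlated during troubleshooting without the address itself appearing.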

Your data, your choices

You can delete non-evidence mail, clear your companion history, and close your account. Some records are kept by design: your evidence archive is preserved as your chain of custody, and records of legal agreements are retained for legal-defense purposes. For the full picture of what we collect, how long we keep it, and the rights you have (including access, correction, and deletion), see our Privacy Policy.

Reporting a security concern

If you believe you have found a vulnerability or have a security question, we want to hear from you. Email security@coadvocate.ai, or reach us through our contact page. We investigate every report in good faith.

An honest word on limits

No method of transmitting or storing data is ever completely secure, and no company can promise absolute security — anyone who tells you otherwise is overselling. What we can promise is that we use strong, well-understood safeguards, that we are deliberate about them, and that we will keep improving them. Your part of the bargain is to keep your credentials private and to turn on MFA. If our practices and this page ever diverge, the practices are what govern, and we will correct the page.