A real estate transaction file is a stalker's, fraudster's, and identity thief's dream: government IDs, Social Security numbers, bank details, signatures, home addresses, purchase prices, and the exact date a large sum of money will move. When your firm adopts a document platform, you are handing that file, for every client, every deal, to a vendor. Their security posture becomes your security posture, and in many respects your professional responsibility.
Most firms vet legal tech on features and price, then accept the security page's logos at face value. That's backwards: features change monthly; a data breach is forever. Here is the due diligence a US real estate or legal practice should actually run, the questions, what good answers look like, and the red flags. (And yes, we'll tell you VeriCasa's answers as we go, because we think vendors should have to answer their own checklist.)
1. Independent certification, "Who audited you?"
Self-descriptions like "bank-grade security" are marketing. What counts is independent attestation:
- SOC 2, the US-standard audit of a service organization's controls for security, availability, and confidentiality, performed by an independent CPA firm. Ask for the report under NDA, not just the badge; a Type II report (controls tested over time) is stronger than Type I (a point-in-time snapshot).
- ISO 27001, the international standard for information security management systems. It certifies that security is run as a continuous, audited management process, not a one-time hardening project.
Good answer: current certifications, reports available on request, a named person responsible for security. Red flag: "we follow industry best practices" with nothing verifiable behind it. VeriCasa is SOC 2 certified and ISO 27001 aligned.
2. Encryption, "Where is my data unprotected?"
The right mental model: data has three states, in transit (moving over networks), at rest (stored), and in processing. Ask about each:
- In transit: TLS on every connection, no exceptions.
- At rest: strong encryption of stored documents and databases, 256-bit encryption (AES-256) is the benchmark answer.
- Key management: who holds the keys, how are they rotated, and can one compromised credential decrypt everything?
VeriCasa encrypts with 256-bit encryption throughout, and signed contracts live in a secure, centralized database rather than scattered across email, which brings us to the point most checklists miss:
3. Architecture, "Does the workflow itself leak?"
A platform can be perfectly encrypted and still push your practice into insecure behavior. The classic failure: the "secure" system emails documents as attachments, so every file also exists in a dozen unencrypted inboxes. Evaluate the workflow, not just the vault:
- Do documents stay inside the platform through analysis, drafting, signature, and storage, or do they round-trip through email at each step?
- Are there role-based access controls, so a new hire sees their files and not the firm's entire history? (VeriCasa supports unlimited users with managed roles and permissions.)
- Is there a complete audit trail, who viewed, edited, sent, and signed what, when? In a dispute or a breach investigation, the audit log is the difference between answers and guesses.
4. Signatures, "Can you prove who signed?"
If the platform executes documents, its signature technology is part of your evidentiary posture. Click-to-sign is legally valid under ESIGN/UETA, but certified digital signatures, identity verified by a certification authority, signature cryptographically bound to the exact document, alterations mathematically detectable, are the standard you want on instruments that move six and seven figures. Ask which the vendor provides. VeriCasa gathers certified digital signatures with identity verification, in a few clicks.
5. AI-specific questions, the new section of the checklist
If the platform uses AI (as VeriCasa does, for extraction and legal cross-checking), add these:
- "Is my clients' data used to train models available to others?" The answer must be an unambiguous policy, in the contract, not a shrug.
- "Can the AI's outputs be verified?" Good AI in legal work shows its sources. VeriCasa's cross-check findings each cite the source document and field, so a professional can verify any flag in seconds, no black-box conclusions.
- "What happens to documents after processing?" Retention, deletion on request, and data location should all have concrete answers.
- "Where does the human sit?" Platforms should be positioned as analysis and drafting tools whose output a professional reviews and owns, that's both the responsible design and the professionally defensible one.
6. Privacy discipline, "Built for the strictest regime?"
US privacy law is a patchwork, state acts like California's CPRA, sectoral rules, FTC enforcement. A useful shortcut when vetting vendors: ask whether they operate to GDPR-grade standards (the EU's regime, generally the world's strictest general framework, data minimization, purpose limitation, deletion rights, breach notification). A vendor engineered for GDPR clears most US state requirements as a side effect. VeriCasa operates GDPR-compliant by design.
7. Boring-but-critical operational questions
- Breach history and notification: Have you had incidents? What is your notification commitment, in hours?
- Backups and continuity: If your infrastructure fails the week of my closings, what happens?
- Exit: If we leave, do we get all our documents and data out, in usable formats, and is our data then deleted? A vendor that makes leaving hard is telling you something.
- Support: When something breaks at a critical moment, is there a human? (VeriCasa provides ongoing customer support, 24/7.)
The uncomfortable comparison: your current process
One more question, pointed at the mirror: how does your existing workflow score on this checklist? Files in email threads: unencrypted at rest, no access control, no audit trail. Documents on local drives: no certification, uncertain backups. Wet-ink pages couriered around: no tamper evidence at all. For most practices, a well-vetted platform isn't a new risk to accept, it's the retirement of a much larger one nobody had audited.
Compliance without compromise: GDPR-grade privacy, certified digital signatures, SOC 2, ISO 27001 alignment, and 256-bit encryption, the standard your clients' files deserve.
The takeaway
Vet the vendor like you'd vet a title: independently verified, consistent across documents, and with nothing material left unexplained. The right platform doesn't just protect your files, it upgrades your entire practice's security posture in one move, while making the work faster. That combination is the point.
See VeriCasa on your own files
Hundreds of AI legal cross-checks, reports and contracts in minutes, certified digital signatures.
Book a demo