We Don't Just Say Your Data Is Isolated. We Prove It With Cryptography.
Every document processing vendor tells you your data is secure. We built a system that lets you verify it yourself, not just take our word for it.
The Problem With "Trust Us"
When law firms send documents to a processing vendor, they're told: "Your data is isolated. It's encrypted. It's safe." But how do you actually know? You're trusting a claim you can't independently verify.
In litigation support/eDiscovery, that's not good enough. Chain of custody matters. Proof matters.
What We Built
UnitizeAI's isolation audit is a cryptographically signed report that proves your data was processed in a fully isolated environment. Every job gets:
- A dedicated service account - no shared credentials between jobs
- An isolated storage bucket - your data physically can't be read by another job
- A locked-down virtual private cloud - network egress restricted to HTTPS-only GCP API calls; all other ports blocked
And we don't just configure these controls. We test them live, during your job, and cryptographically sign the results.
How It Works
Step 1: Test Before Processing
Before a single page of your data is touched, we run a battery of tests:
- TLS verification - confirm encrypted connections to Google Cloud Storage with valid certificates
- Identity attestation - confirm the job runs under its own unique service account
- Bucket isolation - attempt to read, write, and list files in other jobs' buckets (all must fail)
- Public access prevention - verify the bucket can't be made publicly accessible
- Network egress tests - attempt connections on non-HTTPS ports (TCP 80, 8080, etc.) and confirm they're blocked by firewall rules
Every test records what was attempted, what was expected, and what actually happened.
Step 2: Sign the Results
The test results are serialized into a canonical JSON payload and signed using ECDSA P-256 with SHA-256 via Google Cloud KMS. The private key never leaves Google's infrastructure and we never touch it directly.
This creates a pre-processing signature: cryptographic proof that isolation was verified before your data was processed.
Step 3: Process Your Documents
Your documents go through OCR and LLM-based boundary detection inside the isolated environment.
Step 4: Test Again and Chain the Signatures
After processing completes, we re-run the network isolation tests. This proves the VPC firewall rules held for the entire duration of processing, not just at the start.
The post-processing payload includes all tests plus the pre-processing signature, creating a signature chain. If either signature is tampered with, the chain breaks.
Step 5: Deliver the Proof
You receive two files alongside your processed documents:
isolation_audit.txt- a human-readable report with every test, its rationale, and its resultisolation_audit.json- a machine-parseable version with both signatures and their payloads
Verify It Yourself - In Your Browser
Here's where it gets interesting. You don't need to trust us to verify the audit.
Our verification page runs entirely in your browser. No data leaves your machine. It:
- Parses the audit JSON
- Fetches our public key from a well-known URL (
/.well-known/signing-key.pem) - Reconstructs the canonical payloads
- Verifies both ECDSA signatures using the Web Crypto API
- Checks that the signature chain is intact
If any byte in the report was altered, verification fails. If someone tried to swap one job's audit for another, the chain breaks. The math doesn't lie.
What Makes This Different
Transparency over black boxes. Most security reports give you a pass/fail. Ours show you every test: what was tested, why it matters, what the expected result was, and what actually happened.
Cryptographic proof, not assertions. ECDSA P-256 and SHA-256 are NIST-approved standards used across the industry. We use Google Cloud KMS for key management - no home-rolled crypto.
Zero-trust verification. The customer never needs to trust our servers during verification. The public key is published. The signatures are in the report. The math is standard. Verify it yourself.
Continuous enforcement. Testing at both the start and end of processing proves isolation held throughout, not just at a single point in time.
The Technical Details
For those who want to dig deeper:
| Component | Standard |
|---|---|
| Hash function | SHA-256 |
| Signing algorithm | ECDSA P-256 |
| Key management | Google Cloud KMS (EC_SIGN_P256_SHA256) |
| Signature encoding | DER, then base64 |
| Public key format | PEM (X.509 SubjectPublicKeyInfo) |
| Payload serialization | Canonical JSON (sorted keys, minimal separators) |
| Browser verification | Web Crypto API |
The public key fingerprint is the SHA-256 hash of the DER-encoded public key bytes, so you can independently confirm you're verifying against the correct key.
Why This Matters for Legal Tech
Document processing in litigation carries real liability. Commingling data between matters (even accidentally) can trigger sanctions, waive privilege, or compromise a case.
An isolation audit that customers can independently verify isn't just a nice-to-have. It's the standard the industry should be moving toward.
UnitizeAI is a document unitization platform for litigation support. We use AI to identify document boundaries, extract metadata, and produce load files - all in cryptographically verified isolated environments.
See It in Action
Every job processed through UnitizeAI includes a cryptographically signed isolation audit report — at no extra cost. Upload a document, and you'll receive a verifiable proof of isolation alongside your load files.
Try UnitizeAI today and see what provable data isolation looks like.