SOC 2 readiness and HIPAA-oriented data protection for Notary Ninjas, LLC
Notary Ninjas, LLC handles sensitive notary, apostille, remote signing, title-company, and client-support workflows. Because those workflows may involve identification, legal documents, financial documents, health-related paperwork, and private client communications, we are building the platform around strong access controls, encryption, audit trails, secure file handling, compliance evidence, and disciplined operational review.
Important compliance statement
This page describes the security and compliance work Notary Ninjas, LLC has built and is continuing to build. SOC 2 readiness and HIPAA-oriented safeguards are not the same as a completed SOC 2 audit, a legal opinion, or a blanket guarantee that every workflow is covered under every regulatory requirement. Formal compliance requires policies, training, vendor review, contractual safeguards where applicable, implementation evidence, ongoing monitoring, and review by qualified legal, compliance, and audit professionals.
Security by design
The project now includes stronger controls around authentication, admin-only areas, secure document handling, encrypted chat data, protected file uploads, and live security visibility. The goal is to reduce unnecessary exposure of client documents and make sensitive activity traceable.
Compliance evidence
A new internal compliance module tracks SOC 2-style controls, evidence records, security health checks, risks, incidents, vendors, backup tests, data retention rules, change-management records, and branded PDF evidence reports for management review.
Privacy-aware operations
We are separating ordinary marketing communication from sensitive document workflows, using role-based access, keeping document exchanges inside secured platform areas when possible, and building logs that help show who accessed, changed, or deleted sensitive records.
Security improvements completed so far
The platform has been expanded beyond a simple notary website into a security-conscious operational system. These features are designed to support remote notary sessions, title-company workflows, document review, live chat, AI-assisted intake, internal administration, and compliance evidence collection.
Encrypted live chat records
New live chat messages are stored encrypted at rest. Rows created before this change are still displayed normally from their original storage format, while records created since use the encrypted storage structure.
Encrypted file upload storage
Chat uploads are restricted to PDF and image files, stored in a secure storage location, and viewed through a controlled inline viewer instead of exposing raw file paths.
Word document blocking
Word documents are blocked in chat uploads because they can carry macros and other embedded active content. The public interface explains this clearly to clients before upload.
25 MB controlled upload limit
The secure upload limit was raised to 25 MB to support larger PDFs and images while still enforcing file-size and file-type restrictions on every upload.
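The following Python is an added example of how the three upload rules above (PDF and images only, Word documents rejected, 25 MB cap) can be enforced on the server. It is not code from the Notary Ninjas platform, whose upload handler is not shown on this page. It goes slightly beyond the text by also catching Word files that a client has renamed to .pdf or .png, because the decision is made on the file's leading bytes rather than on the filename or Content-Type, both of which the uploader controls. The accepted image formats, the function names, the opaque storage naming and the sample inputs are assumptions constructed for the example.

```python
"""Content-based upload gate for chat attachments (added example, not the
platform's own code).

Rules: accept only PDF and image files, reject Word documents (including
Word files renamed to .pdf or .png), and enforce the 25 MB cap. Decisions
use the file's leading bytes, never the client-supplied filename or
Content-Type, both of which an attacker controls.
"""
import io
import secrets
import zipfile

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # the 25 MB limit described on the page

# Magic-byte signatures of the accepted types (assumed set). SVG is deliberately
# absent: it is an image format, but an inline-rendered SVG can carry scripts.
ALLOWED_SIGNATURES = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_FOR = {"application/pdf": "pdf", "image/png": "png",
                 "image/jpeg": "jpg", "image/gif": "gif"}

# Legacy .doc files are OLE Compound File containers; .docx/.docm files are
# ZIP archives whose entries live under word/.
OLE_COMPOUND_FILE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def sniff_type(data: bytes):
    """Return the detected MIME type if the leading bytes match an allowed type."""
    for mime, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def is_word_document(data: bytes) -> bool:
    """True for legacy OLE .doc containers and for OOXML .docx/.docm archives."""
    if data.startswith(OLE_COMPOUND_FILE_MAGIC):
        return True
    if data.startswith(ZIP_LOCAL_HEADER):
        try:
            # Only the archive directory is read; nothing is decompressed,
            # so a zip bomb cannot exhaust memory in this check.
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return any(name.startswith("word/") for name in archive.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def validate_upload(data: bytes):
    """Return (accepted, detected_mime, reason) for one uploaded file body."""
    if not data:
        return False, None, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, None, "file exceeds the 25 MB limit"
    if is_word_document(data):
        return False, None, "Word documents are not accepted in chat uploads"
    mime = sniff_type(data)
    if mime is None:
        return False, None, "only PDF and image files are accepted"
    return True, mime, "ok"


def storage_name(mime: str) -> str:
    """Opaque storage name derived from the detected type. The client's filename
    never reaches the filesystem, so it cannot carry path traversal or a
    misleading extension; keep it only as display metadata."""
    return f"{secrets.token_hex(16)}.{EXTENSION_FOR[mime]}"


def constructed_samples():
    """Constructed sample inputs for the example (not real client files)."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
    return {
        "pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
        "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "doc_renamed_pdf": OLE_COMPOUND_FILE_MAGIC + b"\x00" * 64,
        "docx_renamed_png": docx.getvalue(),
        "html": b"<html><script>alert(1)</script></html>",
        "oversized_pdf": b"%PDF-1.4\n" + b"\x00" * MAX_UPLOAD_BYTES,
    }
```

A type check like this is a gate, not a malware scan: a file that is genuinely a PDF can still contain embedded JavaScript or a malicious stream, which is why the page's roadmap lists malware scanning hooks separately. The inline viewer that serves the stored file should send the detected type, not a client-supplied one, together with an X-Content-Type-Options: nosniff header.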
Admin chat logs and deletion controls
Admins can view chat logs, delete individual logs, bulk-delete selected logs, and remove related encrypted uploaded files while keeping lead records separate.
Live visitor visibility
The platform can show live website visits, current pages, browser/device data, location signals, and when a visitor leaves the site.
AI assistant fallback and escalation
The chat now supports an AI assistant for basic service questions, human notary switching, human availability status, proactive AI invitations, and logged AI activity.
Website knowledge rebuild tool
Admins can run a website scraper to rebuild the AI knowledge base from public website content, including service pages and news content.
SOC 2 readiness module
The admin system includes controls, evidence, risks, incidents, vendor review, backup-test tracking, data-retention planning, and branded PDF evidence exports.
Security health checks
The system includes an admin security-health page to help review configuration items such as HTTPS, secure cookies, storage protection, debug settings, and administrative safeguards.
Append-only audit logging foundation
A compliance audit log foundation records sensitive administrative activity. Each record carries hash-chain style fields (a hash of its own content and the hash of the record before it) so that later edits, deletions, or reordering of stored records can be detected, supporting tamper-evidence goals.
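As an added example, and not the platform's own audit module (whose table and field names are not shown on this page), the Python below implements the hash-chain idea: every record stores the hash of the record before it, and a verifier walks the chain from the first record forward. It also shows the one case a chain by itself cannot catch, records removed from the end, and how storing the latest hash as an external anchor closes that gap. The record fields, the action names and the sample entries are assumptions constructed for the example.

```python
"""Append-only audit log with a hash chain (added example, not the
platform's own module).

Each record stores prev_hash (the hash of the record before it) and
record_hash (SHA-256 over its own canonical content). Editing a record,
deleting one from the middle, or reordering records breaks verification.
Removing records from the end is only caught when the latest hash is also
stored somewhere the log writer cannot change (an anchor).
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first record


def canonical_bytes(record: dict) -> bytes:
    """Deterministic encoding of everything except the record's own hash."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_hash(record: dict) -> str:
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


class AuditLog:
    """In-memory stand-in for an append-only table: records are only appended."""

    def __init__(self):
        self.records = []

    def append(self, actor, action, target, details=None, at=None):
        prev_hash = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        record = {
            "seq": len(self.records) + 1,
            "at": at or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "details": details or {},
            "prev_hash": prev_hash,
        }
        record["record_hash"] = compute_hash(record)
        self.records.append(record)
        return record

    def head_hash(self) -> str:
        """Hash to store as an external anchor (for instance in an evidence export)."""
        return self.records[-1]["record_hash"] if self.records else GENESIS_HASH


def verify_chain(records, anchor_hash=None):
    """Return (ok, problem); problem is None when the chain verifies."""
    expected_prev = GENESIS_HASH
    for position, record in enumerate(records, start=1):
        if record.get("seq") != position:
            return False, f"seq {position}: record missing or out of order"
        if record.get("prev_hash") != expected_prev:
            return False, f"seq {position}: prev_hash does not match the previous record"
        if compute_hash(record) != record.get("record_hash"):
            return False, f"seq {position}: content does not match record_hash"
        expected_prev = record["record_hash"]
    if anchor_hash is not None and expected_prev != anchor_hash:
        return False, "chain head does not match the stored anchor (records removed from the end?)"
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample of the admin chat-log actions the page describes."""
    log = AuditLog()
    log.append("admin@example.invalid", "chat_log.view", "chat_log:1042",
               at="2024-05-01T14:02:11+00:00")
    log.append("admin@example.invalid", "chat_log.delete", "chat_log:1042",
               {"attachments_removed": 2}, at="2024-05-01T14:03:40+00:00")
    log.append("admin@example.invalid", "chat_log.bulk_delete", "chat_log:[1050,1051]",
               {"count": 2}, at="2024-05-01T14:05:02+00:00")
    return log
```

The chain proves only that the records are internally consistent. For the tamper-evidence goal to hold against someone with write access to the log table, the head hash has to be copied regularly to a place that account cannot alter (a separate store, or the branded PDF evidence export itself), and the verification run should be scheduled and its result kept as evidence.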
Remote session safeguards
Remote notary workflows are designed to keep document exchange inside platform-controlled areas instead of relying on ordinary email for sensitive files.
Controls we are organizing and strengthening
SOC 2 readiness focuses on whether security and operational controls are designed, documented, monitored, and evidenced over time.
- Security control register with assigned categories and readiness status.
- Evidence library for screenshots, reports, policy files, review notes, and exports.
- Administrative access review and role separation for admins, notaries, title companies, and staff.
- Audit logging for login, access, deletion, communication, settings, and high-risk administrative events.
- Security-health snapshots to document secure configuration checks.
- Vendor review tracking for third-party services such as payment, AI, hosting, email, and notary-service vendors.
- Incident register for documenting security concerns, response steps, containment, root cause, and closure.
- Backup and restore-test tracking for availability evidence.
- Change-management records for code, database, configuration, and operational updates.
- PDF evidence reports branded for Notary Ninjas, LLC management review.
Safeguards for sensitive documents and communications
HIPAA-oriented security requires administrative, technical, and physical safeguards. Our roadmap focuses on minimizing unnecessary exposure and strengthening control over sensitive information.
- Encrypted storage for chat messages and uploaded chat attachments.
- Controlled inline viewing for PDFs and images instead of direct public file links.
- Restricted upload types and blocking of higher-risk Word documents in chat.
- System notices telling users that sensitive communication should stay inside the secure platform.
- Role-based access restrictions for admins, notaries, and authorized users.
- Audit trails for sensitive viewing, deletion, communication, and administrative activity.
- Data-retention planning for chat logs, uploaded files, leads, remote-session documents, and AI logs.
- AI governance so users are not encouraged to share unnecessary sensitive information with the assistant.
- Vendor review planning for services that may process protected, personal, or confidential information.
- Ongoing review of policies, staff handling rules, and document exchange procedures.
Where the platform is going next
Our security roadmap is practical: improve the software, document the controls, gather evidence, review vendors, test recovery, train users, and keep tightening the workflows as the platform grows.
Phase 1: Platform hardening
Continue strengthening authentication, secure sessions, trusted devices, MFA enforcement, secure cookies, upload scanning, file permissions, protected storage, and database access controls.
Phase 2: Access and identity review
Formalize permissions for admins, notaries, signing agents, title companies, dispatchers, and clients. Review who can view, download, delete, export, email, or change sensitive records.
Phase 3: Evidence and policy discipline
Attach screenshots, configuration records, backup proof, access reviews, vendor reviews, training acknowledgments, incident response notes, and change-management records to the compliance module.
Phase 4: Data retention and deletion automation
Create scheduled enforcement for document deletion, chat attachment cleanup, lead retention, AI log retention, backup retention, and deletion evidence while preserving required audit and accounting records.
Phase 5: Vendor and AI governance
Review third-party vendors, document what data they process, keep agreements and security attestations where applicable, and maintain AI rules that prevent legal advice, unnecessary sensitive-data collection, or unsupported claims.
Phase 6: Audit preparation
Use the compliance center and PDF evidence reports to prepare for outside review, management review, and future SOC 2 or HIPAA-related advisory work with qualified professionals.
Encryption and secure storage
The project now includes encrypted-at-rest storage for live chat content and secure encrypted storage for chat file uploads. Future work includes broader encryption coverage for API keys, vendor credentials, backups, and remote session document workflows.
Auditability
Sensitive actions are being moved into trackable workflows. The compliance module creates a central place for audit events, evidence exports, risks, incidents, vendor records, backup tests, and security-health snapshots.
Human accountability
Technology is only part of compliance. The roadmap includes staff policies, acknowledgments, access reviews, incident documentation, vendor review, secure document handling rules, and clear limits on legal advice.
Why this matters for notary, apostille, and remote signing clients
A notary platform is not only a scheduling tool. Clients may upload IDs, affidavits, powers of attorney, estate documents, corporate records, medical-related documents, title documents, immigration-support paperwork, and other sensitive files. That requires a platform that is careful about access, storage, communication, and deletion.
Our objective is to keep clients inside controlled workflows, reduce avoidable email attachment exchanges, give admins better oversight, and create records that help management verify that security controls are operating as expected.
Client-facing security principles
What users should know
Even with secure systems, users should avoid placing unnecessary sensitive data into general messages. Documents should be uploaded only through the proper secure portal or approved upload workflow.
- Do not send Social Security numbers or full financial account numbers through ordinary email or general chat unless specifically required and instructed through a secure process.
- Remote notary clients should upload documents through the platform workflow whenever possible.
- Notaries are not attorneys and do not provide legal advice or tell clients which legal document to use.
- AI assistance is for general service guidance and routing, not legal advice, medical advice, or a formal review of document validity.
- Users should contact Notary Ninjas directly if they have a time-sensitive document security concern.
Ongoing commitments
The compliance roadmap will continue to mature as the platform grows. Planned improvements include malware scanning hooks, more formal RBAC permissions, stronger encrypted settings storage, periodic access reviews, policy acknowledgments, vendor-management documentation, and recurring backup restore tests.
Our practical goal
Build a notary technology platform that is easier to operate, safer for sensitive documents, more accountable for administrators, clearer for clients, and better prepared for formal security and compliance review.
Need a remote notary, apostille, translation, or secure document workflow?
Contact Notary Ninjas, LLC if you need help preparing for a remote notary session, arranging apostille support, uploading documents securely, or understanding which service path is appropriate for your situation.