Data Handling Policy

Effective date:

Bankruptcy intake involves some of the most sensitive personal information a client will ever share with their attorney. This Data Handling Policy describes how CaseRunway collects, protects, and retains that information, and what your firm should expect from us as a vendor under your professional responsibility rules. It supplements the Privacy Policy and the Terms of Service.

1. CaseRunway is not a law firm

CaseRunway is a software vendor. We are not a law firm. We do not provide legal advice. Our employees are not your clients’ attorneys. Communications routed through CaseRunway between your firm and your clients are not privileged communications between your client and us. The attorney-client privilege exists between your firm and your client; we are an external service provider through which those communications transit, similar to email or secure file transfer. You should treat CaseRunway like any other cloud vendor under your jurisdiction’s rules of professional responsibility, including the equivalents of ABA Model Rule 1.1 (technological competence), 1.6 (confidentiality), and 5.3 (responsibilities regarding non-lawyer assistance).

2. Sensitive data we expect to receive

The Service is designed to receive and store the following kinds of sensitive information for each case:

  • Debtor and joint debtor name, date of birth, and address.
  • Social Security Numbers (SSNs).
  • Employer name, occupation, and gross monthly income.
  • Marital status, dependents, and household composition information.
  • Uploaded documents: tax returns, pay stubs, bank statements, debt schedules, asset documentation, prior bankruptcy filings.
  • Communications between your firm and the client.

3. Encryption and access controls

  • SSN: encrypted at the application layer with a symmetric key (Fernet / AES-128-CBC + HMAC-SHA256) before being written to the database. Only the last four digits are stored in plain form for display. Decryption happens server-side only when a firm user explicitly views or exports the SSN, and exports including SSN are recorded in the audit log.
  • Documents: stored in encrypted object storage (Supabase Storage). Access is gated by short-lived signed URLs scoped to the requesting user and case. Documents are not served from public buckets.
  • Database: PostgreSQL with encryption at rest provided by Supabase. Multi-tenant isolation is enforced both in the application layer and at the database layer using row-level-security policies that scope every query to the firm that owns the data.
  • Network: all client traffic uses TLS 1.2 or higher.
  • Authentication: firm users authenticate with email and password through Supabase Auth. Passwords are stored hashed; we never see them in cleartext. Email confirmation is required before sign-in.
  • Internal access: CaseRunway operators have access to production systems only as needed to operate the Service. Direct database access is restricted, logged, and used only for incident response, support, and platform maintenance.
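To illustrate the database-layer tenant isolation described in the Database item above, the following is an added example and not CaseRunway's actual schema or policies. It is plain PostgreSQL; the table, columns, role, the `app.firm_id` session setting, and the UUIDs are all hypothetical or constructed.

```sql
-- Added illustration; every name below is hypothetical.
CREATE TABLE cases (
    id          uuid PRIMARY KEY,
    firm_id     uuid NOT NULL,   -- owning tenant
    debtor_name text NOT NULL,
    ssn_last4   char(4),         -- display-only fragment
    ssn_token   bytea            -- application-layer ciphertext
);

-- Policies are only evaluated once RLS is enabled on the table.
ALTER TABLE cases ENABLE ROW LEVEL SECURITY;
-- The table owner is exempt from RLS unless it is forced.
ALTER TABLE cases FORCE ROW LEVEL SECURITY;

-- USING limits which existing rows a statement can see or modify.
-- WITH CHECK rejects writes that would place a row under another firm.
-- An unset or empty setting becomes NULL, the comparison is then NULL,
-- and no row matches, so a missing tenant context fails closed.
CREATE POLICY cases_firm_isolation ON cases
    FOR ALL
    USING      (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid)
    WITH CHECK (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid);

-- The application connects as a role that is neither a superuser nor
-- BYPASSRLS, because both of those skip policies entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON cases TO app_user;

-- Isolation check, run inside a transaction so nothing persists.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.firm_id = '11111111-1111-1111-1111-111111111111';

-- Rows owned by any other firm are filtered out by USING.
SELECT count(*) AS foreign_rows
FROM cases
WHERE firm_id <> '11111111-1111-1111-1111-111111111111';

-- A write attributed to a different firm is refused by WITH CHECK.
INSERT INTO cases (id, firm_id, debtor_name)
VALUES ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
        '22222222-2222-2222-2222-222222222222',
        'Constructed Debtor');
ROLLBACK;
```

When reviewing a vendor's multi-tenant claims, the two details worth asking about are whether RLS is forced for the table owner and which database roles hold superuser or BYPASSRLS rights.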

4. Audit logging

The Service maintains an append-only audit log of firm-level actions: account creation and deletion, user invitations and role changes, plan and billing events, calendar and integration connections, and case data exports (including whether SSN was included in an export). Audit log entries are visible to the firm owner and admins. Read-only queries against case data are not, by default, written to the audit log.

5. Document retention

Your firm controls how long a case lives in the Service. Cases remain active until you delete them. When you delete a case it is soft-deleted for 30 days (recoverable by support request) and then permanently purged, including documents. If your jurisdiction requires a longer retention window for closed bankruptcy matters (commonly 5 to 7 years post-filing, longer in some states), keep the case active in CaseRunway for that period or export the file to your firm’s long-term archive before deletion. We do not delete cases on your behalf based on age.

6. Legal holds

If your firm receives a subpoena or court order that requires preservation of data stored in CaseRunway, email support@caserunway.com with the case and date range. We will suspend automated deletion for the affected records and confirm in writing.

7. Sub-processors and integrations

The current sub-processor list is in the Privacy Policy. Optional integrations only run when your firm explicitly connects them:

  • Microsoft 365 / Google Calendar: when connected, consult dates, filing deadlines, and attendee names sync to the connected calendar. SSN, financial figures, and document contents do not sync.
  • Clio: when connected, matter metadata syncs in both directions. Document binaries do not.
  • Form webhooks (JotForm, WordPress, Typeform, etc.): submissions you direct to your firm’s intake webhook URL arrive in CaseRunway as leads. Whatever your form collects is what we receive.

OAuth tokens for connected services are encrypted at rest. You can disconnect any integration at any time from the firm settings page, which revokes our stored tokens.

8. Backups and disaster recovery

Production databases are backed up daily by Supabase, with backups retained for up to 30 days. Backups are encrypted at rest. We do not provide point-in-time restore as a customer-facing feature; in an incident we will restore from the most recent good backup and notify affected firms.

9. Breach notification

If we discover a security incident that compromises personal information your firm has entered, we will notify firm administrators without undue delay and in any event within 72 hours of confirmation. Notification will include what we know about the scope, the categories of data affected, and what we are doing to respond. We will support your firm in meeting its own breach-notification obligations to clients and to state regulators (the 50 US states and DC each have their own breach notification statutes; bankruptcy intake data typically triggers the SSN-or-financial-account-number tier).

10. Data export and portability

Your firm can export case data as CSV at any time from the staff dashboard. To request a full firm-level export of all data we hold about your firm in machine-readable form (JSON), email support@caserunway.com from the firm-owner email. We respond within 30 days.

11. Compliance scope

CaseRunway is designed for US-based bankruptcy law firms.

  • We are not a HIPAA Business Associate. Do not enter Protected Health Information beyond what a normal bankruptcy intake would require (e.g., a debtor’s general medical-debt summary on schedules is fine; treatment notes are not).
  • We are not a GLBA-covered financial institution. We do, however, handle nonpublic personal information that your firm receives in connection with bankruptcy filings, and we apply industry-standard safeguards as described in this policy.
  • We do not currently hold SOC 2 or ISO 27001 attestation. We apply the controls described in this policy on a continuous basis. Firms that require formal attestation should contact us to discuss roadmap.

12. Changes to this policy

We may update this Data Handling Policy. The version date at the top of the page reflects the most recent material change. If a change materially reduces protections we will notify firm administrators by email before it takes effect.

13. Contact

Data-handling questions, security disclosures, and legal-hold requests: support@caserunway.com.