Tamper-evident grievance records · PLRA exhaustion defense · Built for county jails
Security & compliance

A litigation-defense product has to be defensible itself.

Custos handles sensitive grievance, medical, and PREA data. Here is how it's protected, what we've built, and exactly where we are on formal attestations — stated plainly, because your counsel will ask.

Built in

Security that ships today.

Tamper-evident ledger

Grievance actions are hash-chained and append-only. Records can be added and resolved, never silently altered or deleted.

Encryption in transit & at rest

TLS for all traffic; encrypted storage for grievance, medical, and PREA content.

Role-based access control

Counsel, command staff, and line officers see only what their role permits. Every view and change is logged.

Full audit trail

Who saw what, when, and what changed — a complete, exportable history for every record.

PREA-aware data handling

Confidential reports route off-unit and restrict visibility per §115.52.

Retention controls

Configurable retention to match your state schedule, with defensible deletion logging.

Where we are

Compliance roadmap, stated honestly.

We won't claim certifications we don't hold. Here's the real status — and what a pilot can proceed under in the meantime.

CJIS Security Policy alignment

In progress

Architecture and access controls built to CJIS standards; pursuing formal state CSA review. Pilots run under a county-supervised data agreement.

SOC 2 Type II

In progress

Controls implemented; observation window and third-party audit targeted next. Type I report available to pilot partners on request.

Tamper-evident record architecture

Live

Hash-chained, append-only grievance ledger is in production today.

Encryption & RBAC

Live

TLS in transit, encrypted at rest, role-based access with full logging — shipping now.

Data Processing Agreement

Available

County-specific DPA and security questionnaire ready for counsel review.

Custos is software, not legal advice. Compliance status is current as of June 2026 and provided for your counsel's due diligence; certifications are pursued on the timeline noted above.

Need the security packet for review?

We'll send the DPA, security questionnaire, and architecture overview for your counsel and IT.

Request the security packet