Security
This page lays out exactly what LenhardIntake stores, what it never touches, which storage providers are supported, and how account security works. No marketing language — just the architecture.
STORED
NEVER STORED
When a client submits a document or LenhardIntake generates a file (an intake summary, a transcript, a signed engagement letter), it passes through LenhardIntake's servers in transit only. The file is held in memory for the duration of that single request, then uploaded directly to your connected storage provider. Nothing is written to disk on LenhardIntake's infrastructure at any point.
Client device → LenhardIntake (in transit only) → Your storage
LenhardIntake requests the minimum OAuth scope each provider allows — enough to create and manage files it created, never broad access to your existing files.
TOKEN STORAGE
AES-256-GCM
IN TRANSIT
TLS in transit (enforced by Vercel's edge network)
AT REST
AES-256, managed by your storage provider's own infrastructure
Vendors who may process data as part of delivering LenhardIntake. None of them receive client documents — those go directly to your own storage.
We don't claim certifications we don't hold. Here's where things stand honestly.
Targeted as the customer base grows
Box offers a HIPAA BAA on its Business+ plan — LenhardIntake's Box integration is planned but not yet built
If you believe you've found a security vulnerability in LenhardIntake, please report it to security@lenhardintake.com. We ask that you give us a reasonable window to investigate and address the issue before any public disclosure. We will acknowledge your report and keep you updated as we work on a fix.