Astrea eDiscovery

SOC 2 Type 1 Service Description

1. Service Overview

Astrea eDiscovery provides technology-enabled and managed eDiscovery and litigation support services to law firms, corporations, government entities, legal departments, and other organizations. These services include the identification, preservation, collection, processing, hosting, review support, analytics, production support, consulting, and related workflows required to manage electronically stored information (ESI) throughout the EDRM lifecycle.

Core service offerings include:

  • Data Collection: Forensic acquisition of ESI from endpoints, cloud systems, collaboration platforms, mobile devices, and structured or unstructured data sources.
  • Data Processing: Metadata extraction, deduplication, text extraction, OCR, indexing, and file normalization to prepare data for review.
  • Hosting & Review Support: Secure hosting of client data in Reveal and Relativity SaaS environments, including workspace configuration, user provisioning, analytics setup, and review workflow support.
  • Production Support: Preparation of productions in TIFF, PDF, native, and load-file formats; Bates numbering; redaction workflows; and privilege log support.
  • Managed Services: Comprehensive support for ongoing eDiscovery operations, including project management, consulting, workflow design, and review team management. This includes oversight of matter planning, coordination of review activities, optimization of workflows for efficiency and defensibility, and strategic guidance throughout the lifecycle of a matter.

2. Client Onboarding

The client onboarding process begins when a client reaches out to Astrea eDiscovery (through approved communication channels) to initiate a new engagement. Astrea collects the required information, including the matter name and parties (used to execute a conflict check) and the authorized contacts. A scoping call follows to discuss the scope of the matter, custodian lists, data sources, legal hold status, deadlines, and production requirements.

Authorization is confirmed through an accepted estimate, as well as an executed engagement letter or statement of work, and a retainer. Once approved, the matter is created in Astrea’s matter management software (Clio), internal resources are assigned, communication channels are established, and data intake procedures are initiated.

3. Supported Platforms and Subservice Organizations

Astrea eDiscovery delivers eDiscovery and litigation support services using a combination of internal systems and approved third-party SaaS platforms. These platforms provide hosting, review, analytics, matter management, communication, and secure data transfer capabilities essential to service delivery. Astrea manages configuration, access, and operational workflows within these platforms, while the underlying infrastructure and platform-level controls are provided by the respective vendors.

Astrea eDiscovery uses the carve-out method for all subservice organizations. Controls operated by these vendors are excluded from the scope of this SOC 2 examination; however, Astrea relies on their SOC reports, contractual commitments, and security documentation to validate the effectiveness of their controls.

  • Relativity (RelativityOne)
      • Used for secure hosting, document review (including AI), searching & analytics, and production.
      • Vendor Responsibilities: Physical security, infrastructure security, platform availability, AI model security, core application and underlying system controls.
      • Astrea Responsibilities: Workspace configuration, user provisioning & access management, data ingestion, review workflow support, and production execution.
  • Reveal
      • Used for secure hosting, document review (including AI), searching & analytics, and production.
      • Vendor Responsibilities: Physical security, infrastructure security, platform availability, AI model security, core application and underlying system controls.
      • Astrea Responsibilities: Workspace configuration, user provisioning & access management, data ingestion, review workflow support, and production execution.
  • Microsoft 365
      • Used for communication, productivity, documentation, and secure file transfer.
      • Vendor Responsibilities: Physical and infrastructure security of the Microsoft cloud environment, platform availability, and core security controls.
      • Astrea Responsibilities: Tenant configuration, user access management, secure communication practices, and data handling within the environment.
  • Clio
      • Used for matter management, task tracking, documentation, and workflow coordination.
      • Vendor Responsibilities: Platform security, infrastructure management, and availability.
      • Astrea Responsibilities: Matter creation, matter management, task assignment, documentation, and access management.
  • Other Approved Platforms
      • Additional specialized tools may be used for forensic collection, secure data transfer, analytics, or data processing. These platforms & vendors are evaluated for security and compliance prior to use.

4. Data Handling Process

  • Data Receipt & Intake
      • Client data is received through secure transfer methods such as SFTP, encrypted physical media, secure cloud upload, or direct forensic collection.
  • Data Access & Data Processing
      • Authorized Astrea personnel access data through secure protocols, procedures, and mechanisms. Data is processed using industry-standard tools to extract metadata and text and to prepare datasets for review.
  • Hosting & Review
      • Processed data is uploaded into Astrea’s SaaS platforms, Reveal or Relativity. User access is provisioned based on client authorization, with role-based permissions and multi-factor authentication enforced.
  • Storage & Transfer
      • Data is stored in encrypted cloud environments. Transfers between systems occur using secure, encrypted channels.
  • Matter Closure
      • Upon client instruction, user access is removed and matter workspaces and data are archived or securely deleted. The matter is updated and documented accordingly in Clio.

5. Client Responsibilities

Clients play a critical role in ensuring the secure and effective delivery of eDiscovery services. To support defensible workflows, maintain data integrity, and enable proper system operation, clients are responsible for performing the following activities:

  • Matter Definition and Scope
      • Provide accurate and complete information regarding matter details, scope, custodians, data sources, timelines, and production requirements.
      • Notify Astrea promptly of any changes to scope, custodians, deadlines, or production specifications.
  • Legal Hold and Preservation
      • Issue, manage, and/or maintain legal holds for relevant custodians.
      • Ensure custodians comply with preservation obligations and do not alter or delete potentially relevant data.
      • Communicate any changes in legal hold status to Astrea.
  • Data Transfer and Collection
      • Ensure data is transferred to Astrea using secure, approved methods.
      • Provide access, credentials, or authorization required for remote or onsite data collection.
      • Confirm that data provided is complete, accurate, and free from corruption.
  • Access and Authorization
      • Approve user access requests and designate authorized client representatives.
      • Work with Astrea to manage client-side user access within review platforms when applicable.
      • Notify Astrea immediately when user access should be modified or revoked.
  • Review and Approval of Deliverables
      • Review and approve processing reports, search results, review workflows, production sets, parameters and protocols.
      • Provide timely feedback or corrections to ensure deadlines are met.
      • Validate that productions meet required specifications before submission to opposing parties or regulators.
  • Security and Compliance Responsibilities
      • Maintain secure endpoint configurations for systems used to access Astrea’s hosted review platforms.
      • Ensure client personnel follow secure authentication practices, including MFA where required.
      • Protect credentials, access tokens, and shared links from unauthorized use.
  • Retention, Archiving, and Closure
      • Provide instructions regarding data retention, archiving, or deletion at the conclusion of a matter.
      • Confirm that all required data has been produced or preserved before authorizing archiving or deletion.
      • Submit formal closure requests when a matter is complete.
  • Communication and Issue Reporting
      • Communicate promptly regarding deadlines, urgent requests, or potential issues affecting service delivery.
      • Report suspected security incidents, unauthorized access, or data anomalies immediately.
      • Use approved communication channels for support, escalations, and change requests.

6. Support Process

  • Clients may request support through email, phone, scheduled meetings, or platform-specific channels. Support requests may be triaged based on urgency and are assigned to the appropriate team member.
  • Escalations may follow a defined chain from the matter’s assigned project manager up to senior leadership.
  • Standard business hours apply, with after-hours support available with reasonable response times.

7. FAQs

  • How do we transfer data? Clients may use SFTP, encrypted drives, or secure cloud upload.
  • How long does processing take? Turnaround times vary based on volume and complexity; estimates are provided during matter onboarding.
  • How is confidentiality maintained? All data is encrypted in transit and at rest. Access is restricted to authorized personnel only.
  • What vendors/platforms are used? Reveal, Relativity, Microsoft 365, and Clio.
  • How long is data retained? Retention is based on client instructions and contractual requirements.
  • How do we close a matter? Clients submit a closure request; data is archived or deleted per instructions.

8. Change or Issue Requests

  • Clients may request changes or report issues through email, phone, or scheduled meetings.
  • Requests that result in tasks are logged in Clio, assigned to the appropriate team member, and tracked through resolution. Other requests may be handled via email.
  • Issues affecting data integrity or availability follow Astrea eDiscovery’s incident response procedures, including escalation and client notification.