How BarGuard Protects Your Compliance Data

How BarGuard Protects Your Compliance Data

BarGuard is built for a simple premise: when a bar association asks "prove what your tool found and when," you need an answer that holds up. Every design decision in the system reflects this. Here is how it works.

A real-world example

On January 15th, BarGuard scans your website and finds a prohibited testimonial claim on your practice areas page. On February 3rd, a rescan confirms the issue is still present. On February 10th, you fix the language. On February 12th, BarGuard rescans, detects the change, and marks the finding as resolved. On March 1st, the bar sends a complaint about your January advertising.

You export the January 15th scan report — it shows exactly what was found, with the original evidence quote, the rule citation, and a frozen snapshot that has not been altered by anything you did in February. The audit log shows the complete timeline: detected January 15th by system scan, confirmed February 3rd, resolved February 12th by system scan after content change. Every data point is traceable, every transition is logged, and the original evidence is preserved alongside the current state.

This is what BarGuard's data integrity system is designed to support. Below is how each piece works.

Your compliance data is permanent

Scans, violations, and reports are never deleted. When you remove a page from monitoring, it is archived — the page and all of its historical findings remain in the database, accessible for reference. When you delete a scan or a report, the record is marked as removed but preserved in full. Compliance rules that are retired are soft-deleted rather than erased, so past scans that relied on those rules remain explainable.

This extends to every category of data in the system. Scan reports, page monitoring history, and all associated records follow the same pattern: removal is a label, not destruction. The underlying data persists so that any historical question — "what did this page look like six months ago?" — can be answered from the original records.

Violations are never orphaned by deletion of related records. If a scan is removed, the violations it discovered retain their own independent history. If a monitored page is archived, its violations remain linked and queryable. The system uses referential rules that preserve violation records even when surrounding context is cleaned up.

Every finding has a complete history

When BarGuard first detects a compliance issue, it records the exact date of discovery, the scan that found it, and the original evidence — the specific language on the page that triggered the finding, along with the AI's confidence assessment. These original values are preserved permanently, even as the finding evolves over subsequent scans.

Every status change is logged automatically in a tamper-resistant audit trail. The system records what the status was before, what it changed to, when the change occurred, and who or what made it. When an attorney dismisses a finding, the log captures whether it was marked as a false positive or an accepted risk, along with the attorney's identity. When the system itself resolves or regresses a finding, the log records that it was a system action and links it to the specific scan that triggered the change. This distinction — human decision versus automated detection — is always preserved.

Findings track their full lifecycle: the date first detected, the date last confirmed, and how many consecutive scans have observed the issue. If a finding's supporting evidence changes between scans — for example, if problematic language is reworded but the underlying issue persists — the system preserves both the original evidence and the current evidence side by side. You can always see what was originally found and how it compares to what exists on the page today.

When a previously resolved finding reappears, it is not treated as a new issue. The system recognizes it as a regression, links it back to the original finding's history, and marks the return clearly. The full chain of detection, resolution, and reappearance is maintained as a single continuous record.

Scan results are frozen at completion

When a scan finishes, BarGuard creates a point-in-time snapshot of every finding — a frozen record of what was detected, at what severity, with what evidence, and in what status. This snapshot is stored directly on the scan record and cannot be altered by subsequent activity.

This means that if you dismiss a finding after a scan completes, the scan's snapshot still shows the finding as it was at completion. PDF reports and data exports draw from this snapshot by default, ensuring that exported documents reflect what was actually found at the time of the scan — not the current state of your dashboard.

This design is critical for evidentiary reliability. A compliance report generated from a March scan will show March's findings, regardless of what actions were taken in April. The snapshot cannot be edited, overwritten, or selectively filtered after the fact.

We never show "compliant" unless we are sure

BarGuard is designed to fail loudly rather than fail silently. Several mechanisms prevent the system from ever presenting a false clean bill of health.

Failed analysis preserves existing findings. If the AI model returns a response that cannot be interpreted — a malformed output, a network failure, or an unexpected format — the system does not treat the absence of new results as evidence of compliance. Instead, it leaves all existing findings in place and flags the scan with a visible warning. A failed analysis never causes existing violations to disappear.

Missing content is not treated as fixed content. When the system re-scans a page and cannot find a previously detected violation through its matching algorithms, it checks whether the original problematic language is still present on the page. If the evidence is still there, the finding is carried forward regardless of whether the AI re-identified it. This protects against the inherent variability in AI analysis — a finding is never silently dropped while its evidence remains visible.

Absence-type findings receive special protection. Findings like "this page is missing a required disclaimer" have no positive evidence to search for — the issue is that something is absent. These findings are never automatically resolved based on page content analysis alone. They are always either carried forward or explicitly re-evaluated by the AI with full context.

Partial scans are clearly labeled. If some pages in a scan fail to load or analyze, the scan is marked as partial — not completed. The number of pages that succeeded versus failed is recorded, and any credits consumed for failed pages are automatically refunded.

Configuration changes force full re-analysis. If the AI model, compliance rules, or analysis provider changes between scans, the system automatically abandons incremental analysis and performs a complete re-evaluation. This prevents stale comparisons between results produced under different analytical conditions.

Every scan is fully traceable

Each scan records the complete set of parameters that governed its analysis, creating a reproducibility record that can explain exactly how results were produced.

The scan record captures which AI model and provider performed the analysis, including whether the model version was pinned to a specific release. It records the exact temperature setting that controlled the AI's analytical variability, whether extended reasoning was enabled and at what depth, and the maximum response length permitted. The version of the analysis prompt is tracked, so changes to how the AI is instructed can be correlated with changes in results.

The compliance rules applied to each scan are recorded by source and verified by a cryptographic hash. If the rules change between scans, the system detects this automatically. Every individual AI interaction — each page analyzed, each jurisdiction evaluated — is logged with the specific model used, the number of tokens processed, and the effective cost.

This level of traceability means that for any finding, you can reconstruct the full chain: which rules were applied, which AI model evaluated the page, what prompt guided the analysis, and what the AI's raw assessment was before post-processing.

Your data is yours alone

BarGuard enforces firm-level data isolation at the database layer, not just the application layer. Every query that retrieves compliance data passes through access control rules embedded directly in the database, which verify that the requesting user has an active role on the firm that owns the data. This verification happens on every request, for every table, without exception.

This means that even if an application-level bug were introduced, the database itself would refuse to return data belonging to another firm. Scans, violations, audit logs, page monitoring records, reports, and usage logs are all independently protected by the same firm-scoped access rules. There is no shared data pool that could leak between accounts through a query error or permission misconfiguration.

Built to withstand scrutiny

BarGuard is engineered for the scenario where every claim it makes must be independently verified. The combination of permanent data retention, immutable scan snapshots, comprehensive audit logging, and full analytical traceability creates a system where no finding exists in isolation — every result can be traced back to the evidence that produced it, the rules that required it, the model that evaluated it, and the exact moment it was recorded.

The system's conservative approach to automated resolution — requiring evidence-based confirmation before removing findings, preserving existing results when analysis fails, and forcing complete re-evaluation when analytical conditions change — reflects a deliberate design choice: it is better to over-report than to under-report. A finding that persists one scan longer than necessary is an inconvenience. A finding that disappears prematurely is a liability.

Concurrent operations cannot corrupt your data. The system uses atomic database operations to ensure that even when multiple pages are being analyzed simultaneously, scan completion is counted exactly once per page, finalization runs exactly once per scan, and no race condition can produce an inconsistent state. Stuck or abandoned scans are detected, safely marked as failed, and their unused credits are refunded automatically.

When you present a BarGuard report to a bar association, opposing counsel, or a malpractice insurer, every data point in that report is backed by a frozen snapshot, a complete audit trail, and a fully traceable analytical record. The system is designed so that the answer to "prove it" is always available.