SternBench Authority Security and Data Handling Overview
Last updated on May 2, 2026.
- Applies to: SternBench Authority
- Access: Public
- Status: Published
This overview describes the security and data-handling posture for SternBench Authority, the ChatGPT app and MCP authority-retrieval service operated at authority-mcp.sternbench.com.
Service Posture
SternBench Authority is a read-only legal authority retrieval service. It is designed to search and retrieve data from SternBench authority systems and return citation-friendly results, passages, paragraph pinpoints, caveats, and SternBench Search source links.
The service does not provide tools for creating, editing, deleting, posting, sending, uploading, or modifying user files, court records, public records, third-party systems, or external accounts.
Authentication and Access Control
Access to SternBench Authority is authenticated. During pilot and review operation, access may be limited to approved accounts through allowlist controls.
Authentication is designed to use OAuth-based authorization for ChatGPT and MCP-compatible clients, with Clerk or another identity provider supporting account and allowlist checks where applicable. The service verifies authentication and authorization server-side before allowing protected MCP tool calls, and the implementation is designed to align with OpenAI's Apps SDK authentication requirements applicable to ChatGPT app review and operation.
Review or pilot credentials must not be shared with unauthorized users.
Least-Privilege Design
SternBench Authority is designed to request only the account and query information needed to provide authority retrieval. Tool inputs are purpose-specific, such as legal research queries, case references, jurisdictions, citations, or propositions.
The service does not intentionally request full conversation history, precise location, payment data, medical data, or user-uploaded documents.
Server-Side Validation
SternBench validates inputs and authorization on the server side. Model-generated tool calls, user prompts, and retrieved content are treated as untrusted input: the service applies its own checks rather than relying on client behavior.
Error conditions, expired or malformed credentials, missing authorization, and accounts that are not authorized result in the request being rejected or challenged through the authentication flow.
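The server-side gate described above, as an added example and not SternBench code: a handler that, for every protected tool call, checks the bearer credential, then the allowlist, then the model-supplied arguments, and returns a distinct outcome for missing, malformed, expired, and not-allowlisted cases before anything is dispatched. The token format (an HMAC-signed payload), the signing key, the allowlist entries, and the single retrieval tool are constructed assumptions of this example; a production service would validate its identity provider's OAuth tokens instead, but the order of checks is the point.

```python
"""Server-side gate for protected MCP tool calls: authenticate, authorize,
validate input, then dispatch. Added example, not SternBench code."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumption: a compact "payload.signature" bearer token signed with an HMAC key
# that only the service holds. A production service would validate its identity
# provider's OAuth/JWT tokens instead; the decision logic below is unchanged.
SIGNING_KEY = b"constructed-demo-signing-key"          # constructed for the example
ALLOWLIST = {"pilot-reviewer@example.com"}             # constructed pilot allowlist
PROTECTED_TOOLS: Dict[str, Callable[[dict], dict]] = {
    # Stand-in for a read-only retrieval tool; returns constructed data.
    "search_authorities": lambda args: {"hits": ["constructed hit for: " + args["query"]]},
}


@dataclass
class Decision:
    status: int                  # 200 ok, 400 bad input, 401 challenge, 403 forbidden, 404 unknown tool
    reason: str                  # short category; safe to log, carries no secret or query text
    subject: Optional[str] = None
    result: Optional[dict] = None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: float) -> str:
    """Mint a test token. In practice only the identity provider issues tokens."""
    payload = json.dumps({"sub": subject, "exp": int(now + ttl_seconds)}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def verify_token(token: str, now: float) -> Tuple[str, Optional[str]]:
    """Return ("ok", subject) or (error_category, None). Never raises on bad input."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64url_decode(payload_b64), _b64url_decode(sig_b64)
    except (ValueError, TypeError):                     # wrong shape or undecodable
        return "malformed_credential", None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):          # constant-time; catches tampering
        return "malformed_credential", None
    try:
        claims = json.loads(payload)
        subject, exp = str(claims["sub"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return "malformed_credential", None
    if now >= exp:
        return "expired_credential", None
    return "ok", subject


def handle_tool_call(headers: Dict[str, str], tool: str, args: dict,
                     now: Optional[float] = None) -> Decision:
    """Every check runs on the server; nothing about the client is trusted."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not auth[7:].strip():
        return Decision(401, "missing_authorization")           # challenge: start the OAuth flow
    reason, subject = verify_token(auth[7:].strip(), now)
    if reason != "ok":
        return Decision(401, reason)                             # expired or malformed: re-authenticate
    if subject not in ALLOWLIST:
        return Decision(403, "not_allowlisted", subject)         # authenticated but not approved for pilot
    handler = PROTECTED_TOOLS.get(tool)
    if handler is None:
        return Decision(404, "unknown_tool", subject)
    query = args.get("query")
    if not isinstance(query, str) or not query.strip() or len(query) > 2000:
        return Decision(400, "invalid_input", subject)           # model-generated arguments are validated too
    return Decision(200, "ok", subject, handler(args))
```

Returning 401 for credential problems and 403 for allowlist failures keeps the two outcomes distinguishable in operational logs while the reason strings carry neither the credential nor the query text.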
Prompt-Injection Awareness
SternBench Authority is designed for retrieval from legal authority data, but prompts and retrieved text may still contain misleading, irrelevant, or malicious instructions. The service is operated with the assumption that prompt-injection attempts and adversarial inputs may occur.
The service's tool posture is read-only, which limits the impact of prompt injection: an injected instruction can at most cause an MCP call to retrieve authority data, not an external write action. It does not stop retrieved text from influencing how the model summarizes or cites an authority, so users should still verify returned authorities against the linked source material and avoid treating model output as legal advice.
Logging and Monitoring
SternBench may log operational and security events such as timestamps, tool names, request status, latency, errors, correlation identifiers, authentication and authorization outcomes, allowlist decisions, and abuse-prevention signals.
Logs are used for reliability, debugging, security monitoring, abuse prevention, support, and review readiness. SternBench aims to avoid storing secrets, bearer tokens, passwords, one-time codes, or raw prompt text where a shorter operational record is sufficient.
Data Retention
SternBench Authority is designed not to create a persistent SternBench history of user legal research queries or user-specific authority results.
When you submit a query through ChatGPT or another MCP-compatible client, SternBench Authority processes the query transiently to retrieve authorities, passages, citations, paragraph pinpoints, and source links from the SternBench corpus. SternBench Authority does not store user-specific query history or result history in an application database.
The MCP service may keep short-lived, in-memory fetch handles so that a selected search result can be fetched during the same research flow. These handles are temporary, are not written to a database, and expire automatically. They may also disappear earlier if the service restarts.
SternBench Authority writes minimal operational and security logs for service operation, debugging, reliability, abuse prevention, and support. These logs are designed to record metadata such as request path, method, status, duration, protocol/header presence, and error category. They are not designed to include raw legal research queries, returned authority payloads, bearer tokens, OAuth access or refresh tokens, passwords, one-time codes, or payment information.
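The handle and logging behaviour described in the two paragraphs above, as an added illustration rather than the service's own code: an in-memory store that issues unguessable fetch handles with a fixed lifetime, purges them when they expire, and writes operational records that can only contain an allowlisted set of metadata fields. The 600-second lifetime, the binding of each handle to the account it was issued to, and the sample URLs and field names are assumptions of this example, not details the page states.

```python
"""Short-lived in-memory fetch handles plus metadata-only operational logging.
Added example, not SternBench code."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

HANDLE_TTL_SECONDS = 600   # assumption: how long a handle stays redeemable within one research flow

# The only keys an operational record may carry. Query text, returned passages
# and credentials are never in this set, so they cannot reach the log.
LOG_FIELDS = frozenset({"ts", "path", "method", "status", "duration_ms",
                        "error_category", "correlation_id", "has_auth_header"})


def log_record(**fields) -> dict:
    """Build a log entry from metadata only; unknown keys are dropped, not redacted later."""
    return {k: v for k, v in fields.items() if k in LOG_FIELDS}


@dataclass
class _Entry:
    subject: str        # account the handle was issued to (assumption: handles are account-bound)
    source_url: str     # what the handle resolves to; constructed in tests
    expires_at: float


class FetchHandleStore:
    """Opaque handle -> source locator, held in process memory only.
    A restart empties the store; nothing here touches a database."""

    def __init__(self, ttl: float = HANDLE_TTL_SECONDS):
        self._ttl = ttl
        self._entries: Dict[str, _Entry] = {}
        self.log: List[dict] = []

    def _purge(self, now: float) -> None:
        expired = [h for h, e in self._entries.items() if e.expires_at <= now]
        for h in expired:
            del self._entries[h]

    def live(self) -> int:
        return len(self._entries)

    def issue(self, subject: str, source_url: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self._purge(now)
        handle = secrets.token_urlsafe(16)            # unguessable; unrelated to the query or URL
        self._entries[handle] = _Entry(subject, source_url, now + self._ttl)
        return handle

    def fetch(self, handle: str, subject: str, correlation_id: str,
              now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        started = time.perf_counter()
        self._purge(now)
        entry = self._entries.get(handle)
        if entry is None:
            status, error = 404, "handle_expired_or_unknown"
        elif entry.subject != subject:
            status, error = 403, "handle_subject_mismatch"   # another account cannot redeem it
        else:
            status, error = 200, None
        self.log.append(log_record(ts=now, path="/fetch", method="POST", status=status,
                                   duration_ms=round((time.perf_counter() - started) * 1000, 3),
                                   error_category=error, correlation_id=correlation_id,
                                   has_auth_header=True))
        return entry.source_url if status == 200 else None
```

Building each record from an allowlist of field names is more robust than scrubbing afterwards: a query string, a returned passage or a token can only appear in the log if someone deliberately adds a field for it to LOG_FIELDS, and the handle's lifetime is enforced on every lookup rather than by a background job that might not run.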
SternBench Authority does not intentionally store user-uploaded documents because the current MCP service does not support document upload.
Authentication and account records, such as review or pilot account email addresses, may be retained by SternBench and its identity provider for access control, security, and support while the account remains authorized. OpenAI/ChatGPT and Clerk may retain account, session, and client-surface data according to their own policies and user settings.
If you contact us at founder@sternbench.com, we may retain the support correspondence for as long as needed to respond and maintain appropriate business records. You may request deletion of SternBench Authority access records or support records associated with your use, subject to legal, security, and operational requirements.
Source Corpus
SternBench Authority retrieves from SternBench authority systems, including public judgment and authority materials curated for the SternBench corpus. Results may include source links to SternBench Search pages so users can inspect the underlying material.
SternBench Authority is not a complete citator, complete appellate-history service, complete negative-treatment service, or complete good-law review.
No Document Upload Posture
The current SternBench Authority MCP service does not support document upload or user file storage. If that changes, SternBench should update this overview and the SternBench Authority Privacy Policy before launch of the new capability.
Operational Readiness
SternBench monitors production health, authentication behavior, error rates, and tool behavior during review, pilot access, and operation. The service may be limited to a controlled review or pilot audience while reliability, access controls, and applicable review requirements are validated.
Security Contact
To report a security concern or ask about SternBench Authority data handling, contact:
founder@sternbench.com
Contact
Questions about this document can be directed to founder@sternbench.com.