Skip to main content

Cannabis regulatory counsel design-partner pilot

Design-partner trust and source-grounding methodology

Aeacus is in controlled design-partner mode. This page is the honest current posture for law-firm pilot conversations: how source-grounded work product is assembled, what controls exist now, what is explicitly not being claimed, and what must be agreed before confidential client material is used.

Methodology

Source-grounding methodology

This is a public explanation of the current design-partner workflow, not a certification report. It is meant to help counsel evaluate how Aeacus turns public regulatory sources into reviewable work product.

1. Source ingestion

Aeacus monitors selected public regulatory sources, connector outputs, and source catalogs. Ingestion is bounded to known source adapters and does not imply every possible authority has been captured.

2. Source versions and snapshots

Each captured source version preserves source metadata, retrieval timing, and snapshot context so later work can point back to the version reviewed instead of an undated web page.

3. Chunking, retrieval, and citation assembly

Source text is chunked for retrieval, then assembled into cited answers, memos, alerts, matrices, and packets. Citations are review aids, not guarantees that every applicable authority has been exhausted.

4. Freshness and change context

Freshness dates and detected changes help counsel distinguish current source context, stale records, proposal-stage material, and items that need follow-up review.

5. Human review and audit trail

Aeacus drafts and organizes source-grounded work product, but attorney review is required before client use or operator handoff. Counsel remains responsible for legal conclusions and client advice.

6. Data boundaries

Pilot work starts from public or anonymized scenarios unless a design partner separately agrees confidential-data handling, retention, export, and deletion terms in writing.

Buyer comparison

Where Aeacus fits against the products buyers already know

Cannabis regulatory counsel will compare Aeacus against broad legal AI, horizontal RegTech, and cannabis operator systems. Aeacus is not trying to replace all-law research databases, GRC suites, POS, ERP, or state traceability systems. The wedge is source-grounded legal/regulatory work product and evidence handoff for regulated-vertical matters.

Broad legal AI platforms

Harvey, Legora, CoCounsel, Lexis+, Vincent

Can this produce reviewable legal work product with trusted sources?

Aeacus focuses on cannabis regulatory counsel workflows: matter-scoped answers, memos, alerts, matrices, source-version citations, and attorney-reviewed client packets.

Live/beta: cited matter outputs, sample packet, Source Vault grounding, citation-validation evals.

Regulatory intelligence / RegTech

FiscalNote, Regology, CUBE, Compliance.ai, Ascent

Can this monitor regulatory change, explain impact, and create an audit trail?

Aeacus narrows the RegTech pattern to regulated-vertical source monitoring, source freshness, change impact, operator obligations, and counsel/operator handoff evidence.

Live/beta: Source Vault status, durable monitor foundation, change-impact workflow; broader source coverage remains in development.

Cannabis operator systems

Simplifya, Distru, Metrc/BioTrack, Dutchie/Greenbits, Canix, age/license verification vendors

Does this replace POS, ERP, traceability, or audits?

No. Aeacus is the legal/regulatory evidence and decision-support layer across packages, facilities, licenses, obligations, and operator-system records.

Live/beta: packaging review records and evidence memos; planned: read-only commerce/traceability evidence integrations before any write/blocking automation.

Source coverage

Cannabis source coverage status

This is the current public-beta coverage posture for cannabis counsel conversations. It is intentionally conservative: live/beta means the source category exists in current workflows or deterministic evals; fixture/demo means useful for regression or examples only; planned means not a current guarantee. This is not a claim of exhaustive national cannabis coverage.

Live / public beta

Sources that are represented in current Source Vault, monitor, eval, or sample-packet workflows. Availability still depends on source-specific retrieval health and counsel review.

  • Federal Register cannabis scheduling and hemp-adjacent notices.
  • eCFR Title 21 Controlled Substances Act context.
  • California DCC public regulatory materials.
  • Washington WAC cannabis rules.
  • Illinois Part 1290 cannabis rules.

Fixture / demo only

Rows used for deterministic demos or regression coverage, not marketed as live monitored jurisdiction breadth.

  • New York rows are retained as deterministic fixtures until live source monitoring and freshness status are validated.
  • Sample packet citations are public, inspectable examples and do not imply every client fact pattern is covered.

Planned with design partners

coverage expands source-by-source after counsel validates authority priority, update cadence, and pilot relevance.

  • Additional state cannabis agencies, municipal ordinances, regulator guidance pages, enforcement bulletins, and operator-system evidence connectors.
  • Read-only traceability, POS, ERP, license, and facility evidence integrations before any write-enabled or blocking workflow.
Jurisdiction
Authority / source type
Freshness / retrieved
Monitoring status
Demo / live caveat
Federal — Federal Register / eCFR
Federal Register notices and eCFR Title 21 controlled-substance context
Current through public beta source snapshots; verify cited version before client use
Live/beta Source Vault and deterministic eval coverage
Live public-source workflow, not a complete federal legal-research universe
California — Department of Cannabis Control
State cannabis regulator materials, guidance, and public rules
Retrieved / validated in Source Vault seed and eval artifacts
Live/beta for pilot cannabis counsel workflows
Validated for current pilot demos; counsel must confirm client-specific facts
Washington — WAC cannabis rules
Washington Administrative Code cannabis rule corpus
Retrieved / validated in Source Vault seed and eval artifacts
Live/beta source corpus and regression coverage
Useful for cited answers and impact examples; not a guarantee every bulletin is captured
Illinois — Part 1290 cannabis rules
Illinois cannabis rules used in source-backed eval and matrix rows
Retrieved / validated in Source Vault seed and eval artifacts
Live/beta deterministic coverage for selected Part 1290 topics
Scope is selected cannabis regulatory material, not full-state legal coverage
New York — fixture rows
Deterministic regression rows for demo and internal packet checks
Fixture only until live monitoring is validated
Fixture/demo only
Do not present as monitored live coverage in buyer conversations

Current baseline, not certification

Diligence-ready security and data posture

This compact baseline answers the first-pass law-firm diligence questions for a design-partner pilot. It separates current controls from terms or roadmap items that require written agreement before confidential client material is used.

Hosting

Current control: Vercel-hosted Next.js application with Supabase Postgres and Storage for product data and source artifacts.

Design-partner term or roadmap item: firm-specific hosting, private networking, and data-residency terms are not guaranteed without a signed pilot addendum.

Encryption

Current control: TLS in transit for public HTTPS traffic and Supabase-managed encryption at rest for database/storage services.

Design-partner term or roadmap item: customer-managed keys and formal cryptographic attestation are not claimed today.

Access controls

Current control: invite-only workspace access, Supabase-authenticated sessions, role-based product permissions, and workspace-scoped matter/work-output access.

Design-partner term or roadmap item: per-firm access matrix and least-privilege reviewer roster are agreed before confidential use.

MFA / SSO status

Current control: pilot access is invite-gated; MFA and enterprise SSO are not marketed as live contractual controls.

Design-partner term or roadmap item: SAML/OIDC SSO and required MFA policies should be scoped before broader law-firm rollout.

Model providers and subprocessors

Current control: Anthropic and Voyage AI may process prompts, generations, embeddings, or reranking inputs for enabled workflows; Supabase and Vercel provide core application infrastructure.

Design-partner term or roadmap item: subprocessor list, model-routing boundaries, and any zero-retention terms must be documented in the pilot agreement.

No-training and data-use posture

Current control: No model training on pilot data without written approval; public/anonymized scenarios are preferred until confidential-data terms are set.

Design-partner term or roadmap item: confidential-data use, prompt logging, and model-provider retention terms need written confirmation before production use.

Retention, deletion, and export

Current control: design partners should agree retention, deletion, and export expectations before confidential client material is used; sample artifacts are public/non-confidential.

Design-partner term or roadmap item: automated retention windows, deletion SLA, and export packaging format remain pilot-scoped terms.

Audit logging

Current control: product workflows preserve source-version citations, work-output lifecycle state, and review/audit-trail context where implemented.

Design-partner term or roadmap item: firm-facing audit log exports and SIEM integrations are not claimed as current guarantees.

Incident and security contact

Current control: security and pilot incident reports should be sent to contact@aeacus.ai with affected workspace, timeframe, and artifact details.

Design-partner term or roadmap item: formal incident response SLA, DPA, insurance, and breach-notice terms require a signed agreement.

Current controls

  • Invite-only pilot access for law-firm design partners.
  • Matter/work-output access is scoped to the invited workspace and existing role-based product permissions.
  • Source-grounded outputs preserve citation and source-freshness context for attorney review.
  • The Intelligence Center source status dashboard separates live Source Vault, fixture/demo, stale/error, and planned coverage signals.
  • Public sample artifacts avoid client confidential information and attorney work product.
  • Public source records and source-version metadata are stored separately from client work product.

Not claimed today

We do not claim SOC 2 or ISO certification yet. This posture is not a production security attestation, penetration-test report, insurance representation, or substitute for a firm security review. Aeacus does not make autonomous legal determinations or live checkout-blocking decisions.

  • SOC 2, ISO 27001, FedRAMP, HIPAA, or formal penetration-test attestation.
  • Zero-retention, no-subprocessor, or firm-wide deployment commitments outside a signed pilot agreement.
  • Full legal-research coverage across all jurisdictions or every applicable authority.
  • Autonomous legal advice, regulator approval, live checkout blocking, or production enforcement decisions.

Pilot data and legal boundaries

  • No autonomous legal advice: Aeacus drafts and organizes research, but counsel owns legal judgment.
  • Attorney review is required before client use or operator handoff.
  • No model training on pilot data without written approval.
  • Deletion/export expectations are agreed before confidential client material is used.
  • Role-based access is limited to the invited design-partner workspace.

Roadmap, not current guarantee

  • Regulatory change redline/detail views with effective/proposed status and affected-obligation context.
  • Design-partner security review artifacts and firm-specific data-handling addenda where required.
  • Supervised export paths for operator evidence packets before any write-enabled integrations.

Citation validation and eval baseline

The current trust baseline is deterministic and source-backed. It is designed to catch regressions in source retrieval, quote validation, answer caveats, and hallucination guardrails before a design-partner demo—not to support a public accuracy marketing claim.

  • Deterministic CI eval rows currently cover 50 cannabis regulatory Q&A rows, 15 change-impact rows, and 10 matrix rows across California, Washington, Illinois, federal, and hemp topics, plus New York fixture rows.
  • Each Q&A row checks retrieval hit, citation validity, quote grounding, temporal scope, jurisdiction scope, and prohibited-claim checks, plus required-answer terms.
  • Change-impact and matrix rows check severity/deadline preservation, facility scoping, human-review gates, jurisdiction coverage, and source-version coverage.
  • A JSON artifact can be generated with npm run eval:golden for internal design-partner review.
  • No public accuracy percentage is claimed yet; results are internal regression evidence for design-partner review.

Open decisions before confidential use

  • Whether a design partner will provide only public/anonymized scenarios or confidential client material.
  • Who at the firm may access each pilot workspace and exported packet.
  • Retention period, deletion timing, and export format for pilot work product.
  • Whether additional firm-specific security review is required before production use.