Discovery Services for Civil Litigation
How access to financial records works, who is exchanging information, and where the underlying data is stored.
Jump to: Data Sharing · Where Data Is Stored · OAuth2 API
Three parties take part in every discovery request, and each one has a different concern to resolve before financial information changes hands.
In lieu of a formal Subpoena Duces Tecum, the attorney sends a secure, one-time invite link asking the client to share their financial account statements and transaction history. The attorney's real concern isn't the request itself - it's completeness. It's easy to overlook an account the client rarely mentions, or to end up with a gap of a month or two in the statements. A discovery record is only as good as what it includes.
When the client receives that request, they need a straightforward way to respond - grant access to the requesting attorney, and just as easily revoke it later. Nothing about the grant is permanent or one-directional.
The financial institution wants to honor its client's wishes, but it can't take a request at face value. Before any data moves, the institution confirms that the party asking for it is the one the client actually authorized - not merely someone who claims to be.
Put together, these three concerns are what the access-token system resolves: the attorney gets a request built for completeness, the client keeps a revocable grant, and the institution never releases records without verifying the client's authorization first.
Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.
Civil Rule 26 .Com does not warehouse invitees' financial data. The records themselves stay with the financial institutions that issued them, and only move as far as a signed authorization allows.
Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.
Civil Rule 26 .Com never asks for or stores an invitee's online banking username or password. Instead, Plaid - the data broker described above - handles the OAuth2-style handshake between the invitee, their financial institution, and the requesting attorney.
Before any data moves, three separate agreements have to be in place. The attorney requests access and the invitee consents to share it. The invitee authorizes their financial institution to work with Plaid. Plaid, in turn, issues the attorney a scoped access token. No single party can shortcut the other two.
When the invitee grants access, they enter their username and password directly on their financial institution's own login page. That key moves in exactly one direction - from the invitee to their institution - and it is never shared with Plaid, the attorney, or Civil Rule 26 .Com.
Once the institution approves, Plaid issues the attorney an access token - a secret key that only works for this one request. Activating it does not hand over the invitee's login; it authorizes a single read-only, time-limited pull of the records the invitee agreed to share, and the invitee can revoke it at any time.
In short: OAuth2 lets an invitee say "yes, this attorney may view these specific records" without ever handing over their banking credentials, and lets them say "no" again later by revoking the grant.
Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.