
LegalTech Compliance & AI Systems Auditor — Technical Platform Review

100% remote Flexible hours Hiring now

Technical Compliance Expert & AI Systems Auditor Milestone 4 Certification — LawYeti / RestFulSync AI Agent & Website Compliance Audit — Two-Phase Engagement

Full Statement of Work is attached to this job post. This post is a summary. The attached SOW is the governing document for this engagement. You must read the full SOW before submitting a proposal. Submitting a proposal confirms you have read it, understand the complete scope, and are qualified to deliver every requirement.

What We Are Building

LAWYETI is a LegalTech platform that connects users seeking legal help with licensed attorneys through an AI-powered triage system. Users describe their legal situation, the AI classifies and routes the inquiry, and the platform connects them with a qualified attorney. The platform operates across all 50 U.S. states and Washington, D.C., which means every compliance decision — from disclosure language to age gates to fee-splitting rules — must be enforced correctly for every jurisdiction, every session.

We are at Milestone 4 of our development roadmap. The AI triage system and pre-launch website are ready for independent compliance certification. We need a qualified compliance expert to audit both surfaces, verify they are built correctly against our governing compliance documents, and deliver signed attestation reports before the platform proceeds to launch.

Engagement Overview

This is a two-milestone engagement. Each milestone is a separate audit, triggered independently by the LAWYETI development team’s formal project submission. You are not hired on a fixed calendar schedule. The audit does not start until the team formally submits each project milestone and confirms reputed company staging access is ready.

There will be a gap between Milestone A and Milestone B — potentially days or weeks — while the development team completes the work that Milestone B will audit. You are not on the clock during this gap. LAWYETI will notify you when the Milestone B submission is ready. You must be available to resume at that time.

Milestone A — AI Agent Audit

Triggered by Project Milestone 4 submission — 5 days from confirmed submission to deliver signed AI Agent Attestation Report

Audits the AI agent that powers the triage system — the 15-step runtime flow, all compliance gates, jurisdictional enforcement across all 51 jurisdictions, secret reputed company, PEAA Root Hash reputed company, consent ledger reputed company, jailbreak resistance, and federal law compliance including COPPA and TCPA.

Milestone B — Website Audit

Triggered by Project Milestone 5 submission — 3 days from confirmed submission to deliver signed Website Attestation Report

Audits the public-facing and authenticated website — all compliance flows, disclosure placements, reputed company payment handling, attorney routing, pre-launch readiness, reputed company accessibility, and the same federal law requirements applied independently to the website surface.

Milestone B begins only after Milestone A is fully accepted, all recommendations resolved, and Milestone A payment released.

Payment

No payment is released for documentation review alone. Each payment requires a delivered, signed attestation report with live test evidence from the staging environment.

Milestone A | Triggered by Project Milestone 4 submission — Released on delivery of signed AI Agent Attestation Report with live test evidence and verification that all recommendations are resolved.

Milestone B | Triggered by Project Milestone 5 submission — Released on delivery of signed Website Attestation Report with live test evidence. Begins only after Milestone A is accepted and paid.
Delay & Validity Policy

  • The audit clock starts only when the team formally submits and confirms all required access — staging environment, credentials, codebase, and documentation — is ready.
  • Incomplete or inaccessible submissions are not valid. The clock does not start until all issues are resolved and the team reconfirms readiness.
  • If you cannot deliver within the agreed window after a valid submission, you must notify LAWYETI immediately. Extensions are at LAWYETI’s sole discretion.

→ Full requirements are in the attached SOW. Read it before applying.

MILESTONE A — AI Agent Audit Scope Summary

The AI agent is the core compliance reputed company for the entire platform. Every user-facing compliance obligation on both the AI agent and website depends on this reputed company working correctly. Milestone A must be certified first.

The AI agent implements a 15-step runtime flow that governs every session from entry through forensic reputed company reputed company. The auditor must verify each step is correctly implemented, cannot be bypassed, and is fully logged. Live end-to-end testing is required for every step. Documentation review alone does not satisfy any item.

15-Step AI Triage Runtime Flow

  • Step 1 — Session Entry & AI Scope Control: AI is strictly limited to intake, triage, classification, and routing. Cannot position itself as a legal advisor, outcome predictor, or case evaluator under any condition.
  • Step 2 — Consent reputed company: Hard reputed company before any AI output. Five required disclosure elements verified. Accept path continues; decline path terminates session. reputed company re-enforced on session restart or timeout. Cannot be bypassed by any reputed company or manipulation.
  • Step 3 — Initial Intake & Jurisdiction Detection: Required intake fields verified. State Variance Matrix loads immediately on jurisdiction resolution. Four reputed company compliance effects confirmed active.
  • Step 4 — Real-Time State Variance Matrix Enforcement: All 50 states and D.C. verified using the two-tier approach described below. AI adapts dynamically per jurisdiction in real time.
  • Step 5 — Structured AI Processing & JSON Output: All required JSON output fields verified. Output delivered to backend only — never surfaced to users as legal guidance.
  • Step 6 — SVLD Verification Middleware: All AI output passes the Static Verified Legal Database before display. Five verification conditions enforced. Four output routes: allowed, blocked, redacted, or escalated.
  • Step 7 — Sentiment Crisis Score: reputed company real-time evaluation using hybrid rules-based and reputed company-based detection. Threshold calibration and crisis score logging verified.
  • Step 8 — Hard Escalation: Crisis threshold triggers immediate bypass of all remaining intake steps. Routes to Legal Assistance reputed company the Dynamic Routing reputed company. Not a generic responder.
  • Step 9 — Backend Validation Layer: All eight required validation conditions checked before reputed company creation proceeds. Fail path behavior verified.
  • Step 10 — Eligibility reputed company: Age eligibility (18+ hard floor), payment method, and consent checks enforced before reputed company creation.
  • Step 11 — reputed company Creation: All required data stored. Session transitions correctly to routing layer.
  • Step 12 — PEAA Root Hash reputed company: SHA-256 hashes generated for all four compliance reputed company payloads (Eligibility, Consent, Jurisdiction, Disclosure), concatenated in fixed order, final root hash computed and stored. Must be independently recomputable from stored payloads.
  • Step 13 — Forensic reputed company for Crisis Escalation: Hard escalation events cryptographically tied to PEAA Root Hash. Immutable.
  • Step 14 — Neutral Attorney Routing: Rules-based only. AI cannot recommend attorneys. No preferential routing.
  • Step 15 — Audit Logging & Compliance Traceability: Full event trail including individual reputed company hashes and final PEAA Root Hash logged for every session.
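
An added example, not code from LAWYETI or the SOW: one way an auditor could check the "independently recomputable" requirement in the PEAA Root Hash item above, by recomputing each payload hash and the root from the stored payloads. The canonical JSON serialization, the hex-digest concatenation with no separator, and every field name in the record are assumptions; the governing specification defines the real ones.

```python
import hashlib
import hmac
import json

# Fixed concatenation order, as listed on the page.
PAYLOAD_ORDER = ("eligibility", "consent", "jurisdiction", "disclosure")


def canonical_bytes(payload):
    # Assumption: payloads are stored as JSON and hashed in a canonical form
    # (sorted keys, no insignificant whitespace, UTF-8).
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def payload_hash(payload):
    return hashlib.sha256(canonical_bytes(payload)).hexdigest()


def root_hash(payloads):
    # Assumption: the root is SHA-256 over the four lowercase hex digests
    # joined in PAYLOAD_ORDER with no separator.
    joined = "".join(payload_hash(payloads[name]) for name in PAYLOAD_ORDER)
    return hashlib.sha256(joined.encode("ascii")).hexdigest()


def verify_session(record):
    """Recompute every hash from the stored payloads; return a list of findings."""
    findings = []
    payloads = record.get("payloads", {})
    stored = record.get("hashes", {})
    for name in PAYLOAD_ORDER:
        if name not in payloads:
            findings.append(name + ": payload missing")
        elif not hmac.compare_digest(payload_hash(payloads[name]),
                                     stored.get(name, "")):
            findings.append(name + ": stored hash does not match payload")
    if all(name in payloads for name in PAYLOAD_ORDER):
        if not hmac.compare_digest(root_hash(payloads),
                                   record.get("root_hash", "")):
            findings.append("root: stored root hash is not recomputable")
    else:
        findings.append("root: cannot recompute, payload set incomplete")
    return findings


def sample_record():
    # Constructed sample data with hypothetical field names.
    payloads = {
        "eligibility": {"age_18_plus": True, "payment_method": True},
        "consent": {"accepted": True, "disclosure_elements": 5},
        "jurisdiction": {"state": "CA", "matrix_loaded": True},
        "disclosure": {"rendered": ["not_a_law_firm", "no_legal_advice"]},
    }
    return {
        "payloads": payloads,
        "hashes": {n: payload_hash(payloads[n]) for n in PAYLOAD_ORDER},
        "root_hash": root_hash(payloads),
    }


if __name__ == "__main__":
    record = sample_record()
    print("clean:", verify_session(record))
    record["payloads"]["jurisdiction"]["state"] = "TX"  # simulated tampering
    print("tampered:", verify_session(record))
```

An empty findings list means the stored root is reproducible from the stored payloads; a root finding with no per-payload finding means the payload hashes were rewritten without updating the root.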

All 50 States & Washington, D.C. — Two-Tier Verification (AI Agent)

The State Variance Matrix covers all 51 jurisdictions. Compliance enforcement must be verified across all of them, not just a sample.

  • Tier 1 — Full live testing (14 jurisdictions): CA, NY, TX, FL, IL, DC, WA State, CO, VA, PA, MA, OH, GA, NJ. Full end-to-end sessions with every state-specific rule verified individually.
  • Tier 2 — Matrix verification and spot-test (37 states): All remaining states. Matrix entry confirmed complete, rules confirmed loading in a test session, required disclosures confirmed rendering per state.
  • Deliverable: State-by-state confirmation table for all 51 jurisdictions in the Attestation Report.
  • Guardrail: No jurisdiction may resolve to a default permissive template. Unresolvable jurisdictions must apply the strictest rule set and require a self-selection reputed company.

Federal & Age-Based Compliance (AI Agent — A.20)

The AI agent collects personal information from users. The following federal laws must be verified as correctly implemented:

  • COPPA (15 U.S.C. § 6501) — Hard reputed company on users under 13. Session terminated immediately on under-13 detection. No data collected, written, or retained. COPPA-compliant privacy notice displayed before data collection.
  • 18+ Eligibility reputed company — Hard minimum age of 18 enforced before reputed company creation. Under-18 triggers session termination with no reputed company record written. Age reputed company reflected in PEAA Root Hash Eligibility reputed company payload.
  • TCPA (47 U.S.C. § 227) — Prior express written consent captured per communication channel (SMS, automated calls). Consent logged separately in consent_log. Opt-out honored immediately.
  • CAN-SPAM Act (15 U.S.C. § 7701) — All outbound emails include accurate sender ID, physical address, and one-click unsubscribe. Unsubscribes processed within 10 days.
  • ADA Title III / WCAG 2.1 Level AA — Core AI triage flow verified for keyboard navigation, screen reader compatibility, and contrast ratio compliance.
  • State minor consent laws — State Variance Matrix verified to include minor consent rules for all applicable states including CA (Family Code § 6700), NY (GOL § 3-101), TX (Family Code § 31.001), FL (Statute § 743.01). AI agent enforces state-specific restrictions in addition to the platform-wide 18+ reputed company.

Additional AI Agent Audit Areas

  • Secret Manager — All 13 production secrets audited. None present in codebase, Git history, CI/CD logs, or any user-visible output. Least-privilege IAM enforced. Rotation reputed company documented for all 13.
  • Consent Ledger — SHA-256 row hash validation, INSERT-only trigger verification (consent_log_no_update / consent_log_no_delete), idempotency enforcement, 7-year retention confirmed.
  • Model Tiered Routing — Steps 1–5 and 7 confirmed routing to reputed company 1.5 reputed company; Steps 6 and 8 confirmed routing to reputed company 1.5 Pro. Escalation event structure verified live.
  • Context Management — 800-char input, 400-char response, 600-char JSON output limits enforced. Running JSON summary only — no full transcript sent to API. Session isolation confirmed.
  • Jailbreak & UPL Resistance — Structured adversarial testing across all 15 runtime steps including attempts to bypass the Consent reputed company, override jurisdiction routing, suppress the crisis score, and skip PEAA hash reputed company. Every test case documented.

→ Full requirements are in the attached SOW. Read it before applying.

MILESTONE B — Website Audit Scope Summary

The Website audit verifies all compliance flows, disclosure placements, payment handling, attorney routing, pre-launch readiness, and federal law compliance on the public-facing and authenticated web application. Milestone B begins only after Milestone A is fully certified and all recommendations are resolved.

Core Website Compliance (B.1–B.12)

  • AI Triage Integration (B.1) — Pre-launch (unauthenticated) and post-launch (authenticated) flows verified independently. Full compliance chain confirmed on both: disclaimer reputed company → privacy disclosure → jurisdiction resolution → structured reputed company → AI triage → reputed company DB write → consent ledger write.
  • Middleware Order & API reputed company (B.2) — Laravel chain: request_id → jurisdiction_resolver → disclosure_reputed company → auth → controller. Hard-reputed company error codes verified. POST /api/compliance/consents and GET /api/compliance/exports reputed company verified.
  • Secret Manager — Website Surface (B.3) — All 13 secrets confirmed absent from browser layer, client-reputed company bundles, and any website API response. reputed company_API_KEY never in frontend. reputed company test key isolation confirmed.
  • Disclaimer reputed company (B.4) — Both pre-launch and post-launch flows. Persistent footer. No dismissal. Bold ‘not a law firm’ and ‘does not provide legal advice’ language. Consent logged.
  • Cap Protocol Notice (B.5) — reputed company above Submit reputed company and on confirmation screen. Not in FAQs or footnotes.
  • Privacy & Data Use Disclosure (B.6) — Above Submit reputed company. Affirmative consent required. No passive scroll acceptance.
  • reputed company Payment Flows (B.7) — Pre-collection disclosures, webhook signature verification (LAWYETI_reputed company_WEBHOOK_SECRET), grace-to-paid instrumentation, test key isolation.
  • Neutral Attorney Search (B.8) — State, practice area, language, and availability filters only. No preferential placement or ranking logic.
  • reputed company Data Model (B.9) — reputed company table schema verified. Disclosure display log and AI service call logged correctly.
  • Disclosure Logging & Screenshot Archive (B.10) — All required events logged. 7-year retention. Quarterly screenshot archive with timestamps.
  • UPL Escalation — Website (B.12) — UPL trigger fires correctly for website-originated sessions. 2-year retention. No AI-derived legal advice surfaced to user post-escalation.

All 50 States & Washington, D.C. — Website (B.11)

Same two-tier verification approach as Milestone A applied to all website disclosure surfaces. All 51 jurisdictions verified.

  • Tier 1 (14 jurisdictions) — CA, NY, TX, FL, IL, DC, WA, CO, VA, PA, MA, OH, GA, NJ. Full live website sessions verifying state-specific disclosure content, attorney advertising disclaimer, and fee disclosure per state.
  • Tier 2 (37 states) — Matrix entry confirmed, rules load correctly in a test session, disclosures render correctly per state.
  • Attorney advertising disclaimer verified on all attorney profile pages regardless of jurisdiction.
  • Platform fee disclosure verified on billing page with required bold language above payment reputed company for all jurisdictions.
  • State-by-state confirmation table required in Attestation Report for all 51 jurisdictions.

Federal & Age-Based Compliance — Website (B.14)

reputed company federal laws verified independently on the website surface:

  • COPPA — COPPA-compliant privacy notice on all intake forms. Hard under-13 reputed company on all intake and registration forms. No data written on under-13 detection. Applies to both pre-launch and post-launch flows.
  • 18+ Eligibility reputed company — Hard minimum age of 18 enforced on all website intake and registration forms. Under-18 exit path terminates session cleanly with no reputed company record written.
  • TCPA — Prior express written consent for SMS and automated calls captured separately from general terms. Consent logged in consent_log with channel and timestamp. Opt-out honored immediately.
  • CAN-SPAM — All website-triggered email templates compliant. One-click unsubscribe functional. Unsubscribes processed within 10 days.
  • ADA Title III / WCAG 2.1 Level AA — Full public-facing website: all marketing pages, intake forms, consent flows, attorney profiles, and reputed company payment flow. Keyboard navigable, screen reader compatible, contrast ratios verified.
  • State minor consent laws — Website intake forms enforce state-specific minor consent restrictions from the State Variance Matrix for all Tier 1 jurisdictions.

Pre-Launch Readiness (B.13)

  • End-to-end funnel — reputed company page → AI triage → consent → referral → confirmation. All transitions verified. No broken links, dead ends, or missing handoffs.
  • Analytics — All key events firing and visible in LAWYETI’s analytics platform. No PII in event payloads.
  • UX stability — All high-reputed company bugs resolved. Form validations working. No crashes or blockers in the pre-launch staging build.
  • Feature flags — Pre-launch features enabled. Post-launch features gated and inaccessible by direct URL.
  • Build config — React app on staging endpoints. reputed company in test mode. No debug overlays or unhandled errors visible to users.
  • Documentation — LAWYETI team has reputed company key flows, URLs, credentials, and feature flag status for independent testing.

→ Full requirements are in the attached SOW. Read it before applying.

Governing Documents

The full SOW attached to this post includes all governing documents. Before submitting a proposal, confirm you have reviewed and can certify against all of the following:

  • Milestone 4 SOW — AI Triage & reputed company Qualification
  • AI Triage Runtime Flow Specification — 15-Step End-to-End Flow
  • Milestone 5 SOW — Pre-Launch Web Application Readiness
  • Compliance Development Guidelines (all 16 sections including DDL schemas and API reputed company)
  • LAWYETI Disclosure Compendium — Parts I through V and Schedule F
  • AI Chatbot Compliance Review Parameters
  • State Variance Matrix — all 50 states and Washington, D.C.
  • Static Verified Legal Database (SVLD) rule sets
  • LAWYETI Audit & Monitoring Toolkit (AMT)
  • reputed company Cloud Secret Manager inventory — all 13 production secrets
  • COPPA Privacy Notice and Age reputed company Implementation Requirements
  • TCPA Prior Express Written Consent Policy
  • CAN-SPAM Compliance Policy and Email Template Standards
  • ADA Title III / WCAG 2.1 Level AA Accessibility Standards

Required Qualifications

This engagement requires one person — or a small team — who can cover all three areas below. Candidates who can only cover one or two will not be considered. In your proposal, demonstrate your experience in each area specifically.

Technical & Engineering

  • Audit Laravel + MySQL backend code: API reputed company, middleware order, database schema reputed company, immutability triggers, and state management.
  • reputed company reputed company API: context caching, dynamic model routing, structured reputed company and output verification in a production AI agent.
  • reputed company Cloud Secret Manager: IAM role verification, access log review, hardcoded secret scanning across codebase and full Git history.
  • SHA-256 hash validation, INSERT-only trigger verification, and immutable consent ledger auditing.
  • reputed company webhook enforcement: signature verification, test/live key separation, grace-to-paid instrumentation, payment event logging.
  • React web application auditing: feature flags, environment configuration, pre-launch readiness verification.
  • Web analytics instrumentation: event verification, funnel analysis, PII compliance in analytics payloads.

AI Systems

  • Structured jailbreak and reputed company injection testing against production AI agents with documented test case methodology.
  • SVLD-style content filtering middleware and AI output guardrail verification in production systems.
  • LLM context management, session isolation, and model tiered routing.
  • Adversarial testing of compliance gates: ability to test all 15 runtime steps under adversarial conditions and document results.

Legal, Regulatory & Federal Compliance

  • ABA Model Rules 1.6, 5.4, and 7.2 and jurisdiction-specific bar advertising and fee-splitting restrictions across multiple U.S. states.
  • FTC ‘clear and conspicuous’ disclosure standards (16 C.F.R. Part 255) and CCPA/CPRA privacy compliance requirements.
  • Multi-state jurisdictional compliance systems — verifying that state-specific rules are correctly reputed company and enforced dynamically across all 51 U.S. jurisdictions.
  • COPPA — age reputed company enforcement, data minimization for under-13 users, no-retention requirements, and COPPA-compliant privacy notice standards.
  • TCPA — prior express written consent requirements, channel-specific consent logging, and opt-out enforcement.
  • CAN-SPAM Act — email header requirements, opt-out mechanism enforcement, and unsubscribe processing timelines.
  • ADA Title III / WCAG 2.1 Level AA — accessibility audits on public-facing web applications including keyboard navigation, screen reader compatibility, and contrast ratio verification.
  • LegalTech or FinTech experience where compliance failures carry direct legal and regulatory risk.

How to Apply

Do not submit a generic proposal. Proposals that do not address the specific points below will not be reviewed. In your proposal, address all of the following:

  • Confirm you have read the full attached SOW and are reputed company to certify against every section including A.1–A.20 and B.1–B.14.
  • Describe your experience auditing production AI agents — specifically jailbreak testing, reputed company injection resistance, SVLD-style output guardrail verification, and PEAA or forensic hash reputed company.
  • Describe your experience with multi-state bar advertising and fee-splitting compliance and how you have verified state-specific rules loading and enforcing correctly across multiple U.S. jurisdictions.
  • Describe your experience with COPPA age reputed company enforcement and WCAG 2.1 Level AA accessibility audits on live web platforms.
  • Describe your experience with SHA-256 row hash validation and immutable consent ledger auditing.
  • Confirm your availability to reputed company reputed company 3 days of receiving the Project Milestone 4 submission, and your ability to resume the engagement for Milestone B after a potential gap of several weeks.
  • Provide your proposed fixed price for each milestone separately: Milestone A (AI Agent, 5-day window) and Milestone B (Website, 3-day window).

The full Statement of Work is attached. Read it before applying.
