Job Description
Technical Compliance Expert & AI Systems Auditor
Milestone 4 Certification — LawYeti / RestFulSync
AI Agent & Website Compliance Audit — Two-Phase Engagement
Full Statement of Work is attached to this job post. This post is a summary. The attached SOW is the governing document for this engagement. You must read the full SOW before submitting a proposal. Submitting a proposal confirms you have read it, understand the complete scope, and are qualified to deliver every requirement.
What We Are Building
LAWYETI is a LegalTech platform that connects users seeking legal help with licensed attorneys through an AI-powered triage system. Users describe their legal situation, the AI classifies and routes the inquiry, and the platform connects them with a qualified attorney. The platform operates across all 50 U.S. states and Washington, D.C., which means every compliance decision — from disclosure language to age gates to fee-splitting rules — must be enforced correctly for every jurisdiction, every session.
We are at Milestone 4 of our development roadmap. The AI triage system and pre-launch website are ready for independent compliance certification. We need a qualified compliance expert to audit both surfaces, verify they are built correctly against our governing compliance documents, and deliver signed attestation reports before the platform proceeds to launch.
Engagement Overview
This is a two-milestone engagement. Each milestone is a separate audit, triggered independently by the LAWYETI development team’s formal project submission. You are not hired on a fixed calendar schedule. The audit does not start until the team formally submits each project milestone and confirms all staging access is ready.
There will be a gap between Milestone A and Milestone B — potentially days or weeks — while the development team completes the work that Milestone B will audit. You are not on the clock during this gap. LAWYETI will notify you when the Milestone B submission is ready. You must be available to resume at that time.
Milestone A — AI Agent Audit
Triggered by Project Milestone 4 submission — 5 days from confirmed submission to deliver signed AI Agent Attestation Report
Audits the AI agent that powers the triage system — the 15-step runtime flow, all compliance gates, jurisdictional enforcement across all 51 jurisdictions, secret security, PEAA Root Hash generation, consent ledger integrity, jailbreak resistance, and federal law compliance including COPPA and TCPA.
Milestone B — Website Audit
Triggered by Project Milestone 5 submission — 3 days from confirmed submission to deliver signed Website Attestation Report
Audits the public-facing and authenticated website — all compliance flows, disclosure placements, Stripe payment handling, attorney routing, pre-launch readiness, ADA accessibility, and the same federal law requirements applied independently to the website surface.
Milestone B begins only after Milestone A is fully accepted, all recommendations resolved, and Milestone A payment released.
Payment
No payment is released for documentation review alone. Each payment requires a delivered, signed attestation report with live test evidence from the staging environment.
Milestone A | Triggered by Project Milestone 4 submission — Released on delivery of signed AI Agent Attestation Report with live test evidence and verification that all recommendations are resolved.
Milestone B | Triggered by Project Milestone 5 submission — Released on delivery of signed Website Attestation Report with live test evidence. Begins only after Milestone A is accepted and paid.
Delay & Validity Policy
- The audit clock starts only when the team formally submits and confirms all required access — staging environment, credentials, codebase, and documentation — is ready.
- Incomplete or inaccessible submissions are not valid. The clock does not start until all issues are resolved and the team reconfirms readiness.
- If you cannot deliver within the agreed window after a valid submission, you must notify LAWYETI immediately. Extensions are at LAWYETI’s sole discretion.
→ Full requirements are in the attached SOW. Read it before applying.
MILESTONE A — AI Agent Audit Scope Summary
The AI agent is the core compliance engine for the entire platform. Every user-facing compliance obligation on both the AI agent and website depends on this engine working correctly. Milestone A must be certified first.
The AI agent implements a 15-step runtime flow that governs every session from entry through forensic proof generation. The auditor must verify each step is correctly implemented, cannot be bypassed, and is fully logged. Live end-to-end testing is required for every step. Documentation review alone does not satisfy any item.
15-Step AI Triage Runtime Flow
- Step 1 — Session Entry & AI Scope Control: AI is strictly limited to intake, triage, classification, and routing. Cannot position itself as a legal advisor, outcome predictor, or case evaluator under any condition.
- Step 2 — Consent Gate: Hard block before any AI output. Five required disclosure elements verified. Accept path continues; decline path terminates session. Gate re-enforced on session restart or timeout. Cannot be bypassed by any prompt or manipulation.
- Step 3 — Initial Intake & Jurisdiction Detection: Required intake fields verified. State Variance Matrix loads immediately on jurisdiction resolution. Four downstream compliance effects confirmed active.
- Step 4 — Real-Time State Variance Matrix Enforcement: All 50 states and D.C. verified using the two-tier approach described below. AI adapts dynamically per jurisdiction in real time.
- Step 5 — Structured AI Processing & JSON Output: All required JSON output fields verified. Output delivered to backend only — never surfaced to users as legal guidance.
- Step 6 — SVLD Verification Middleware: All AI output passes the Static Verified Legal Database before display. Five verification conditions enforced. Four output routes: allowed, blocked, redacted, or escalated.
- Step 7 — Sentiment Crisis Score: Continuous real-time evaluation using hybrid rules-based and Gemini-based detection. Threshold calibration and crisis score logging verified.
- Step 8 — Hard Escalation: Crisis threshold triggers immediate bypass of all remaining intake steps. Routes to Legal Assistance via the Dynamic Routing Engine. Not a generic responder.
- Step 9 — Backend Validation Layer: All eight required validation conditions checked before lead creation proceeds. Fail path behavior verified.
- Step 10 — Eligibility Gate: Age eligibility (18+ hard floor), payment method, and consent checks enforced before lead creation.
- Step 11 — Lead Creation: All required data stored. Session transitions correctly to routing layer.
- Step 12 — PEAA Root Hash Generation: SHA-256 hashes generated for all four compliance gate payloads (Eligibility, Consent, Jurisdiction, Disclosure), concatenated in fixed order, final root hash computed and stored. Must be independently recomputable from stored payloads.
- Step 13 — Forensic Integrity for Crisis Escalation: Hard escalation events cryptographically tied to PEAA Root Hash. Immutable.
- Step 14 — Neutral Attorney Routing: Rules-based only. AI cannot recommend attorneys. No preferential routing.
- Step 15 — Audit Logging & Compliance Traceability: Full event trail including individual gate hashes and final PEAA Root Hash logged for every session.
All 50 States & Washington, D.C. — Two-Tier Verification (AI Agent)
The State Variance Matrix covers all 51 jurisdictions. Compliance enforcement must be verified across all of them, not just a sample.
- Tier 1 — Full live testing (14 jurisdictions): CA, NY, TX, FL, IL, DC, WA State, CO, VA, PA, MA, OH, GA, NJ. Full end-to-end sessions with every state-specific rule verified individually.
- Tier 2 — Matrix verification and spot-test (37 states): All remaining states. Matrix entry confirmed complete, rules confirmed loading in a test session, required disclosures confirmed rendering per state.
- Deliverable: State-by-state confirmation table for all 51 jurisdictions in the Attestation Report.
- Guardrail: No jurisdiction may resolve to a default permissive template. Unresolvable jurisdictions must apply the strictest rule set and require a self-selection gate.
Federal & Age-Based Compliance (AI Agent — A.20)
The AI agent collects personal information from users. The following federal laws must be verified as correctly implemented:
- COPPA (15 U.S.C. § 6501) — Hard block on users under 13. Session terminated immediately on under-13 detection. No data collected, written, or retained. COPPA-compliant privacy notice displayed before data collection.
- 18+ Eligibility Gate — Hard minimum age of 18 enforced before lead creation. Under-18 triggers session termination with no lead record written. Age check reflected in PEAA Root Hash Eligibility Gate payload.
- TCPA (47 U.S.C. § 227) — Prior express written consent captured per communication channel (SMS, automated calls). Consent logged separately in consent_log. Opt-out honored immediately.
- CAN-SPAM Act (15 U.S.C. § 7701) — All outbound emails include accurate sender ID, physical address, and one-click unsubscribe. Unsubscribes processed within 10 days.
- ADA Title III / WCAG 2.1 Level AA — Core AI triage flow verified for keyboard navigation, screen reader compatibility, and contrast ratio compliance.
- State minor consent laws — State Variance Matrix verified to include minor consent rules for all applicable states including CA (Family Code § 6700), NY (GOL § 3-101), TX (Family Code § 31.001), FL (Statute § 743.01). AI agent enforces state-specific restrictions in addition to the platform-wide 18+ gate.
Additional AI Agent Audit Areas
- Secret Manager — All 13 production secrets audited. None present in codebase, Git history, CI/CD logs, or any user-visible output. Least-privilege IAM enforced. Rotation cadence documented for all 13.
- Consent Ledger — SHA-256 row hash validation, INSERT-only trigger verification (consent_log_no_update / consent_log_no_delete), idempotency enforcement, 7-year retention confirmed.
- Model Tiered Routing — Steps 1–5 and 7 confirmed routing to Gemini 1.5 Flash; Steps 6 and 8 confirmed routing to Gemini 1.5 Pro. Escalation event structure verified live.
- Context Management — 800-char input, 400-char response, 600-char JSON output limits enforced. Running JSON summary only — no full transcript sent to API. Session isolation confirmed.
- Jailbreak & UPL Resistance — Structured adversarial testing across all 15 runtime steps including attempts to bypass the Consent Gate, override jurisdiction routing, suppress the crisis score, and skip PEAA hash generation. Every test case documented.
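The Step 12 requirement ("must be independently recomputable from stored payloads") and the Consent Ledger row-hash check above both come down to the same auditor procedure: rebuild the hash from what the database actually holds and compare it with what was logged. The following script is an added example written for this post, not LAWYETI's implementation. It assumes a canonical JSON serialisation of each gate payload, concatenation of the four lowercase hex digests in the fixed order Eligibility, Consent, Jurisdiction, Disclosure, and a set of consent_log column names; all three are assumptions to confirm against the Compliance Development Guidelines DDL before using it on staging data. Sample payloads and ledger rows are constructed.

```python
import copy
import hashlib
import json
from typing import Optional

# Fixed concatenation order from Step 12: Eligibility, Consent, Jurisdiction, Disclosure.
PEAA_GATE_ORDER = ("eligibility", "consent", "jurisdiction", "disclosure")
# Columns covered by the consent_log row hash. ASSUMPTION: the DDL in the Compliance
# Development Guidelines names the real columns; substitute them here before auditing.
CONSENT_HASH_FIELDS = ("session_id", "channel", "consent_version", "accepted", "recorded_at")


def canonical_json(obj) -> bytes:
    """Deterministic bytes (sorted keys, no whitespace) so a hash can be recomputed later.
    ASSUMPTION: the platform hashes this form; if not, hash the stored bytes exactly as stored."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gate_hashes(payloads: dict) -> dict:
    """One SHA-256 per gate payload. A missing gate is an audit failure, never a default."""
    missing = [g for g in PEAA_GATE_ORDER if g not in payloads]
    if missing:
        raise ValueError(f"missing gate payload(s): {missing}")
    return {g: sha256_hex(canonical_json(payloads[g])) for g in PEAA_GATE_ORDER}


def peaa_root_hash(payloads: dict) -> str:
    """Root = SHA-256 over the four hex gate hashes joined in fixed order.
    ASSUMPTION: hex digests are concatenated (the SOW fixes the order, not the encoding)."""
    hashes = gate_hashes(payloads)
    return sha256_hex("".join(hashes[g] for g in PEAA_GATE_ORDER).encode("ascii"))


def verify_peaa_root(stored_payloads: dict, stored_root: str,
                     stored_gate_hashes: Optional[dict] = None) -> dict:
    """Step 12/15 check: recompute from the stored payloads and compare with what was logged."""
    recomputed = gate_hashes(stored_payloads)
    mismatch = []
    if stored_gate_hashes is not None:
        mismatch = [g for g in PEAA_GATE_ORDER if stored_gate_hashes.get(g) != recomputed[g]]
    return {"root_ok": peaa_root_hash(stored_payloads) == stored_root, "gate_mismatch": mismatch}


def consent_row_hash(row: dict) -> str:
    return sha256_hex(canonical_json({k: row[k] for k in CONSENT_HASH_FIELDS}))


def audit_consent_ledger(rows: list) -> dict:
    """Row-hash validation plus idempotency: one (session, channel, version) per ledger.
    UPDATE/DELETE protection is verified separately against the database triggers."""
    bad_hash, duplicates, seen = [], [], set()
    for row in rows:
        if row["row_hash"] != consent_row_hash(row):
            bad_hash.append(row["id"])
        key = (row["session_id"], row["channel"], row["consent_version"])
        if key in seen:
            duplicates.append(row["id"])
        seen.add(key)
    return {"bad_hash": bad_hash, "duplicates": duplicates}


# CONSTRUCTED sample session; not data from the platform.
SAMPLE_PAYLOADS = {
    "eligibility": {"session_id": "sess-001", "age_18_plus": True, "payment_method": True},
    "consent": {"session_id": "sess-001", "disclosure_elements_shown": 5, "accepted": True},
    "jurisdiction": {"session_id": "sess-001", "state": "TX", "matrix_version": "2024.1"},
    "disclosure": {"session_id": "sess-001", "not_law_firm": True, "no_legal_advice": True},
}


def demo_tamper_detection() -> dict:
    """Log the root, then alter one stored payload: recomputation must fail on exactly that gate."""
    root, hashes = peaa_root_hash(SAMPLE_PAYLOADS), gate_hashes(SAMPLE_PAYLOADS)
    tampered = copy.deepcopy(SAMPLE_PAYLOADS)
    tampered["eligibility"]["age_18_plus"] = False
    return {"clean": verify_peaa_root(SAMPLE_PAYLOADS, root, hashes),
            "tampered": verify_peaa_root(tampered, root, hashes)}


def demo_consent_ledger() -> dict:
    """Two good rows, one silently edited row (hash no longer matches), one duplicate key."""
    base = {"session_id": "sess-001", "consent_version": "v3", "accepted": True,
            "recorded_at": "2024-01-01T00:00:00Z"}
    rows = []
    for i, channel in enumerate(("sms", "email", "phone"), start=1):
        row = dict(base, id=i, channel=channel)
        row["row_hash"] = consent_row_hash(row)
        rows.append(row)
    rows[2]["accepted"] = False            # id 3: edited after hashing -> hash mismatch
    rows.append(dict(rows[0], id=4))       # id 4: same key as id 1 -> idempotency violation
    return audit_consent_ledger(rows)


if __name__ == "__main__":
    print(demo_tamper_detection())
    print(demo_consent_ledger())
```

For the attestation report, the useful evidence is the recomputation run against real staging rows rather than this sample: export the four stored gate payloads and the logged gate hashes and root for a set of sessions, run `verify_peaa_root` over each, and record any `gate_mismatch`. A mismatch that only appears once the serialisation assumption is changed usually means the implementation hashes a different byte form than the one it stores, which is itself a finding since the root is then not recomputable from the stored payloads alone.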
→ Full requirements are in the attached SOW. Read it before applying.
MILESTONE B — Website Audit Scope Summary
The Website audit verifies all compliance flows, disclosure placements, payment handling, attorney routing, pre-launch readiness, and federal law compliance on the public-facing and authenticated web application. Milestone B begins only after Milestone A is fully certified and all recommendations are resolved.
Core Website Compliance (B.1–B.12)
- AI Triage Integration (B.1) — Pre-launch (unauthenticated) and post-launch (authenticated) flows verified independently. Full compliance chain confirmed on both: disclaimer gate → privacy disclosure → jurisdiction resolution → structured prompt → AI triage → lead DB write → consent ledger write.
- Middleware Order & API Contracts (B.2) — Laravel chain: request_id → jurisdiction_resolver → disclosure_gate → auth → controller. Hard-block error codes verified. POST /api/compliance/consents and GET /api/compliance/exports contracts verified.
- Secret Manager — Website Surface (B.3) — All 13 secrets confirmed absent from browser layer, client-side bundles, and any website API response. GEMINI_API_KEY never in frontend. Stripe test key isolation confirmed.
- Disclaimer Gate (B.4) — Both pre-launch and post-launch flows. Persistent footer. No dismissal. Bold ‘not a law firm’ and ‘does not provide legal advice’ language. Consent logged.
- Cap Protocol Notice (B.5) — Placed above Submit button and on confirmation screen. Not in FAQs or footnotes.
- Privacy & Data Use Disclosure (B.6) — Above Submit button. Affirmative consent required. No passive scroll acceptance.
- Stripe Payment Flows (B.7) — Pre-collection disclosures, webhook signature verification (LAWYETI_STRIPE_WEBHOOK_SECRET), grace-to-paid instrumentation, test key isolation.
- Neutral Attorney Search (B.8) — State, practice area, language, and availability filters only. No preferential placement or ranking logic.
- Lead Data Model (B.9) — Lead table schema verified. Disclosure display log and AI service call logged correctly.
- Disclosure Logging & Screenshot Archive (B.10) — All required events logged. 7-year retention. Quarterly screenshot archive with timestamps.
- UPL Escalation — Website (B.12) — UPL trigger fires correctly for website-originated sessions. 2-year retention. No AI-derived legal advice surfaced to user post-escalation.
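To make the B.7 webhook item concrete, the following is an added example written for this post, not LAWYETI's Laravel code. It implements the Stripe-Signature v1 scheme as Stripe documents it (HMAC-SHA256 over the string "timestamp.body", with the header formatted as `t=...,v1=...`) and runs the rejection cases an auditor replays against the staging endpoint: valid event accepted; tampered body, wrong secret, stale timestamp, and missing header all rejected. The environment variable name LAWYETI_STRIPE_WEBHOOK_SECRET comes from the post; the secret value and the event body here are constructed.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# CONSTRUCTED test secret. In the real system the value is read from Secret Manager under
# LAWYETI_STRIPE_WEBHOOK_SECRET and must never appear in the repo or the frontend bundle.
TEST_WEBHOOK_SECRET = "whsec_constructed_test_secret_not_real"
TOLERANCE_SECONDS = 300  # reject events whose timestamp is older than this (replay window)


def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Produce a Stripe-Signature header the way Stripe's side does, for test fixtures."""
    signed = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=<ts>,v1=<sig>[,v1=<sig>...]' into the timestamp and all v1 signatures."""
    timestamp, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            sigs.append(value)
    if timestamp is None or not sigs:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, sigs


def verify_webhook(secret: str, payload: bytes, header: str,
                   now: Optional[int] = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if some v1 signature matches the raw body and the timestamp is fresh."""
    try:
        timestamp, sigs = parse_signature_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False  # stale or replayed event
    signed = f"{timestamp}.".encode() + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # constant-time comparison so signature checking does not leak via timing
    return any(hmac.compare_digest(expected, sig) for sig in sigs)


def run_audit_cases(secret: str = TEST_WEBHOOK_SECRET) -> dict:
    """The audit matrix for B.7: one accepted case and four that must be rejected."""
    # CONSTRUCTED event body; shape only loosely resembles a Stripe event.
    payload = b'{"id":"evt_constructed_001","type":"invoice.paid","data":{"object":{"status":"paid"}}}'
    now = 1_700_000_000
    good_header = sign_payload(secret, payload, now)
    return {
        "valid": verify_webhook(secret, payload, good_header, now=now),
        "tampered_body": verify_webhook(secret, payload.replace(b"paid", b"open", 1), good_header, now=now),
        "wrong_secret": verify_webhook("whsec_other_constructed", payload, good_header, now=now),
        "stale": verify_webhook(secret, payload, sign_payload(secret, payload, now - 3600), now=now),
        "missing_header": verify_webhook(secret, payload, "", now=now),
    }


if __name__ == "__main__":
    for case, accepted in run_audit_cases().items():
        print(f"{case:15s} accepted={accepted}")
```

Two points matter when running these cases against the real endpoint. The signature is computed over the raw request body, so a framework that re-serialises JSON before verification will reject every legitimate event; the audit should confirm the Laravel handler reads the unparsed body. And a hand-rolled verifier like this one exists here only to show what is being checked; the production code is expected to use Stripe's official server library for the same verification, with the secret injected from Secret Manager and the test-mode key kept separate from the live key as B.3 and B.7 require.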
All 50 States & Washington, D.C. — Website (B.11)
Same two-tier verification approach as Milestone A applied to all website disclosure surfaces. All 51 jurisdictions verified.
- Tier 1 (14 jurisdictions) — CA, NY, TX, FL, IL, DC, WA, CO, VA, PA, MA, OH, GA, NJ. Full live website sessions verifying state-specific disclosure content, attorney advertising disclaimer, and fee disclosure per state.
- Tier 2 (37 states) — Matrix entry confirmed, rules load correctly in a test session, disclosures render correctly per state.
- Attorney advertising disclaimer verified on all attorney profile pages regardless of jurisdiction.
- Platform fee disclosure verified on billing page with required bold language above payment button for all jurisdictions.
- State-by-state confirmation table required in Attestation Report for all 51 jurisdictions.
Federal & Age-Based Compliance — Website (B.14)
All federal laws verified independently on the website surface:
- COPPA — COPPA-compliant privacy notice on all intake forms. Hard under-13 block on all intake and registration forms. No data written on under-13 detection. Applies to both pre-launch and post-launch flows.
- 18+ Eligibility Gate — Hard minimum age of 18 enforced on all website intake and registration forms. Under-18 exit path terminates session cleanly with no lead record written.
- TCPA — Prior express written consent for SMS and automated calls captured separately from general terms. Consent logged in consent_log with channel and timestamp. Opt-out honored immediately.
- CAN-SPAM — All website-triggered email templates compliant. One-click unsubscribe functional. Unsubscribes processed within 10 days.
- ADA Title III / WCAG 2.1 Level AA — Full public-facing website: all marketing pages, intake forms, consent flows, attorney profiles, and Stripe payment flow. Keyboard navigable, screen reader compatible, contrast ratios verified.
- State minor consent laws — Website intake forms enforce state-specific minor consent restrictions from the State Variance Matrix for all Tier 1 jurisdictions.
Pre-Launch Readiness (B.13)
- End-to-end funnel — Landing page → AI triage → consent → referral → confirmation. All transitions verified. No broken links, dead ends, or missing handoffs.
- Analytics — All key events firing and visible in LAWYETI’s analytics platform. No PII in event payloads.
- UX stability — All high-priority bugs resolved. Form validations working. No crashes or blockers in the pre-launch staging build.
- Feature flags — Pre-launch features enabled. Post-launch features gated and inaccessible by direct URL.
- Build config — React app on staging endpoints. Stripe in test mode. No debug overlays or unhandled errors visible to users.
- Documentation — LAWYETI team has all key flows, URLs, credentials, and feature flag status for independent testing.
→ Full requirements are in the attached SOW. Read it before applying.
Governing Documents
The full SOW attached to this post includes all governing documents. Before submitting a proposal, confirm you have reviewed and can certify against all of the following:
- Milestone 4 SOW — AI Triage & Lead Qualification
- AI Triage Runtime Flow Specification — 15-Step End-to-End Flow
- Milestone 5 SOW — Pre-Launch Web Application Readiness
- Compliance Development Guidelines (all 16 sections including DDL schemas and API contracts)
- LAWYETI Disclosure Compendium — Parts I through V and Schedule F
- AI Chatbot Compliance Review Parameters
- State Variance Matrix — all 50 states and Washington, D.C.
- Static Verified Legal Database (SVLD) rule sets
- LAWYETI Audit & Monitoring Toolkit (AMT)
- Google Cloud Secret Manager inventory — all 13 production secrets
- COPPA Privacy Notice and Age Gate Implementation Requirements
- TCPA Prior Express Written Consent Policy
- CAN-SPAM Compliance Policy and Email Template Standards
- ADA Title III / WCAG 2.1 Level AA Accessibility Standards
Required Qualifications
This engagement requires one person — or a small team — who can cover all three areas below. Candidates who can only cover one or two will not be considered. In your proposal, demonstrate your experience in each area specifically.
Technical & Engineering
- Audit Laravel + MySQL backend code: API security, middleware order, database schema integrity, immutability triggers, and state management.
- Google Gemini API: context caching, dynamic model routing, structured prompt and output verification in a production AI agent.
- Google Cloud Secret Manager: IAM role verification, access log review, hardcoded secret scanning across codebase and full Git history.
- SHA-256 hash validation, INSERT-only trigger verification, and immutable consent ledger auditing.
- Stripe webhook enforcement: signature verification, test/live key separation, grace-to-paid instrumentation, payment event logging.
- React web application auditing: feature flags, environment configuration, pre-launch readiness verification.
- Web analytics instrumentation: event verification, funnel analysis, PII compliance in analytics payloads.
AI Systems
- Structured jailbreak and prompt injection testing against production AI agents with documented test case methodology.
- SVLD-style content filtering middleware and AI output guardrail verification in production systems.
- LLM context management, session isolation, and model tiered routing.
- Adversarial testing of compliance gates: ability to test all 15 runtime steps under adversarial conditions and document results.
Legal, Regulatory & Federal Compliance
- ABA Model Rules 1.6, 5.4, and 7.2 and jurisdiction-specific bar advertising and fee-splitting restrictions across multiple U.S. states.
- FTC ‘clear and conspicuous’ disclosure standards (16 C.F.R. Part 255) and CCPA/CPRA privacy compliance requirements.
- Multi-state jurisdictional compliance systems — verifying that state-specific rules are correctly loaded and enforced dynamically across all 51 U.S. jurisdictions.
- COPPA — age gate enforcement, data minimization for under-13 users, no-retention requirements, and COPPA-compliant privacy notice standards.
- TCPA — prior express written consent requirements, channel-specific consent logging, and opt-out enforcement.
- CAN-SPAM Act — email header requirements, opt-out mechanism enforcement, and unsubscribe processing timelines.
- ADA Title III / WCAG 2.1 Level AA — accessibility audits on public-facing web applications including keyboard navigation, screen reader compatibility, and contrast ratio verification.
- LegalTech or FinTech experience where compliance failures carry direct legal and regulatory risk.
How to Apply
Do not submit a generic proposal. Proposals that do not address the specific points below will not be reviewed.
In your proposal, address all of the following:
- Confirm you have read the full attached SOW and are prepared to certify against every section including A.1–A.20 and B.1–B.14.
- Describe your experience auditing production AI agents — specifically jailbreak testing, prompt injection resistance, SVLD-style output guardrail verification, and PEAA or forensic hash generation.
- Describe your experience with multi-state bar advertising and fee-splitting compliance and how you have verified state-specific rules loading and enforcing correctly across multiple U.S. jurisdictions.
- Describe your experience with COPPA age gate enforcement and WCAG 2.1 Level AA accessibility audits on live web platforms.
- Describe your experience with SHA-256 row hash validation and immutable consent ledger auditing.
- Confirm your availability to begin within 3 days of receiving the Project Milestone 4 submission, and your ability to resume the engagement for Milestone B after a potential gap of several weeks.
- Provide your proposed fixed price for each milestone separately: Milestone A (AI Agent, 5-day window) and Milestone B (Website, 3-day window).
The full Statement of Work is attached. Read it before applying.