TimelineSystem
TimelineSystem  /  Documentation

TimelineSystem Documentation

TimelineSystem turns a litigation production into a source-cited chronology that is reviewable, signable, and verifiable on the day you file. This page covers what the platform does, how a matter moves through it, and what to expect when you ingest your first volume.

Last updated 2026-05-27 · v1 · For platform version: current

Overview

TimelineSystem is a chronology platform for litigation teams. It ingests mixed evidence (email, PDFs, native files, spreadsheets, chat exports, audit logs), extracts date-anchored events with the source span attached, and exports a court-ready chronology with a tamper-evident SHA-256 manifest. Every event traces back to the page; every export is independently verifiable.

It is designed for the work between production and filing:

Where TimelineSystem sits. It lives downstream of your review platform (Relativity, Everlaw, Reveal) and upstream of the motion, the deposition outline, and the trial binder. It does not replace document review platforms; it produces the chronology that downstream artifacts cite.

Quick start

The fastest way to understand the platform is the guided demo.

Try the guided demo (no account)

  1. Open the workspace.
  2. The Guided Demo tab loads a fictional matter with 387 mock documents reduced to 30 reviewed events.
  3. Click any event in the timeline rail to open the citation panel, then click the citation to open the source span in the evidence viewer.
  4. Open the Review Workspace to walk an event from needs_review through under_review to accepted with a logged reviewer attestation.
  5. Click Export — Court-Ready PDF. The export carries a SHA-256 fingerprint you can verify offline.

Try the EDRM Micro pipeline

The EDRM Dataset tab simulates the end-to-end processing pipeline against the EDRM Micro corpus. Click Run EDRM Pipeline to watch ingestion, extraction, review queue, and export run in sequence — useful for explaining the data lifecycle to a security reviewer or a non-technical stakeholder.

Connect to a real tenant

  1. Open the Live Matters tab.
  2. Enter your workspace slug and the email address attached to your account.
  3. Click Send Secure Code. A six-digit one-time code is delivered to your inbox; sessions expire after eight hours by default.
  4. Pick a matter. Filters default to the case-template preset for the practice area.
Pitch mode. Toggle Pitch mode in the workspace header to hide operational controls during a live customer demo. The URL hash records the mode (for example /app/#guided-demo+pitch) so you can bookmark a clean view.

Core concepts

The platform models a litigation chronology with seven primitives.

Tenant
A firm, in-house team, or service provider. Tenants are isolated; one tenant’s evidence is never visible to another.
Matter
A single case or investigation. Holds evidence, events, reviewers, and exports. Each matter has a case-template preset (commercial, PI, employment, IP, investigation).
Ingestion job
A unit of intake. One upload, one connector pull, or one batch import. Tracks parsing, OCR, deduplication, and canonicalization to completion.
Extraction job
A unit of event extraction over ingested artifacts. Versioned to a frozen prompt contract and model identity for replay.
Event
A date-anchored fact in the chronology. Has a description, occurrence timestamp, event type, status, reviewer metadata, and one or more evidence spans.
Evidence span
The exact source of an event: a passage in a PDF, a paragraph in an email, a row in a spreadsheet, a message in a chat. Always cited with offsets and a bates / exhibit identifier.
Citation view
A logged reviewer action: opening an evidence span. Citation views are required before an event status can advance to accepted.

The chronology workflow

A matter moves through four stages: ingest, extract, review, export. Each stage emits artifacts the next stage consumes, and every transition is logged.

1. Ingest

Drop the production into the workspace, or pull it from a connector. The ingestion pipeline runs in the background and reports per-file status.

Ingestion handles:

2. Extract

Extraction runs a frozen prompt contract against canonicalized artifacts and emits candidate events. Every event arrives with one or more evidence spans, each pinned to a byte offset in the source.

The extractor handles:

3. Review

Counsel walks the chronology event-by-event in the review workspace. Status transitions are deliberate; every change is logged against a reviewer with a reason and a citation view.

Event lifecycle

An event progresses through a small, auditable state machine:

Reviewer attestations

An event cannot be advanced to accepted until the reviewer has opened at least one of its evidence spans. The platform records the citation view, the elapsed time between opening the citation and approving the event, and the reviewer identity. The chain of (reviewer → citation → decision) is what makes the resulting export defensible.

Trust panel

Each event surfaces a trust score (0–100) that combines extraction confidence, citation strength, custodian agreement, and conflict detection. Events that conflict with another custodian’s record, with served interrogatories, or with their own metadata are surfaced at the top of the risk queue.

4. Export

The platform produces five export formats, all signed:

FormatUse
Court-ready PDFBound chronology with cover, corpus summary, color-coded events, citation footnotes, color legend, and SHA-256 manifest on the final page.
Structured CSVOne row per event with all fields, dates as ISO-8601, citation ids cross-referenced to a companion evidence CSV.
Structured JSONThe same data as CSV with nested evidence spans, fingerprintable for downstream tooling.
Word (.docx)Editable chronology with track-changes-friendly formatting for working drafts and exhibits.
Signed handoff bundleZip containing PDF, CSV, JSON, evidence span manifest, audit log, and the signed export manifest. Useful for co-counsel handoff or sealed productions.

Verification

Every export carries a SHA-256 manifest. Opposing counsel or the court can verify the export with a single command:

$ shasum -a 256 -c manifest.sha256
chronology.pdf:    OK
chronology.csv:    OK
audit-log.json:    OK

Or, in-app, the GET /api/v1/matters/{matterId}/exports/{exportId}/verify endpoint returns the manifest, the canonical hash, and a signed attestation that the export has not been modified since seal.

Supported evidence

TimelineSystem ingests the mixed evidence formats that litigation teams actually receive.

CategoryFormatsHandling
Email EML, MSG, MBOX, PST Threaded into canonical conversations; headers, attachments, and time zones preserved.
PDF PDF (text and image), PDF/A Text extracted directly; image PDFs routed to OCR with per-page confidence scores.
Office DOCX, XLSX, PPTX, ODT, ODS Native structure preserved; spreadsheets canonicalized into per-row events when date columns are present.
Chat Slack export, Microsoft Teams export, SMS / iMessage JSON Canonicalized into per-message events with sender, channel, and reactions retained.
Audit / log JSON, JSONL, CSV exports from production systems Mapped to events by configurable column / field. Useful for system-of-record timelines.
Image / scan TIFF, PNG, JPG, single-page scans OCR with language detection and orientation correction.
Archive ZIP, TAR, 7Z (unencrypted) Expanded recursively; encrypted archives quarantined with a remediation prompt.

Connectors

Connectors pull evidence directly from production systems instead of going through a manual export step. Each connector is authenticated per matter, runs under a fair-queue scheduler, and writes through the same ingestion pipeline as a manual upload.

ConnectorWhat it pullsUse cases
Microsoft 365 / Office 365Mailboxes, OneDrive, SharePoint sites, Teams chatsCustodian-scoped pulls under legal hold.
Google Workspace (Gmail Vault)Vault search exports, mailboxes, DriveVault-search-driven custodian collections.
NetDocumentsMatter workspaces, document versions, metadataFirm-managed matter documents.
iManage WorkWorkspaces, documents, version historyFirm-managed matter documents.
SlackWorkspace exports, channel historiesIn-house investigations, custodian-scoped collections.
Microsoft TeamsChats, channel messages, meeting transcriptsSame as Slack, for Teams-first organizations.
RelativityWorkspace documents, fields, productionsMove from Relativity review into TimelineSystem chronology.

Connectors are available on the Practice tier and above. Custom connectors (Egnyte, ShareFile, M-Files, custom REST sources) are available under the Firm tier with a documented data-mapping contract.

Security & evidence integrity

TimelineSystem is designed for evidence that ends up in court. Integrity is a first-class concern at every layer.

Tamper-evident exports

Every export bundle is sealed with a SHA-256 manifest of its contents. The manifest is signed with a tenant-scoped key, and the public verification endpoint is content-addressed: anyone with the export can confirm it has not been modified since seal. The signing secret is configurable per deployment (EXPORT_MANIFEST_SIGNING_SECRET).

Signed audit log

Every reviewer transition, citation view, export, and admin action is written to a hash-chained audit log. Each entry references the previous entry’s hash, so a tampered entry breaks the chain. The full audit log is exportable per matter and verifiable independently.

Envelope encryption at rest

Evidence is encrypted at rest with envelope encryption: a per-tenant data key wraps per-artifact data-encryption keys. On the Firm tier, the wrapping key can be customer-managed (CMK) via your KMS.

Privilege quarantine

The privilege quarantine service intercepts artifacts flagged as attorney-client-privileged or attorney work product. Quarantined material is accessible only to designated reviewers and never enters extraction or export bundles without an explicit privilege-clear decision logged in the audit trail.

DLP redaction

Configurable patterns (SSNs, financial account numbers, PHI, custodial PII) can be redacted at ingest. Originals are retained encrypted under a separate key class for privileged audit; redacted copies are what reach extraction and review.

Retention & version freeze

Each matter has a retention policy. Closed matters can be archived to immutable export bundles and purged from working storage on a schedule. When a matter is sealed, the extraction model identity and prompt contract are frozen so any future re-extraction yields the same output.

Public security pages

Authentication & access

Reviewer authentication (one-time code)

Attorney and paralegal reviewers sign in with a one-time code delivered to their inbox. There is no password to forget, phish, or rotate. Sessions expire after eight hours by default (UI_SESSION_TTL_MINUTES) and the login code is valid for ten minutes (UI_LOGIN_CODE_TTL_MINUTES). 

POST /api/v1/auth/request-code
{ "tenantSlug": "your-firm", "email": "attorney@example.com" }

POST /api/v1/auth/verify-code
{ "tenantSlug": "your-firm", "email": "attorney@example.com", "code": "482719" }
→ { "sessionToken": "...", "expiresAt": "2026-05-27T23:00:00Z" }

Service authentication (API key)

Service-to-service calls authenticate with X-Tenant-Id and X-API-Key headers. Mutating endpoints also require X-User-Id when not using a bearer session.

Single sign-on (Practice / Firm)

SAML 2.0 and OpenID Connect SSO are supported on the Practice tier and above. Group-based authorization maps directly to the role-based access model (admin, partner, reviewer, observer).

Authorization model

Four roles, scoped per matter:

API reference

All endpoints are versioned under /api/v1. The default base URL is http://0.0.0.0:8080 for self-hosted, or https://api.your-tenant.timelinesystem.com for managed deployments. Use Authorization: Bearer <session_token> for reviewer flows, or X-Tenant-Id + X-API-Key for service flows.

Health and metadata

Matters & jobs

Events & exports

Review workflow

Audit & webhooks

API keys

Example: list matters

$ curl -s https://api.your-tenant.timelinesystem.com/api/v1/matters \
    -H "X-Tenant-Id: ten_01HV..." \
    -H "X-API-Key: tsk_live_..."

Example: trigger an extraction job

$ curl -s -X POST \
    https://api.your-tenant.timelinesystem.com/api/v1/matters/mat_01HV.../extraction-jobs \
    -H "X-Tenant-Id: ten_01HV..." \
    -H "X-API-Key: tsk_live_..." \
    -H "X-User-Id: usr_01HV..." \
    -H "Content-Type: application/json" \
    -d '{"scope":"unreviewed","priority":"normal"}'

Example: verify a sealed export

$ curl -s https://api.your-tenant.timelinesystem.com/api/v1/matters/mat_01HV.../exports/exp_01HV.../verify \
    -H "X-Tenant-Id: ten_01HV..." \
    -H "X-API-Key: tsk_live_..."
{
  "exportId": "exp_01HV...",
  "manifest": { "files": [ ... ], "sha256": "a3f1b2..." },
  "signature": "...",
  "verified": true,
  "sealedAt": "2026-05-12T14:00:01Z"
}

Webhooks

Webhook subscriptions deliver platform events to your endpoint with a signed body. Event types include:

Each delivery includes X-Signature (HMAC-SHA256 of the body using the subscription secret) and X-Delivery-Id for idempotency. Failed deliveries retry with exponential backoff for up to 24 hours.

Configuration

The API runtime reads configuration from environment variables. Defaults shown.

VariableDefaultNotes
API_HOST0.0.0.0Bind address
API_PORT8080Bind port
DB_PATH./data/autochrono.dbSQLite database path
API_AUTO_MIGRATEtrueRun pending migrations on boot
API_CORS_ORIGINS*Comma-separated allow-list
API_KEY_HEADERX-API-KeyService auth header
API_BODY_LIMIT_BYTES1000000Max request body size
API_EXPORT_DIR./data/exportsSealed export bundles
API_UPLOAD_DIR./data/uploadsRaw upload staging
EXPORT_MANIFEST_SIGNING_SECRETdev-only-change-meSet per-tenant in production.
UI_SESSION_TTL_MINUTES480Reviewer session length
UI_LOGIN_CODE_TTL_MINUTES10One-time code validity
Do not deploy with the default signing secret. The export manifest signature is what makes a sealed export verifiable. Set EXPORT_MANIFEST_SIGNING_SECRET to a per-tenant secret managed by your secrets store before accepting real evidence.

Deployment options

Managed multi-tenant (Practice)

TimelineSystem operates the platform on shared infrastructure. Tenant isolation is enforced in the data layer. Region selection (US / EU / UK / CA) is available at tenant creation.

Single-tenant VPC (Firm)

TimelineSystem operates the platform in a dedicated VPC inside your cloud account. You own the keys; we operate the runtime. Suitable for firms with SOC 2 or ISO 27001 vendor controls that require single-tenant boundaries.

On-premises (Firm)

TimelineSystem ships as a container set you run inside your own perimeter. Operates against your own KMS, your own LLM provider (or an on-premises inference cluster), and your own object storage. Useful for matters with protective orders that prohibit external transit of evidence.

Component inventory

Compliance posture

AreaStatus
SOC 2Controls inventory mapped to the CIS18 framework. Type I audit roadmap discussed at Firm tier engagement.
ISO 27001Controls mapping documented; certification timeline scoped at Firm tier engagement.
GDPRData Processing Addendum executable on contract. EU data residency available under the Firm tier.
HIPAABusiness Associate Agreement available under the Firm tier for matters involving PHI.
CCPA / CPRAData subject access, deletion, and portability supported per matter.
Data residencyUS is the default region. EU, UK, and Canada residency available under the Firm tier.
EncryptionTLS 1.3 in transit; AES-256-GCM envelope encryption at rest. Customer-managed keys under the Firm tier.
LoggingHash-chained audit log per matter; exportable, independently verifiable.
Honest status. Where this table says available under the Firm tier, we mean the work to deliver that control is part of a Firm engagement and the operational evidence is produced during onboarding. We do not claim a finalized third-party audit report unless we can hand you one under NDA.

The public Security & Trust page restates the operational controls; the DPA is signable on execution of a Practice or Firm contract.

Pricing

Three tiers. All ship the same source-cited chronology and the same signed exports.

Pilot

$5,900 / matter

One matter, fixed-fee. Up to 10 GB. Court-ready PDF and signed exports. 30-day workspace.

Practice

From $39,000 / year

Up to 25 concurrent matters, 250 GB / year, all connectors, SSO, REST API, webhooks, business-hours support.

Firm

Talk to us

Unlimited matters and reviewers. Dedicated tenancy, VPC, or on-prem. CMK, residency controls, SOC 2 evidence, 24×7 support.

What every tier includes

Source-cited extraction with span-level evidence; deterministic event deduplication; uncertainty windows on ambiguous dates; immutable review telemetry; tamper-evident exports with SHA-256 manifest; the same attorney-friendly review workspace; demo data and the EDRM Micro simulation at no charge.

What we do not charge for

Volume & overage

Volume is measured by ingested, post-canonicalization bytes — not raw upload size. Practice tier overage is billed per 50 GB; Firm tier sets its own caps. The platform notifies tenant admins at 80% and again at 95% of the contracted cap.

Government, non-profit, and academic-litigation programs: ask about reduced-fee access. Pricing in USD, billed annually for Practice and Firm; Pilot engagements paid up front.

Request a guided demo →   See pricing on the homepage

FAQ

Does TimelineSystem replace Relativity, Everlaw, or our review platform?

No. TimelineSystem sits downstream of document review and upstream of the motion, the deposition outline, and the trial binder. It produces the chronology that downstream artifacts cite. Reviewed documents and productions are pulled in via the Relativity connector (and the other connectors) when you are ready to build the chronology.

How does the platform handle uncertainty in dates?

Date extraction records a minimum, a maximum, and a confidence. A document dated “Q3 of last year” arrives in the chronology with the correct uncertainty window, not a false-precise timestamp. Uncertain events are surfaced in review with a visible band on the timeline rail.

What does “source-cited” actually mean?

Every event in the chronology carries one or more evidence spans. Each span records a byte offset into a specific artifact: the email header range, the PDF page and paragraph, the spreadsheet row, the chat message ID. Clicking an event opens the cited span in the evidence viewer at the exact passage.

What does the signed manifest actually sign?

The export bundle is sealed at export time. The manifest lists each file (PDF, CSV, JSON, audit log) with its SHA-256, and the bundle is signed with the tenant’s signing key. Verification is independent of the platform: anyone with the export and the public verification routine can confirm integrity.

What happens if the underlying extraction model changes?

Extraction is bound to a frozen model identity and prompt contract. When the model is upgraded, prior matters continue to replay against the frozen version. Re-extraction against a new model version is an opt-in operation that produces a new extraction record, not an in-place rewrite of the original chronology.

Can opposing counsel verify our chronology without an account?

Yes. The sealed export bundle includes the manifest, the SHA-256 hashes, and the verification routine. Opposing counsel runs shasum -a 256 -c manifest.sha256 (or the equivalent on Windows) and confirms integrity. The platform also exposes a public verification endpoint per export that does not require an account.

Does the platform store raw model prompts or responses?

Prompt contracts are stored per matter, scoped to the extraction job. Raw responses are retained for replay purposes for the matter retention period and are not used for any cross-tenant training or evaluation.

What if we need a connector that is not listed?

Custom connectors are available under the Firm tier with a documented data-mapping contract. Manual upload of exported volumes is supported on every tier in the meantime.

Support & contact

To start a pilot, request a guided demo, or schedule a security review:

For all other inquiries, including custom connectors, security review under NDA, or SOC 2 evidence package requests, use the contact form on the workspace sign-in page.