Your legal tech app works. Users can log in (Part 1). They can upload documents (Part 2). Now you need somewhere to keep track of everything else. Users. Matters. Clients. The relationships between documents and cases. The metadata that makes your app actually useful.
Where does that data live?
If you vibe-coded your app, there's a good chance your AI assistant dropped in SQLite because it's the path of least resistance. One file, no configuration, works immediately. That's fine for building. It gets complicated when you're trying to scale, collaborate, or answer questions about data security.
Option 1: SQLite
SQLite is everywhere. It ships with Python, works out of the box, and requires zero configuration. Your vibe-coding session probably generated something like sqlite3.connect('app.db') and moved on.
Here's the thing: SQLite is way more capable than most developers realize. The sqlite.org website handles 400K+ requests per day on SQLite. Discord uses it for critical infrastructure. It can handle databases up to 281 terabytes and supports unlimited concurrent readers.
The limitation is writes. SQLite allows only one writer at a time. For many applications, this is fine. Writers queue up, each transaction completes in milliseconds, and nobody notices. But if you're building something with heavy concurrent writes, you'll hit a wall.
The bigger issue for legal tech: SQLite is a file. Files live on one machine. You can't easily connect from multiple servers, can't share access with teammates during development, and can't give a client's IT team the access controls they're going to ask about.
Works for: Prototypes, local development, single-user apps, read-heavy workloads.
Doesn't work for: Multi-server deployments, concurrent writes, anything requiring audit logs or access controls.
Option 2: Managed Postgres (Supabase, Neon)
The standard upgrade from SQLite is a managed Postgres database. You get a real client-server database without managing the infrastructure yourself.
Supabase bundles Postgres with auth, storage, and real-time subscriptions. If you're building a full-stack app and want one platform for everything, Supabase is the path of least resistance. Row-level security lets you control data access at the database layer. The generous free tier (500MB database, 1GB storage) is enough for prototyping and early users.
Neon takes a different approach: serverless Postgres that scales to zero when idle. You only pay for what you use. Their branching feature lets you spin up isolated database copies for development and testing. Databricks acquired Neon in May 2025, which signals where enterprise data infrastructure is headed.
Both are SOC 2 Type II certified. Supabase is additionally HIPAA compliant, which matters if you're storing protected health information.
Works for: Production applications, teams collaborating on development, apps that need real database features like joins and transactions.
Watch out for: You're still responsible for schema design, query optimization, and building anything legal-specific on top of generic Postgres.
The Compliance Problem
Here's where legal tech databases get complicated. General-purpose managed Postgres gives you a place to store data. It doesn't give you answers when a client's security team sends over a vendor questionnaire.
Audit Logging is table stakes for legal applications. Who accessed what data and when? Postgres doesn't track this by default. You need to configure logging, store logs separately, and build interfaces to query them. When a client asks for an access report, you need to actually produce one.
Row-Level Security controls who can see which records. Supabase makes this relatively easy. But "relatively easy" still means writing policies, testing edge cases, and maintaining them as your schema evolves. Get it wrong and you've got a data leak.
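The two points above, audit logging and row-level security, are easiest to see in actual Postgres DDL. The following is an added example, not code from the original post or from Supabase or Neon. It assumes a `matters` table, an application that identifies its user by setting a session variable `app.user_id` per transaction, and a single-owner access rule; the table layout, the column names and the `app_user()` helper are all assumptions made for the illustration.

```sql
-- Added example (not from the original post). Assumed schema: one matters
-- table, each row visible only to the application user who owns it.
CREATE TABLE matters (
    id          bigserial PRIMARY KEY,
    client_id   bigint NOT NULL,
    title       text   NOT NULL,
    owner_user  text   NOT NULL   -- application user allowed to see this row
);

-- The application identifies its user once per transaction with
--   SET LOCAL app.user_id = 'alice';
-- current_setting(..., true) returns NULL instead of raising when the
-- variable is unset, so a session that forgot to identify itself matches
-- no rows instead of all rows. nullif() treats '' the same way.
CREATE FUNCTION app_user() RETURNS text
    LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')
$$;

ALTER TABLE matters ENABLE ROW LEVEL SECURITY;
ALTER TABLE matters FORCE ROW LEVEL SECURITY;   -- also binds the table owner

-- Read and write access only to rows the current user owns. USING filters
-- what can be seen; WITH CHECK rejects inserts/updates that would create a
-- row the user could not see afterwards (e.g. handing a matter to someone else).
CREATE POLICY matters_owner_only ON matters
    USING      (owner_user = app_user())
    WITH CHECK (owner_user = app_user());

-- Append-only audit trail: who changed which row, how, and when.
CREATE TABLE matters_audit (
    id          bigserial PRIMARY KEY,
    matter_id   bigint,
    actor       text,                    -- app_user() at the time of the change
    action      text NOT NULL,           -- INSERT / UPDATE / DELETE
    old_row     jsonb,
    new_row     jsonb,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- SECURITY DEFINER: the trigger writes to matters_audit as the function's
-- owner, so the application role needs no privileges on the audit table and
-- cannot edit or prune the trail through its own connection.
CREATE FUNCTION log_matter_change() RETURNS trigger
    LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO matters_audit (matter_id, actor, action, old_row, new_row)
    VALUES (
        CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
        app_user(),
        TG_OP,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN CASE WHEN TG_OP = 'DELETE' THEN OLD ELSE NEW END;
END
$$;

CREATE TRIGGER matters_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON matters
    FOR EACH ROW EXECUTE FUNCTION log_matter_change();

-- Walk-through with constructed data. Run it as a non-superuser application
-- role that has been granted SELECT/INSERT/UPDATE/DELETE on matters only.
BEGIN;
SET LOCAL app.user_id = 'alice';
INSERT INTO matters (client_id, title, owner_user)
VALUES (1, 'Smith v. Jones', 'alice');       -- audited as actor 'alice'
COMMIT;

BEGIN;
SET LOCAL app.user_id = 'bob';
SELECT id, title FROM matters;               -- policy hides alice's matter from bob
UPDATE matters SET title = 'renamed';        -- touches no rows for the same reason
COMMIT;
```

Two caveats a reviewer would check before signing off on this. First, superusers always bypass row-level security, and table owners bypass it unless `FORCE ROW LEVEL SECURITY` is set, so test the policy under the role your application actually connects with, not under the role that ran the migration. Second, the policy only covers what the application asks the database for; a query that runs as a privileged role (a reporting job, a migration, a support console) will see everything, and its accesses should be logged too, which the trigger above only does for row changes, not for reads. Read auditing needs the separate logging configuration the post mentions.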
Data Residency matters for some clients. Where is the data physically stored? Can you guarantee it stays in a specific region? Managed database providers offer region selection, but demonstrating compliance requires documentation and potentially third-party audits.
HIPAA applies the moment you're storing protected health information. Personal injury cases, medical malpractice, workers' comp. You need a Business Associate Agreement with your database provider, encryption at rest and in transit, access controls, and audit trails. Supabase offers HIPAA compliance on their paid plans. Neon doesn't yet.
SOC 2 Type II certification tells enterprise clients that someone independent verified your security practices over time. Both Supabase and Neon have SOC 2. But their certification covers their infrastructure. Your application's compliance is still your responsibility.
None of these are impossible with managed Postgres. But each requires additional configuration, documentation, and often third-party audits.
Option 3: Legal-Grade Data Infrastructure
Beyond compliance, legal applications have data requirements that generic databases don't address out of the box.
Law firms don't just store records. They need matter-centric data models where everything connects to cases. They need conflict checking to ensure they're not representing adverse parties. They need retention policies that automatically handle document destruction schedules. They need audit trails that satisfy bar association requirements and client security questionnaires.
You can build this on top of Supabase or Neon. Design legal-specific schemas. Implement conflict checking logic. Build audit logging. Create retention policy enforcement. Wire up the reporting. Pursue SOC 2 certification. Negotiate BAAs. It's doable. It's also months of work that has nothing to do with what makes your app valuable.
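To make "design legal-specific schemas" and "implement conflict checking logic" concrete, here is an added example of the smallest matter-centric schema that can answer a conflict question, written as Postgres SQL. It is not code from the post or from any vendor it names. The table names, the two-role model (`client` / `adverse`) and the name-normalisation rule are assumptions chosen for the illustration; a production conflict check also has to cover former clients, affiliates and fuzzy name matching, none of which the post specifies.

```sql
-- Added example (not from the original post). Assumed matter-centric schema:
-- a matter is the hub, and every person or company tied to it is recorded
-- with the side they are on.
CREATE TABLE matters (
    id      bigserial PRIMARY KEY,
    title   text NOT NULL,
    status  text NOT NULL DEFAULT 'open'     -- open / closed
);

CREATE TABLE matter_parties (
    matter_id   bigint NOT NULL REFERENCES matters(id),
    party_name  text   NOT NULL,
    role        text   NOT NULL CHECK (role IN ('client', 'adverse')),
    PRIMARY KEY (matter_id, party_name, role)
);

-- Normalise names so 'ACME Corp.' and 'acme corp' compare equal:
-- lower-case, collapse every run of punctuation/whitespace to one space, trim.
CREATE FUNCTION norm_party(name text) RETURNS text
    LANGUAGE sql IMMUTABLE AS $$
    SELECT trim(regexp_replace(lower(name), '[^a-z0-9]+', ' ', 'g'))
$$;

-- Index on the normalised form so the check stays fast as matters accumulate.
CREATE INDEX matter_parties_norm_idx ON matter_parties (norm_party(party_name));

-- Conflict check for a prospective engagement: given the parties we would
-- represent and the parties we would oppose, return every existing matter in
-- which we already act FOR someone we would now oppose, or AGAINST someone
-- we would now represent. Closed matters are included on purpose: a former
-- client is still a conflict until someone decides otherwise.
CREATE FUNCTION conflict_check(new_clients text[], new_adverse text[])
RETURNS TABLE (matter_id bigint, title text, existing_role text, party_name text)
LANGUAGE sql STABLE AS $$
    SELECT m.id, m.title, p.role, p.party_name
    FROM matter_parties p
    JOIN matters m ON m.id = p.matter_id
    WHERE (p.role = 'client'
           AND norm_party(p.party_name) IN
               (SELECT norm_party(x) FROM unnest(new_adverse) AS x))
       OR (p.role = 'adverse'
           AND norm_party(p.party_name) IN
               (SELECT norm_party(x) FROM unnest(new_clients) AS x))
    ORDER BY m.id
$$;

-- Constructed data (assumes a fresh table, so the first matter gets id 1):
-- the firm already represents Acme against Globex.
INSERT INTO matters (title) VALUES ('Acme Corp v. Globex');
INSERT INTO matter_parties (matter_id, party_name, role) VALUES
    (1, 'Acme Corp.',  'client'),
    (1, 'Globex Inc.', 'adverse');

-- A prospective engagement for Globex against Acme: both parties come back,
-- Acme because we act for them, Globex because we act against them, even
-- though the spellings differ from what was stored.
SELECT * FROM conflict_check(ARRAY['Globex, Inc.'], ARRAY['ACME CORP']);

-- An unrelated prospective matter returns no rows.
SELECT * FROM conflict_check(ARRAY['Initech'], ARRAY['Umbrella Ltd']);
```

The point of wiring the check into the schema rather than into application code is that it runs against every matter the firm has ever recorded, not just the ones the current screen happens to know about, and an index on the normalised name keeps it cheap. The audit trail from the earlier section should record each conflict check that was run and its result, since "we checked" is exactly the question a bar complaint or a client questionnaire will ask.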
Purpose-built legal data infrastructure handles these requirements out of the box: matter-centric data models, built-in audit trails, compliance certifications, and APIs designed for legal workflows. The tradeoff is less flexibility and another vendor relationship.
Works for: Legal applications where case data is core to the product. Apps needing conflict checking, audit trails, or compliance certifications. Anything where you need confident answers to security questionnaires.
Doesn't work for: Apps that just need a place to store users and settings, whose clients don't ask hard questions about security.
Making Your Decision
Still prototyping? SQLite is fine. Don't overcomplicate it.
Need production infrastructure but data is straightforward? Supabase or Neon. Pick Supabase if you want auth and storage bundled. Pick Neon if you want serverless scaling and database branching.
Dealing with PHI or enterprise clients? You need HIPAA-compliant infrastructure and probably SOC 2 certification. Supabase can get you there. Or find a provider who's already done the legal-specific work.
Building something where case data is the product? That's where purpose-built infrastructure saves you from rebuilding what every legal tech company needs.
Databases feel like a solved problem until you're three months in, your audit logging is half-built, a BigLaw firm is asking about your SOC 2 status, and you realize you need conflict checking. Pick the right level of infrastructure for where your app is headed, not just where it is today.
Or, skip all of this. case.dev gives you production-ready legal tech infrastructure out of the box, and with Thurgood, our legal-first vibe-coding tool, you can build exactly what you want without worrying about the details. We're here to help you get your app over the finish line. Drop us a line at hello@casemark.com.
This is Part 3 of the "So You Vibe-Coded a Legaltech App?" series. Coming next: Deployment, or how to get your app in front of actual users.

