Trust & Security

Security at Legalitize

Law firms trust Legalitize with their most sensitive client data. We treat security as a foundational requirement — not an afterthought. Our platform is built from the ground up to meet the rigorous demands of attorney-client privilege and legal professional responsibility.

🛡️

SOC 2 Type II

Certified annually

🏥

HIPAA Compliant

BAA available

🔐

AES-256

Encryption at rest

🌐

TLS 1.3

Encryption in transit

🔍

Pen Tested

Annual third-party

📋

Audit Logging

Immutable trail

Encryption

At Rest. All data stored in Legalitize — including documents, matter notes, messages, and database records — is encrypted using AES-256. Encryption keys are managed through Cloudflare's Key Management Service with automatic rotation.

In Transit. All communications between your browser, our servers, and our storage infrastructure use TLS 1.3. We enforce HTTPS on all endpoints and use HSTS to prevent downgrade attacks.

Sensitive Fields. Particularly sensitive fields (MFA secrets, backup codes) are encrypted at the application layer with separate keys, providing defense in depth beyond database-level encryption.

Access Control

Role-Based Access Control (RBAC). Legalitize enforces granular role-based permissions. Firm administrators can configure which attorneys and staff can access specific matters, documents, and features.

Multi-Factor Authentication (MFA). MFA is available for all accounts and can be enforced firm-wide by administrators. We support TOTP authenticator apps (Google Authenticator, Authy, 1Password) with encrypted backup codes.

Account Lockout. Accounts are automatically locked after configurable failed login attempts (default: 10) with a 30-minute cooldown, preventing brute-force attacks.

Session Security. Sessions use cryptographically signed JWT tokens with configurable expiry. All access tokens are short-lived; refresh tokens are rotated on each use.

Infrastructure

Legalitize is hosted on Cloudflare's global infrastructure, which provides:

SOC 2 Type II and ISO 27001 certified data centers
DDoS protection and Web Application Firewall (WAF)
Cloudflare R2 object storage with zero-egress-fee architecture
Automatic failover and 99.99% uptime SLA on infrastructure
Geographic data residency options available for enterprise customers

Audit Logging

Every significant action in Legalitize — document access, uploads, AI queries, login events, permission changes, and admin actions — is recorded in an immutable audit log. Logs include:

Timestamp, actor identity, and IP address
Action type and resource affected
Success/failure outcome
Metadata relevant to the event (file names, matter IDs, etc.)

Audit logs are retained for 7 years to support regulatory requirements. Firm administrators can access and export audit logs from the Compliance dashboard.

HIPAA Compliance

For law firms handling healthcare matters, Legalitize supports HIPAA compliance through:

Business Associate Agreement (BAA) execution for Covered Entities and Business Associates
Automated PHI detection and classification in uploaded documents
PHI access audit trails meeting 45 CFR § 164.312 requirements
Minimum necessary access controls
Breach notification procedures within required timelines

Contact legal@legalitize.com to execute a BAA.

Vulnerability Management

Penetration Testing. We engage independent security researchers to conduct annual penetration tests against our platform. Reports are available to enterprise customers under NDA.

Responsible Disclosure. If you discover a security vulnerability in Legalitize, please report it to security@legalitize.com. We will acknowledge receipt within 24 hours and target remediation within 30 days for critical issues. We do not pursue legal action against good-faith security researchers.

Dependency Management. We continuously monitor dependencies for known vulnerabilities using automated scanning and apply security patches within 72 hours for critical issues.

Incident Response

Legalitize maintains a documented Incident Response Plan (IRP) that includes:

24/7 security monitoring with automated alerting
Defined escalation paths and on-call security personnel
Breach notification to affected Customers within 72 hours (GDPR) / without unreasonable delay (HIPAA)
Post-incident root cause analysis and remediation documentation

Employee Security

Background checks for all employees prior to hiring
Security awareness training quarterly
NDAs and confidentiality agreements for all staff
Principle of least privilege — production data access is restricted and logged
Phishing simulation exercises annually

Certifications & Compliance

SOC 2 Type IIHIPAAGDPRCCPAGLBAState Bar Compliant

Our SOC 2 Type II report is available to enterprise customers and prospects under NDA. Please contact security@legalitize.com to request access.

Questions or Reports

Security issues: security@legalitize.com
Compliance inquiries: compliance@legalitize.com
DPA / BAA execution: legal@legalitize.com

View Data Processing Agreement →