Trust & Security

Security built for attorney-client privilege.

Law firms trust Legalitize with their most sensitive client data. We treat security as a foundational engineering requirement — not a compliance checkbox. Our platform is designed from the ground up to meet the rigorous demands of professional responsibility, privilege, and regulatory compliance.

  • SOC 2 Type II: certified annually
  • HIPAA: BAA available
  • GDPR: SCCs in place
  • AES-256: encryption at rest
  • TLS 1.3: in transit
  • Pen tested: annual third-party
  • Audit logs: 7-year retention
  • MFA: TOTP enforced

Encryption

At Rest — AES-256

All stored data including documents, notes, messages, and database records is encrypted using AES-256. Encryption keys are managed through a dedicated KMS with automatic rotation on a 90-day schedule.

In Transit — TLS 1.3

All communications between clients, servers, and storage infrastructure use TLS 1.3. HTTPS is enforced on all endpoints with HSTS preloading to prevent any downgrade attacks.

Sensitive Fields — Application-Layer

Highly sensitive fields (MFA secrets, backup codes, API keys) are encrypted at the application layer with separately managed keys — providing defense-in-depth beyond database-level encryption.

Key Management

Encryption keys are never co-located with the data they protect. Key rotation is automatic and logged. Access to key management infrastructure is restricted to two employees with hardware security keys required.

Access Control

  • Role-Based Access Control (RBAC). Granular permissions model down to the individual matter level. Firm administrators configure which attorneys and staff can access specific matters, documents, and features. Every access decision is logged.
  • Multi-Factor Authentication. TOTP-based MFA available for all accounts and enforceable firm-wide by administrators. Compatible with Google Authenticator, Authy, and 1Password. Backup codes are encrypted at the application layer.
  • Brute-Force Protection. Accounts lock automatically after configurable failed login attempts (default: 10) with a 30-minute cooldown. Lockout events trigger immediate security alerts.
  • JWT Session Security. Short-lived access tokens (15 minutes) with rotating refresh tokens. All tokens are cryptographically signed. Refresh token rotation prevents replay attacks.
  • SSO / SAML 2.0. Enterprise customers can enforce single sign-on through their existing identity provider (Okta, Azure AD, Google Workspace) with SAML 2.0 or OIDC. Local password auth can be fully disabled.
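The lockout and session mechanics above can be shown concretely. The following is an added example written for this page, not Legalitize's code: it models the failed-attempt counter with its cooldown and alert, a signed short-lived access token (an HMAC-signed stand-in for a JWT), and refresh-token rotation in which presenting an already-rotated token is treated as a replay and revokes the whole token family. The thresholds follow the page (10 attempts, 30-minute cooldown, 15-minute access tokens); the signing key, the in-memory store and the alert sink are constructed for the demo.

```python
# Added example, not Legalitize's code: login lockout plus rotating refresh
# tokens with replay detection. Thresholds follow the page; the signing key,
# the in-memory store and the alert sink are constructed for the demo.
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10        # page default
LOCKOUT_SECONDS = 30 * 60       # 30-minute cooldown
ACCESS_TOKEN_TTL = 15 * 60      # short-lived access tokens
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # hypothetical key


@dataclass
class Account:
    failed_attempts: int = 0
    locked_until: float = 0.0   # unix time; 0 means not locked


class LoginGuard:
    """Per-account failed-attempt counter with cooldown and alerting."""

    def __init__(self, accounts):
        self.accounts = accounts    # dict: username -> Account
        self.alerts = []            # constructed sink for lockout alerts

    def is_locked(self, user, now):
        return self.accounts[user].locked_until > now

    def record_failure(self, user, now):
        """Returns True if this failure triggered a lockout."""
        acct = self.accounts[user]
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.alerts.append((user, now))   # lockout raises a security alert
            return True
        return False

    def record_success(self, user):
        self.accounts[user].failed_attempts = 0


def make_access_token(user, now):
    """HMAC-signed 'user:expiry' token (stand-in for a signed JWT)."""
    payload = f"{user}:{int(now) + ACCESS_TOKEN_TTL}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{sig}"


def verify_access_token(token, now):
    """Returns the user if the signature is valid and the token is unexpired."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    user, _, exp = payload.rpartition(":")
    if now >= int(exp):
        return None
    return user


@dataclass
class RefreshFamily:
    user: str
    current: str            # the only refresh token valid for this family
    revoked: bool = False


class SessionStore:
    """Rotating refresh tokens: each use issues a new token and retires the old
    one. Presenting a retired token means it was replayed, so the family dies."""

    def __init__(self):
        self.families = {}  # family id -> RefreshFamily
        self.by_token = {}  # refresh token -> family id

    def issue(self, user, now):
        fid = secrets.token_hex(8)
        tok = secrets.token_urlsafe(32)
        self.families[fid] = RefreshFamily(user=user, current=tok)
        self.by_token[tok] = fid
        return tok, make_access_token(user, now)

    def refresh(self, presented, now):
        """Returns (new_refresh_token, new_access_token) or None if rejected."""
        fid = self.by_token.get(presented)
        if fid is None:
            return None
        fam = self.families[fid]
        if fam.revoked:
            return None
        if not hmac.compare_digest(presented, fam.current):
            fam.revoked = True       # replay of an older token: revoke the family
            return None
        new_tok = secrets.token_urlsafe(32)
        fam.current = new_tok
        self.by_token[new_tok] = fid
        return new_tok, make_access_token(fam.user, now)
```

The design point is that a replayed refresh token is not merely rejected: it is evidence that the token was copied, so the legitimate holder's current token is revoked too and the user is forced to re-authenticate. A production system would persist this state and use a real JWT library for the access token.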

Infrastructure

Legalitize is deployed on Cloudflare's global infrastructure, which provides SOC 2 Type II and ISO 27001 certified data centers, enterprise-grade DDoS protection, and a Web Application Firewall that blocks the OWASP Top 10. Document storage uses zero-trust object storage with no public egress by default. Automatic failover is configured across multiple availability zones with a 99.99% infrastructure uptime SLA.

  • SOC 2 Type II and ISO 27001 certified data center infrastructure
  • DDoS protection and Web Application Firewall (WAF) at the network edge
  • Object storage with zero public egress — all document access routed through authenticated API only
  • Multi-zone automatic failover with 99.99% infrastructure uptime SLA
  • Geographic data residency options available for Enterprise customers (US-only storage)

Audit Logging

Every significant action in Legalitize is recorded in a tamper-evident audit log. Logs cannot be modified or deleted by any user — including administrators. All events include the actor identity, timestamp, IP address, action type, resource affected, and outcome. Firm administrators can access, filter, and export audit logs directly from the Compliance dashboard. Logs are retained for 7 years to meet state bar and federal regulatory requirements.

Events captured include: document access, uploads, and downloads; AI queries and generated outputs; login events and authentication failures; permission changes and admin actions; billing events; and API access.
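One common way to make a log tamper-evident is to hash-chain its entries. The following is an added example written for this page, not Legalitize's code: each entry carries the fields listed above plus the hash of the previous entry, and a verifier reports the first entry whose modification, deletion or reordering broke the chain. Because a chain alone cannot detect removal of the newest entries, the verifier also accepts a separately stored head hash. The sample events, IP addresses and timestamps are constructed.

```python
# Added example, not Legalitize's code: a hash-chained audit log with the
# fields the page lists and a verifier that locates the first broken entry.
# The sample events are constructed.
import copy
import hashlib
import json

GENESIS = "0" * 64   # prev-hash of the first entry


def _digest(entry):
    """SHA-256 over a canonical JSON encoding of every field except 'hash'."""
    canon = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AuditLog:
    """Append-only store; each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, actor, timestamp, ip, action, resource, outcome):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "timestamp": timestamp,
                 "ip": ip, "action": action, "resource": resource,
                 "outcome": outcome, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Latest hash; store it elsewhere so truncation is also detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Returns (True, None) if intact, else (False, index of first bad entry).
    Passing the last known head hash additionally catches dropped tail entries."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev or _digest(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def filter_events(entries, actor=None, action=None):
    """Simple filter of the kind a compliance dashboard exposes."""
    return [e for e in entries
            if (actor is None or e["actor"] == actor)
            and (action is None or e["action"] == action)]


def tampered_copy(entries, seq, field, value):
    """Deep copy with one field changed, to exercise the verifier."""
    clone = copy.deepcopy(entries)
    clone[seq][field] = value
    return clone


def demo():
    """Builds a log from constructed sample events (not real log data)."""
    log = AuditLog()
    log.append("jdoe", "2024-01-05T09:12:00Z", "203.0.113.7",
               "document.download", "matter/1042/brief.pdf", "success")
    log.append("jdoe", "2024-01-05T09:13:10Z", "203.0.113.7",
               "ai.query", "matter/1042", "success")
    log.append("admin", "2024-01-05T10:00:00Z", "198.51.100.4",
               "permission.change", "user/jdoe", "success")
    return log
```

The chain makes edits and deletions detectable by anyone holding the log, but it does not by itself stop an operator from rewriting the whole chain from a chosen point; that is why the head hash should be anchored somewhere the log writer cannot alter, such as a write-once store or a periodic signed checkpoint.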

HIPAA Compliance

For law firms handling healthcare matters, personal injury litigation, or any matters involving protected health information, Legalitize provides a HIPAA-compliant environment:

  • Business Associate Agreement (BAA) execution for Covered Entities and Business Associates
  • Automated PHI detection and classification across all uploaded documents using ML-based scanning
  • PHI access audit trails meeting 45 CFR § 164.312 technical safeguard requirements
  • Minimum necessary access controls with role-based PHI access restrictions
  • Breach notification procedures with documented response timelines within HIPAA requirements

To execute a HIPAA Business Associate Agreement, contact legal@legalitize.com. BAAs are included on Enterprise plans and available as an add-on on Firm plans.

Vulnerability Management

  • Penetration Testing. Annual third-party penetration tests conducted by independent security researchers. Reports available to Enterprise customers and prospects under NDA.
  • Dependency Scanning. Continuous automated scanning for known vulnerabilities in all dependencies. Critical patches applied within 72 hours; high severity within 7 days.
  • Responsible Disclosure. We welcome good-faith security research. Report vulnerabilities to security@legalitize.com. Acknowledgment within 24 hours; critical issues remediated within 30 days. We do not pursue legal action against good-faith researchers.

Employee Security

  • Background checks for all employees prior to hiring
  • Security awareness training conducted quarterly with phishing simulations
  • NDAs and confidentiality agreements required for all staff with access to production systems
  • Principle of least privilege — production data access requires explicit approval and is individually logged
  • Hardware security keys (FIDO2) required for all production system access by Legalitize employees

Certifications & Compliance Posture

  • SOC 2 Type II
  • HIPAA
  • GDPR
  • CCPA
  • GLBA
  • State Bar Compliant
  • OIDC / SAML 2.0
  • PCI-DSS (payments)

Our SOC 2 Type II report is available to Enterprise customers and qualified prospects under NDA. Contact security@legalitize.com to request the full report.

Questions about security?

Our security and compliance team responds to all inquiries personally.

View the Data Processing Agreement, or email security@legalitize.com.