01 Our principles
Three commitments shape every design decision:
- Confidentiality first. Attorney-client privilege isn't a feature flag.
- Least privilege. People and services see only what they need.
- Assume breach. We build so that compromise of one layer doesn't cascade.
02 Encryption
Data is encrypted in transit with TLS 1.3 and at rest with AES-256. Enterprise customers can bring their own keys via AWS KMS, Azure Key Vault, or GCP KMS with customer-managed rotation.
03 Tenant isolation
Each customer tenant runs in its own logical boundary with per-tenant keys. Queries and prompts never cross tenants. Model inference happens in isolated pods; no cross-tenant caching, no shared embeddings.
04 Certifications and audits
| Framework | Status | Detail |
|---|---|---|
| DPDP Act (India) | Aligned | India data residency by default |
| SOC 2 Type II | Controls aligned; audit in progress | Roadmap on request |
| ISO 27001 | Controls aligned | Roadmap on request |
| GDPR | Aligned (DPA available) | For customers with EU data subjects |
We describe our posture precisely: where an external audit or certification is complete, we say certified; until then, we say aligned. Ask security@lawyerdesk.ai for the current status of any framework.
05 Access controls
We provide SAML SSO, SCIM provisioning, role-based access control, and IP allow-listing, and require MFA for all LawyerDesk employees. Break-glass access to customer data is audited end-to-end and requires customer approval for enterprise tenants.
06 Testing and disclosure
We commission third-party penetration tests twice a year and run continuous vulnerability scanning. We welcome responsible disclosure at security@lawyerdesk.ai with a 90-day coordinated-disclosure window.
07 Incident response
Incidents are triaged within one hour and investigated by a dedicated security team; customers are notified within 72 hours of confirmation, in line with GDPR/DPDP. Post-incident reports are delivered to affected customers within 30 days.
Questions about this document?
Our legal team responds within two business days. Enterprise customers can reach their dedicated counsel through the support portal.