Data Security


1. Overview

At Lawgical, we prioritize the confidentiality, integrity, and availability of user data. We implement industry-standard encryption, authentication mechanisms, and data isolation to ensure data protection in transit, at rest, and upon access. We employ the security principle of defense in depth, ensuring multiple layers of protection across our infrastructure. This means that even if one security control is compromised, additional layers of security will continue to protect sensitive data.

This document provides an overview of how we handle data security for our clients.

2. Data in Transit

Data in transit refers to data actively moving between clients, servers, and databases. Lawgical implements robust security measures to ensure data confidentiality, integrity, and availability during transmission.

Security Measures:

1. HTTPS (TLS Encryption)

All communications between clients and our servers use HTTPS, secured via the latest TLS 1.3 protocol, which provides enhanced security and performance. We utilize AES-256 to ensure strong encryption and protection against unauthorized interception.

2. JWT (JSON Web Tokens)

We utilize JWTs for secure authentication and session management, ensuring secure and stateless user authentication.

3. OAuth2 Providers

Lawgical uses OAuth2 to provide a secure and scalable authentication solution, enabling single sign-on (SSO) and identity management for our users.

4. Passwordless Sign-ins

We support passwordless authentication via magic links, allowing users to securely access their accounts without traditional passwords.

3. Data at Rest

Data at rest refers to stored data that is not actively being transmitted. Lawgical employs stringent encryption methods to safeguard stored information.

Security Measures:

1. Encryption at Rest

All stored data is encrypted using AES-256 to prevent unauthorized access.

2. Full-Disk Encryption

We have Full-Disk Encryption (FDE) enabled at the infrastructure level, which is managed by Supabase. This ensures that all data stored on physical disks is automatically encrypted, providing an additional layer of protection against data breaches and unauthorized access.

3. Column-Level Encryption

For highly sensitive data, we implement column-level encryption. This allows us to encrypt specific fields, such as personally identifiable information (PII) or financial records, ensuring that even in the event of a data breach, the encrypted data remains unreadable without the proper decryption keys.

4. Database Architecture and Data Isolation Strategy

1. Multi-Tenant Database Design

We use a shared database to manage multiple law firms while maintaining strict tenant isolation. Each law firm is assigned a unique id, which is used to logically separate users, cases, and other firm-specific data.

The core relational structure includes:
- Firms Table – Stores law firm metadata (id).
- Users Table – Associates each user with a specific firm (firm_id).
- Other Tables – Cases, documents, status updates, billing, etc. for a specific firm (firm_id).

2. Application-Level Tenant Isolation

All queries to the database are scoped to the logged-in user’s firm_id. This prevents unauthorized access, ensuring users only interact with their own firm’s data.

3. Row-Level Security (RLS)

We implement RLS policies at the database level to provide an additional layer of security. Even if an application-level issue occurs, the database will block unauthorized queries that attempt to access data outside a user's firm.

4. Role-Based Access Control (RBAC) for Law Firm Users

Each law firm can define roles such as Admin, Attorney, and Paralegal with granular permissions. RBAC ensures that sensitive actions (e.g., case modifications) can only be performed by authorized roles.
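
The tenant isolation and Row-Level Security described in this section can be expressed in PostgreSQL as follows. This is an added example, not Lawgical's actual schema or policies: the table layout beyond `id` and `firm_id`, the `current_firm_id()` helper, and the use of Supabase's `auth.uid()` to identify the caller are assumptions.

```sql
-- Added example: hypothetical schema following the page's description
-- (firms.id, users.firm_id, other tables keyed by firm_id).
create table firms (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table users (
  id      uuid primary key,            -- assumed to match auth.uid()
  firm_id uuid not null references firms (id)
);

create table cases (
  id      uuid primary key default gen_random_uuid(),
  firm_id uuid not null references firms (id),
  title   text not null
);

-- Hypothetical helper: resolve the caller's firm from the authenticated user id.
-- SECURITY DEFINER lets it read users even though users is itself under RLS;
-- the pinned search_path keeps the lookup bound to the intended table.
create function current_firm_id() returns uuid
language sql stable security definer
set search_path = public
as $$
  select firm_id from users where id = auth.uid()
$$;

alter table users enable row level security;
alter table cases enable row level security;

-- USING filters rows on read/update/delete; WITH CHECK rejects inserts or
-- updates that would write a row into another firm.
create policy users_same_firm on users
  for select
  using (firm_id = current_firm_id());

create policy cases_same_firm on cases
  for all
  using (firm_id = current_firm_id())
  with check (firm_id = current_firm_id());

-- An unscoped application query now returns only the caller's firm:
--   select * from cases;
-- With no authenticated user, current_firm_id() is null and no row matches.
```

Table owners and roles with `BYPASSRLS` are not subject to these policies unless `FORCE ROW LEVEL SECURITY` is set, so the check only backs up application-level scoping for connections made under an ordinary role.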

5. Backups and Disaster Recovery

1. Daily Backups

Our database is automatically backed up every 24 hours. These daily backups are managed by our cloud providers and ensure that client data is regularly preserved and recoverable in the event of accidental deletion, corruption, or other unexpected issues.

2. Infrastructure and Data Hosting

Lawgical uses cloud, software, and payment services from the following providers:
- Supabase (AWS West 1 (Northern California)) - Database, Server Functions, Storage. Supabase is SOC 2 Type 2 and HIPAA compliant.
- Google Cloud - Document AI, Cloud Functions
- Stripe - Payments, invoicing, subscriptions. Stripe is a certified PCI Service Provider Level 1.
- Vercel - Frontend hosting. Vercel is ISO 27001, SOC 2 Type 2, PCI DSS, HIPAA, GDPR, and DPF compliant.

How to Contact Us

We adhere to best practices for security, data protection, and compliance requirements to ensure that all sensitive legal and client data remains secure.

If you have any questions about Lawgical’s security measures or require additional details, please contact our Security Team at support@lawgical.app.

For data deletion requests, please email us at the same address with your request. We take these requests seriously and will process them as quickly as possible in accordance with our internal data handling and compliance policies.

Last updated: April 12, 2025