Security Controls

A detailed technical reference of the security controls in place within the LegalsOne platform.

Effective Date: February 23, 2026

This page provides a detailed technical reference of LegalsOne's security controls. It complements our Security Overview (plain-language) and Compliance Overview. Organizations requiring a more detailed security review may contact security@legalsone.com.

Architecture & Tenant Isolation

  • Single-tenant infrastructure: Each law firm receives its own dedicated AWS environment, including a dedicated VPC, EC2 instances (or equivalent compute), RDS PostgreSQL instance, and S3 bucket.
  • No shared database: Firm data is never stored in a multi-tenant database. Isolation is enforced at the infrastructure level (a separate RDS instance per firm), not merely by separate schemas within a shared instance.
  • No shared storage: Each firm's document and attachment storage is a dedicated S3 bucket. Bucket policies and IAM role policies scope each firm's application role to its own bucket, so a request from another firm's environment is denied at the policy level rather than by application logic.
  • Environment tagging: All resources are tagged with firm-specific identifiers and environment metadata to support IAM boundary enforcement and cost allocation.

Encryption in Transit

  • TLS 1.2 minimum: All traffic between users and the LegalsOne platform is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
  • TLS 1.3: TLS 1.3 is supported and preferred where client capabilities support it.
  • Certificate management: SSL/TLS certificates are managed via AWS Certificate Manager (ACM) with automated renewal.
  • Internal service communication: All internal service-to-service communication within the AWS VPC also occurs over encrypted channels.
  • Integration traffic: Data transmitted to and from third-party integrations (Microsoft 365, Zoom, payment processors) uses TLS 1.2+.

Encryption at Rest

  • Database encryption: All RDS PostgreSQL instances are encrypted at rest using AES-256 via AWS KMS. Each firm has a distinct KMS key.
  • Object storage encryption: All objects in S3 are encrypted using SSE-KMS (Server-Side Encryption with AWS KMS). Per-firm KMS keys ensure cryptographic isolation.
  • Key management: AWS KMS manages key creation, rotation, and access control. Keys are rotated annually (the KMS automatic-rotation default). Rotation generates new key material for future encryption operations and retains the previous material to decrypt existing data; it does not re-encrypt stored data and is not a substitute for key destruction. Key access is restricted to authorized IAM roles only.
  • Backup encryption: All backup data (database snapshots, S3 cross-region copies) is encrypted under the same per-firm KMS key as the source data. Because a KMS key can only be used in the region where it was created, cross-region copies require the firm's key to be a multi-Region key whose replica in the secondary region shares the same key material.
  • Deletion via key destruction: Cryptographic deletion is used on termination: scheduling the firm's KMS key for deletion renders all data encrypted under it, including backups that share the key, permanently unrecoverable. KMS enforces a waiting period of 7 to 30 days before key material is destroyed, during which the deletion can be cancelled, so data remains recoverable until that period ends. This complements physical deletion procedures.
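The bucket-and-key isolation described under Architecture & Tenant Isolation and Encryption at Rest can be checked mechanically. The following block is an added illustration written for this page, not LegalsOne's infrastructure code: it generates a per-firm S3 bucket policy of the kind those controls imply (only the firm's application role may use the bucket, uploads must name the firm's own KMS key, plaintext transport is refused) and runs sample requests through a deliberately simplified IAM-style evaluator. The account number, region, firm IDs, bucket and role naming scheme and key IDs are all invented placeholders.

```python
"""Per-firm S3 bucket policy plus a simplified IAM-style evaluator.

Added illustration for this page, not LegalsOne code. Account number, region,
firm IDs, naming scheme and key IDs below are invented placeholders.
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder AWS account
REGION = "us-east-1"      # placeholder region


def firm_arns(firm_id: str) -> dict:
    """Invented naming scheme: one bucket, one KMS key and one app role per firm."""
    return {
        "bucket": f"arn:aws:s3:::legalsone-{firm_id}-docs",
        "key": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{firm_id}-0000-key",
        "role": f"arn:aws:iam::{ACCOUNT}:role/legalsone-{firm_id}-app",
    }


def firm_bucket_policy(firm_id: str) -> dict:
    """Bucket policy: only this firm's role, only this firm's key, only over TLS."""
    a = firm_arns(firm_id)
    objects = a["bucket"] + "/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # explicit allow for the firm's own application role
                "Sid": "FirmRoleOnly",
                "Effect": "Allow",
                "Principal": {"AWS": a["role"]},
                "Action": ["s3:GetObject", "s3:PutObject",
                           "s3:DeleteObject", "s3:ListBucket"],
                "Resource": [a["bucket"], objects],
            },
            {   # uploads must be SSE-KMS encrypted under this firm's key
                "Sid": "RequireFirmKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": a["key"]}},
            },
            {   # refuse any request that did not arrive over TLS
                "Sid": "RequireTLS",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [a["bucket"], objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _statement_matches(stmt: dict, req: dict) -> bool:
    """Simplified matching: '*' wildcards plus StringEquals/StringNotEquals/Bool."""
    principals = ["*"] if stmt["Principal"] == "*" else _as_list(stmt["Principal"]["AWS"])
    for name, patterns in (("principal", principals),
                           ("action", _as_list(stmt["Action"])),
                           ("resource", _as_list(stmt["Resource"]))):
        if not any(fnmatch.fnmatchcase(req[name], p) for p in patterns):
            return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = req["context"].get(key)  # None when the request lacks the key
            if operator in ("StringEquals", "Bool") and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False  # a missing key counts as "not equal", so it is denied
    return True


def evaluate(policy: dict, req: dict) -> str:
    """IAM order of evaluation: explicit Deny wins, then Allow, else implicit Deny."""
    matched = [s for s in policy["Statement"] if _statement_matches(s, req)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "Deny"


def decide(caller_firm: str, action: str, bucket_firm: str, key_firm=None, tls=True) -> str:
    """Decision for caller_firm's app role performing `action` on bucket_firm's bucket."""
    context = {"aws:SecureTransport": "true" if tls else "false"}
    if key_firm is not None:  # header naming the KMS key requested for SSE-KMS
        context["s3:x-amz-server-side-encryption-aws-kms-key-id"] = firm_arns(key_firm)["key"]
    req = {"principal": firm_arns(caller_firm)["role"], "action": action,
           "resource": firm_arns(bucket_firm)["bucket"] + "/matter-42/brief.pdf",
           "context": context}
    return evaluate(firm_bucket_policy(bucket_firm), req)


if __name__ == "__main__":
    print(decide("firm-a", "s3:PutObject", "firm-a", "firm-a"))             # Allow
    print(decide("firm-b", "s3:GetObject", "firm-a"))                       # Deny: other firm's role
    print(decide("firm-a", "s3:PutObject", "firm-a", "firm-b"))             # Deny: other firm's key
    print(decide("firm-a", "s3:PutObject", "firm-a", "firm-a", tls=False))  # Deny: plaintext
```

The bucket policy alone does not stop a firm's role from being granted another firm's key elsewhere; the matching KMS key policy must restrict kms:Encrypt, kms:Decrypt and kms:GenerateDataKey* on each key to that firm's role in the same way. The evaluator is a teaching simplification: real IAM also merges identity policies, permission boundaries and SCPs, and supports many more condition operators.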

Identity & Access Management

  • Role-based access control (RBAC): Platform access is governed by defined role tiers (e.g., attorney, paralegal, admin). Each role receives only the permissions necessary for its function.
  • Multi-factor authentication (MFA): MFA is required for all platform user accounts and for all LegalsOne staff accounts with access to production infrastructure.
  • Session management: Sessions expire after a configurable period of inactivity (default: 30 minutes for platform sessions; shorter for admin interfaces).
  • Password requirements: Passwords must meet minimum complexity requirements. Stored passwords are hashed with bcrypt or an equivalent slow, salted password hash (e.g., scrypt or Argon2); plaintext passwords are never stored.
  • Account lockout: Accounts are temporarily locked after repeated failed authentication attempts to prevent brute-force attacks.
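A minimal implementation of the lockout and inactivity rules above, added here as an illustration and not taken from the LegalsOne code base. The failure threshold (5), lock duration (15 minutes) and admin idle timeout (10 minutes) are assumptions; only the 30-minute default idle timeout is stated on this page. Standard-library scrypt is used in place of bcrypt so the block runs without third-party packages, and the clock is injected so the timing behaviour can be exercised directly.

```python
"""Account lockout and idle-session expiry.

Added illustration of the controls above, not LegalsOne code. Thresholds are
assumptions, and stdlib scrypt stands in for bcrypt so this runs without
extra packages.
"""
import hashlib
import hmac
import secrets

MAX_FAILURES = 5            # assumed: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed: length of the temporary lock
IDLE_TIMEOUT = {"user": 30 * 60, "admin": 10 * 60}  # 30 min default; admin value assumed


def hash_password(password: str) -> tuple:
    """Salted, memory-hard hash (scrypt here; bcrypt or Argon2 are equivalent choices)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


_DUMMY = hash_password("dummy")  # verified for unknown users so timing does not reveal existence


class AuthStore:
    """In-memory stand-in for the user table and session store."""

    def __init__(self):
        self.users = {}     # username -> salt, digest, role, failures, locked_until
        self.sessions = {}  # token -> user, role, last_seen

    def register(self, username: str, password: str, role: str = "user"):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "role": role,
                                "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: float):
        """Returns (token, status). The HTTP layer should map 'invalid' and 'locked'
        to one generic message so callers cannot tell which accounts exist or are locked."""
        user = self.users.get(username)
        if user is None:
            verify_password(password, *_DUMMY)   # spend the same time as a real check
            return None, "invalid"
        if now < user["locked_until"]:
            return None, "locked"                # password is not checked while locked
        if not verify_password(password, user["salt"], user["digest"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["failures"] = 0
                user["locked_until"] = now + LOCKOUT_SECONDS
                return None, "locked"
            return None, "invalid"
        user["failures"] = 0                     # success resets the counter
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "role": user["role"], "last_seen": now}
        return token, "ok"

    def check_session(self, token: str, now: float):
        """Returns the username for a live session, or None; idle sessions are dropped."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT[s["role"]]:
            del self.sessions[token]             # expired: remove rather than refresh
            return None
        s["last_seen"] = now                     # activity extends the session
        return s["user"]

    def logout(self, token: str):
        self.sessions.pop(token, None)
```

The lock is checked before the password, so a correct password submitted during the lock window does not unlock the account early, and the lock is released by elapsed time rather than by an administrator. For a multi-node deployment the same counters would live in a shared store with the same semantics.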

LegalsOne Staff Access Controls

  • Need-to-access basis: LegalsOne staff access to production systems is strictly limited to personnel with a specific operational need. No general broad access is granted.
  • VPN requirement: All staff access to production infrastructure requires connection via NetBird (WireGuard-based) VPN. Production environments are not directly internet-accessible to staff.
  • Access logging: All staff access to production systems is logged with identity, timestamp, and action. Logs are reviewed periodically.
  • Privileged access management: Privileged operations (e.g., database-level access, infrastructure changes) require additional authorization and are logged at an elevated audit level.
  • Offboarding: Staff access is revoked within 24 hours of separation. VPN access (the user's NetBird account and its registered WireGuard peers) is revoked immediately.

Audit Logging

  • User activity logs: All user login events, document access events, record modifications, permission changes, and administrative actions are logged with user identity, IP address, and timestamp.
  • Immutability: User-facing audit logs cannot be deleted or modified by any platform user, including account administrators. They are stored in append-only infrastructure.
  • Retention: Audit logs are retained for 12 months (Starter), 24 months (Professional/Enterprise). See Data Retention Policy.
  • Export: Account administrators can export audit logs in CSV format for compliance review or legal hold purposes.
  • Infrastructure logs: AWS CloudTrail, VPC Flow Logs, and CloudWatch Logs capture infrastructure-level events and are retained for 90 days.

Network Security

  • VPC isolation: Each firm's environment is deployed within its own AWS Virtual Private Cloud (VPC) with security groups limiting inbound and outbound traffic to only what is required.
  • Web Application Firewall (WAF): AWS WAF is deployed in front of platform endpoints to filter common web attacks (OWASP Top 10 categories, including SQL injection, XSS).
  • DDoS protection: AWS Shield Standard provides baseline DDoS protection for all environments.
  • No direct database exposure: Database instances are deployed in private subnets with no direct internet access.
  • Port minimization: Security groups follow a deny-all-by-default approach. Only required ports and protocols are explicitly permitted.

Backup Controls

  • Nightly automated backups of all database and document storage data
  • Cross-region storage in a secondary AWS region
  • Encrypted using per-firm KMS keys
  • Retention: 30 days (Starter), 60 days (Professional), 90 days (Enterprise)
  • Restore capability: full environment or point-in-time database restore

See the Backups & Recovery Policy for full detail.

Vulnerability Management

  • Dependency scanning: Automated scanning of application dependencies for known CVEs as part of the CI/CD pipeline.
  • Patch management: Security patches for OS and platform dependencies are applied on a prioritized schedule — critical patches within 72 hours; high-severity patches within 14 days; others within 30 days.
  • Penetration testing: LegalsOne plans annual third-party penetration testing of the platform. Current status: initial assessment in progress. Once testing is complete, summary reports will be made available to customers on request under a signed NDA.
  • Vulnerability disclosure: We accept responsible disclosure reports at security@legalsone.com. See our Vulnerability Disclosure Policy.

Incident Response

  • Dedicated incident response process with defined severity levels
  • Customer notification within 72 hours of confirming a data breach affecting customer data
  • Postmortem publication for Critical/High incidents within 14 days
  • AWS CloudWatch and custom alerting for anomaly detection

See the Incident Response Policy for full detail.

Contact

Security questions or to request our security documentation package: security@legalsone.com