Security Overview

A plain-language summary of the security controls LegalsOne uses to protect your firm's data. We design our architecture around the principle that law firm data deserves the same level of protection law firms demand for their clients.

Last Updated: February 23, 2026

Transparency note: Security disclosures involve trade-offs. We share enough here for your firm to make an informed decision. We don't share specifics that could aid attackers. For deeper due diligence, request our Security Questionnaire.

1. Infrastructure Architecture

Every subscribing firm receives a dedicated, single-tenant environment on Amazon Web Services (AWS). This means your firm has its own server instances, its own PostgreSQL database, and its own encrypted S3 storage bucket. Customer environments are not shared. There is no multi-tenant database where a misconfiguration could leak one firm's data to another.

This single-tenant model is a deliberate security and compliance decision. It enables firm-specific encryption keys, isolated network boundaries, independent backup schedules, and the ability to perform firm-specific maintenance without affecting other customers.

LegalsOne's management plane (which provisions and monitors firm environments) is separated from customer environments and accessible only through hardened, access-controlled pathways.

2. Encryption

In Transit

All data transmitted between users' browsers and the LegalsOne platform is encrypted using TLS 1.2 or higher. Older, weaker TLS versions are not accepted. Connections that do not meet this standard are rejected. Internal service-to-service communication within each firm's environment is also encrypted.

At Rest

All data at rest — including database content, uploaded documents, and backups — is encrypted using AES-256 via AWS SSE-KMS (Server-Side Encryption with AWS Key Management Service). Each firm has its own KMS key, meaning encryption isolation at the customer level. Disk-level encryption is also applied to all underlying volumes.

Backups

Backup archives are independently encrypted before storage and are not accessible without the corresponding decryption credentials.

3. Access Controls

Customer-Facing (Platform)

Within each firm's environment, access is governed by role-based access control (RBAC). Firm administrators configure roles and assign users to roles — for example, limiting a billing staff member to accounting views without access to case documents. Permissions are enforced at the API and application layer, not just the UI.

LegalsOne supports multi-factor authentication (MFA) for all user accounts. We strongly encourage all firms to require MFA for all staff.

LegalsOne Staff Access

LegalsOne staff do not have routine access to customer environments. Support and engineering staff may access a customer's environment only when:

  • Explicitly requested by an authorized firm administrator, or
  • Required for a critical security or infrastructure issue, with follow-up notification to the firm.

Staff access requires approval and is logged. Access follows the principle of least privilege — staff are granted only the minimum access needed for the specific task.

Internal Systems

Access to LegalsOne's internal management systems requires MFA and VPN authentication through our NetBird private network. Privileged operations require additional authentication steps.

4. Audit Logging

LegalsOne maintains audit logs of security-relevant events within each firm's environment. Logged events include:

  • User login and logout events (including failed attempts)
  • Document access, upload, download, and deletion events
  • Permission and role changes (who changed what, when)
  • Administrative actions within the platform
  • LegalsOne staff access events

Audit logs are available to firm administrators through the platform. Logs are immutable — they cannot be altered by firm users or LegalsOne support staff after the fact. Logs are retained for a minimum of 12 months (24 months on Enterprise tiers).

5. Backups

LegalsOne performs nightly encrypted backups of each firm's database and object storage. Key parameters:

  • Frequency: Once daily (with point-in-time recovery available for databases within a 7-day window on Professional and Enterprise tiers).
  • Storage: Backups are stored in a separate AWS region from primary data to provide geographic redundancy.
  • Encryption: All backup archives are encrypted at rest with firm-specific keys.
  • Retention: Backups are retained for 30 days (Starter), 60 days (Professional), or 90 days (Enterprise) by default.
  • Restore Testing: LegalsOne performs periodic restore tests to validate backup integrity.

See our Backups & Recovery Policy for RPO/RTO targets and restore request procedures.

6. Network Security

Each firm's environment is isolated within its own Virtual Private Cloud (VPC) on AWS, with strict security group rules limiting inbound and outbound network traffic. Only necessary ports and protocols are permitted. LegalsOne uses AWS WAF (Web Application Firewall) and infrastructure-level DDoS protection for public-facing endpoints.

LegalsOne staff access to management systems is exclusively through the NetBird private network — a cryptographically secured zero-trust access layer. There is no publicly routable management interface.

7. Personnel Security

  • All LegalsOne employees and contractors with access to customer environments undergo background screening as permitted by applicable law.
  • Personnel are required to complete security awareness training at onboarding and annually thereafter.
  • All personnel with system access sign confidentiality agreements.
  • Access rights are reviewed upon role changes and revoked upon departure.
  • Contractor access is time-limited and scoped to specific work.

8. Incident Response

LegalsOne maintains an incident response plan with defined roles, communication procedures, and escalation paths. In the event of a confirmed security incident affecting customer data, LegalsOne will notify affected customers within 72 hours of confirmation. Details are in our Incident Response & Breach Notification Policy.

9. Third-Party & Vendor Security

LegalsOne evaluates the security posture of subprocessors before engagement. AWS — our primary infrastructure provider — maintains industry-leading security certifications including SOC 2 Type II, ISO 27001, and FedRAMP authorizations. Our full subprocessor list is available at legalsone.com/legal/subprocessors.

10. Industry Alignment

LegalsOne designs its security controls with reference to NIST Cybersecurity Framework and CIS Controls as applicable to a SaaS provider of our size and risk profile. We do not currently hold SOC 2 Type II certification, but our controls are designed with that framework in mind. We are evaluating a formal audit engagement.

We do not represent that our platform satisfies HIPAA, FedRAMP, or any other specific regulatory framework without a separate assessment. Firms with specific regulatory requirements should discuss those needs with us directly.

11. Report a Security Concern

If you have identified a potential security vulnerability in the LegalsOne platform, please disclose it responsibly via our Vulnerability Disclosure Policy.

For security incidents related to your firm's environment: security@legalsone.com

For the Trust Center, detailed controls, and deeper due diligence materials: Trust Center