Security at LawMate

Encryption, per‑user isolation, strict RBAC, and exhaustive audit logs—designed for legal workflows.

Architecture & isolation

We use per‑user/tenant isolation (including row‑level protections) and safe query patterns. Client portal access uses token‑scoped, time‑boxed links.

Encryption

TLS in transit; strong encryption at rest; key material is access‑controlled and rotated.

Identity & access (RBAC, SSO)

Role‑based access across the stack. Tokens are scoped, device‑bound, and time‑boxed. Our OTC SSO bridge exchanges a one‑time code from web to desktop/mobile without exposing tokens in the browser.

Audit logging

We log access, signatures, approvals, downloads, and administrative changes with actor, timestamp, IP, and user agent.

Retention & deletion

Operational data is retained as necessary to provide the Service; export is available during the term; upon termination we delete or anonymize data per policy, retaining limited security logs where required.

Backups & disaster recovery

Automated backups with point‑in‑time recovery windows; redundancy for critical components; periodic restore tests; tracked RTO/RPO objectives.

Secure SDLC & vulnerability management

Code review, dependency scanning, container/image scanning, and timely patching. Secrets management follows least‑privilege and rotation practices.

Testing & penetration tests

We run periodic internal testing and may commission third‑party assessments. Findings are triaged and remediated according to severity SLAs.

Subprocessors

We use vetted providers (e.g., hosting, email, analytics, payments, AI) under appropriate agreements. A current list is available on request, and notice will be given upon material changes.

Compliance & privacy

Workflows align with ESIGN/UETA for e‑signatures; billing supports LEDES/IOLTA conventions. See the Privacy Policy for GDPR/CCPA and DPA/SCC information.

Incident response

  • Detection via monitoring and alerting
  • Triage, containment, eradication, recovery
  • Post‑mortems and corrective actions

Uptime & component health

See real‑time availability and incident history.

Status page