Trust & Security

Last updated May 22, 2026

LegalAI runs on HIPAA-compliant infrastructure with strong encryption, scoped access controls, and a complete audit trail for every action. This page summarizes the safeguards we have in place; for details on how we handle data, see our Privacy Policy.

HIPAA-aligned

Signed BAA with Google Cloud; HIPAA Security Rule controls (45 CFR §§ 164.300–318).

SOC 2 & ISO 27001

Hosted on Google Cloud — SOC 2 Type II and ISO 27001 certified infrastructure.

Encrypted end-to-end

AES-256 at rest, TLS 1.2+ in transit. Keys managed by Google Cloud — not by LegalAI staff.

Workspace isolation

Each customer's data is logically and physically separated; no cross-workspace access is possible.

1. Security architecture

  • Identity-first: every protected operation requires an authenticated, scoped session.
  • Server-side authorization: permission checks run on the server for all protected routes — never relied on in the browser.
  • Least privilege: users and admins only see data they need; agents retrieve only the fields required for the requested operation.

2. Cloud platform security

  • Hosted entirely on Google Cloud Platform, which is SOC 2 Type II, ISO 27001, and HIPAA certified.
  • Physical security, network security, and baseline hardening are inherited from Google Cloud's compliance posture.
  • All data resides in US regions; replication is automatic and geographically redundant.

3. Application security

  • Protected API routes require verified bearer tokens scoped to the user's workspace.
  • User isolation is enforced through collection-path scoping and Firestore security rules.
  • Defensive error handling prevents leaking sensitive data through error messages or stack traces.
  • Input validation on every write path; safe-by-default fallbacks where inputs cannot be validated.

4. Data security

  • At rest: AES-256 encryption managed by Google Cloud.
  • In transit: TLS 1.2+ across every connection; HTTPS enforced.
  • Key management: Google Cloud holds and rotates encryption keys under HIPAA-compliant protocols. LegalAI employees cannot decrypt your data.
  • Documents and metadata: stored in Google Cloud Storage and Firestore with controlled, scoped retrieval.

5. HIPAA & BAA

LegalAI operates under a signed Business Associate Agreement with Google Cloud that extends HIPAA protections to the Service. Firms that handle Protected Health Information may execute a BAA with LegalAI on request.

  • Role-based access control (RBAC) across customer, customer admin, support, operations, and security roles.
  • Multi-factor authentication required for administrators.
  • API tokens are short-lived (1 hour) and rotated automatically.
  • Inactive accounts are deactivated after 90 days of non-use.
  • BAA copies and HIPAA compliance documentation are available on request at info@legalai.com.

6. Audit and traceability

  • Cloud audit logging for administrative, read, and write activity on configured services.
  • Application-level event logs for operational observability.
  • Users can review who accessed their workspace data and when; audit logs are downloadable in CSV or JSON and admissible as evidence.

7. Reliability and safety

  • 99.5% monthly uptime target with service-credit remedies — see Section 7 of the Terms of Service.
  • Cached read patterns where appropriate to reduce unnecessary exposure and load.
  • Defensive fallbacks for any path that might otherwise fail unsafely.

8. Incident response and breach notification

If LegalAI discovers unauthorized access to your data, we will notify you within 24 hours by email and phone, with details on what was accessed, which safeguards failed, recommended actions, and full cooperation with your investigation. You remain responsible for notifying affected clients under HIPAA, state law, or other applicable obligations.

9. User security features

  • Role-aware UI; admin-only controls for privileged paths.
  • Workspace indicator and access to compliance documentation in-app.
  • Per-user audit trail visible to workspace admins.

10. Recommended organizational controls

Security is shared. We recommend that customer firms maintain:

  • Security-awareness training for all staff with workspace access.
  • Documented incident-response procedures.
  • Periodic access reviews and offboarding checklists.
  • Regular policy updates and a legal / compliance review cycle.

11. Compliance documentation & contact

For audit reports, SOC 2, ISO 27001 letters, the BAA, or any other compliance documentation, contact us at info@legalai.com. To report a vulnerability or suspected incident, email info@legalai.com.
