Trust & Compliance Center
Enterprise-grade security, regulatory compliance, and unwavering commitment to protecting your sensitive legal information
Security certifications
Legali is built on a foundation of enterprise-grade security, regulatory compliance, and unwavering commitment to protecting your sensitive legal information. We've invested in the same rigorous security infrastructure used by Fortune 500 companies and major law firms—and made it accessible to individuals who need it most.
SOC 2 Type II certified
Independently audited annually with 12-month continuous observation
- Independently audited annually
- 12-month continuous observation
- All five trust service criteria
- Report available upon request
GDPR & CCPA compliant
EU's gold-standard privacy and California rights nationwide
- EU's gold-standard privacy
- California rights nationwide
- Comprehensive user controls
- Transparent data practices
HIPAA-grade security
Healthcare-level encryption and protection for sensitive information
- Healthcare-level encryption
- Business associate agreements
- Protected health information
- Audit controls & logging
ISO 27001 aligned
International security standards with continuous improvement
- International security standards
- 18 control families implemented
- Continuous improvement framework
- Regular compliance audits
SOC 2 Type II certification
Service Organization Control (SOC) 2 is the gold standard for security certifications in the technology industry. Our Type II certification proves we maintain strong security controls consistently over time, not just during an audit period.
The five trust service criteria
- Security - Protection against unauthorized access, network security, access controls
- Availability - System uptime monitoring, disaster recovery, business continuity
- Processing Integrity - Complete, valid, accurate, timely, and authorized processing
- Confidentiality - Protection of sensitive information with encryption standards
- Privacy - Collection, use, retention, disclosure, and disposal of personal information
Encryption standards
Data at rest
- AES-256 encryption (US Government TOP SECRET standard)
- AWS Key Management Service (KMS) with Hardware Security Modules
- Automatic key rotation every 90 days
- Zero-knowledge encryption available for ultra-sensitive documents
Data in transit
- TLS 1.3 with perfect forward secrecy
- 2048-bit RSA or 256-bit ECC certificates
- No outdated protocols (SSL, TLS 1.0/1.1)
- End-to-end encryption for attorney communications
Security headers implementation
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()Access control
Multi-factor authentication (MFA)
We support multiple MFA methods to ensure secure access to your account:
- TOTP (Google Authenticator, Authy, 1Password)
- SMS/Text message verification
- Email verification codes
- Hardware security keys (FIDO2/WebAuthn - YubiKey, Titan)
- Biometric authentication (Face ID, Touch ID, Fingerprint)
Security recommendation: MFA is mandatory for all employees and strongly recommended for all users. Enable it now in Account Settings → Security.
Password requirements
- Minimum 12 characters (16+ recommended)
- Bcrypt hashing with salt (work factor: 12)
- Checked against breach databases
- 10-password history enforcement
- Secure reset process only (no password recovery)
Session management
- 15-minute idle timeout (configurable up to 60 minutes)
- 24-hour absolute session expiration
- Maximum 3 concurrent devices
- Remote logout capability from all devices
- Active session monitoring with device details
Your privacy rights
Under GDPR and CCPA, you have comprehensive rights over your personal data. We extend these rights to all users, regardless of location.
Right to know
Access all your personal data in JSON, CSV, or PDF format. Self-service export available 24/7.
Right to correction
Update inaccurate information immediately through your account settings or with support assistance.
Right to deletion
Delete your account and all data with a 30-day grace period. Permanent deletion after 30 days.
Right to portability
Export your data in machine-readable formats to transfer to another service provider.
How to exercise your rights
Self-service portal
Access: Account Settings → Privacy Rights
Features: Immediate access to most functions, no waiting period
Available: 24/7
Email request
Email: privacy@legali.ai
Response: Within 30 days (GDPR) or 45 days (CCPA)
Required: Identity verification
Phone request
Toll-Free: 1-800-LEGALI-1 (1-800-534-2541)
Hours: Monday-Friday, 9 AM - 5 PM Pacific
Support: Privacy rights specialists
Data retention & deletion
| Account status | Retention period | User control |
|---|---|---|
| Active account | While account is active | Full control, can delete anytime |
| Inactive 24+ months | 90-day grace period after notification | Can reactivate to prevent deletion |
| Deleted account | 30 days soft delete (recoverable) | Can recover within 30 days |
| Permanent deletion | After 30 days, backups within 90 days | Not recoverable |
| Legal requirements | 7 years (financial records, audit logs) | De-identified where possible |
Deletion timeline: When you delete your account, data is soft-deleted for 30 days (recoverable), then permanently deleted. Backups are purged within 90 days. Legal retention requirements apply to financial records (7 years) and audit logs (7 years, de-identified).
Infrastructure security
AWS cloud architecture
SOC 1/2/3, ISO 27001, PCI DSS Level 1, FedRAMP certified with multi-region deployment
Network security
AWS WAF, DDoS protection, intrusion detection, and network segmentation
PostgreSQL hardening
Row-level security, SSL/TLS required, encrypted at rest and in transit
Disaster recovery
4-hour RTO, 1-hour RPO, 99.999999999% data durability with automated backups
Cloud architecture
Provider: Amazon Web Services (AWS)
- SOC 1/2/3, ISO 27001, PCI DSS Level 1, FedRAMP certified
- Multi-region deployment (US-East-1, US-West-2)
- 3+ Availability Zones per region for redundancy
- 99.9% uptime SLA (99.97% actual 2024 performance)
Network security
- AWS WAF (Web Application Firewall) with OWASP Top 10 protection
- DDoS protection (AWS Shield Standard + Advanced)
- Intrusion Detection System (AWS GuardDuty)
- Network segmentation with private subnets
- VPC with NACLs and security groups
Database security
PostgreSQL hardening
- Row-level security enabled for tenant isolation
- SSL/TLS required for all connections
- Encrypted at rest and in transit
- Point-in-time recovery (35-day retention)
- Automated encrypted backups with cross-region replication
- Database activity monitoring and query logging
Business continuity & disaster recovery
Recovery objectives:
- RTO (Recovery Time Objective): 4 hours maximum
- RPO (Recovery Point Objective): 1 hour maximum data loss
- 99.999999999% (11 9's) data durability
Backup strategy:
- Continuous backup with point-in-time recovery
- Daily automated snapshots (35-day retention)
- Weekly full backups (1-year retention)
- Cross-region replication for disaster recovery
- Monthly restore testing to verify integrity
2024 performance: 99.97% uptime achieved (exceeding our 99.9% SLA). Zero data loss incidents. Average recovery time in drills: 2.3 hours (well within 4-hour RTO).
Security monitoring & incident response
24/7 security operations center
SIEM monitoring with Splunk, AWS CloudWatch, and real-time alerting via PagerDuty
Incident response
P0 (15 min), P1 (1 hour), P2 (4 hours), P3 (24 hours) response time SLAs
Data breach response
72-hour notification, credit monitoring, identity theft insurance, and transparent communication
24/7 security operations center (SOC)
Our security team monitors systems around the clock to detect and respond to threats in real-time.
Monitoring tools
- SIEM: Splunk Enterprise Security for log aggregation and correlation
- Infrastructure: AWS CloudWatch and Datadog for performance monitoring
- Threat Intelligence: Multiple feeds integrated for emerging threats
- Real-time alerting with PagerDuty for critical incidents
What we monitor
- Failed login attempts (threshold: 5 in 5 minutes)
- Unusual access patterns (geographic, temporal anomalies)
- Data exfiltration attempts and large data queries
- Configuration changes and privilege escalations
- API abuse patterns and rate limit violations
- Malware and phishing attempts
Incident response
| Priority | Description | Response time |
|---|---|---|
| P0 - Critical | Active data breach, ransomware, complete outage | 15 minutes |
| P1 - High | Suspected breach, major vulnerability, partial outage | 1 hour |
| P2 - Medium | Minor security incident, service degradation | 4 hours |
| P3 - Low | Policy violation, non-critical vulnerability | 24 hours |
Data breach response
In the unlikely event of a data breach, we commit to:
- Notify affected users within 72 hours of discovery
- Provide transparent communication about what happened
- Offer 12-24 months of free credit monitoring
- Provide identity theft insurance ($1M coverage)
- Establish dedicated support team for affected users
- Publicly post incident report and remediation steps
Track record: Since inception, zero data breaches affecting user data. Last security incident (Q2 2024) was minor and non-customer-impacting. Total users affected by breaches: 0.
Vendor & third-party management
SOC 2 certified vendors
All vendors handling customer data are SOC 2 Type II certified with strict data processing agreements
AI vendor transparency
Zero data retention, no model training, no data sharing, and opt-out available
Critical vendors
All vendors handling customer data are SOC 2 Type II certified and operate under strict data processing agreements.
| Vendor | Purpose | Certifications |
|---|---|---|
| Amazon Web Services | Cloud infrastructure hosting | SOC 2, ISO 27001, PCI DSS Level 1 |
| Stripe | Payment processing | SOC 2, PCI DSS Level 1 |
| SendGrid (Twilio) | Email delivery | SOC 2, GDPR compliant |
| Zendesk | Customer support | SOC 2, ISO 27001 |
| Auth0 (Okta) | Authentication services | SOC 2, ISO 27001 |
| Anthropic (Claude) | AI services | SOC 2 Type II |
| OpenAI | AI services (limited) | SOC 2 in progress |
AI vendor transparency
We use AI to enhance legal services, but your data privacy is paramount:
- Zero data retention: AI providers don't store your data after processing
- No model training: Your data is never used to train AI models without explicit consent
- No data sharing: Your data is never shared with other customers
- Opt-out available: You can disable all AI features entirely
- Human review: Always available for AI-generated content
AI disclaimer: AI-generated content may contain errors. Always review carefully and consult with a licensed attorney before relying on AI-generated legal information. AI is not a substitute for attorney advice.
Frequently asked questions
Contact us
Questions about security or privacy? We're here to help.
General privacy questions
Data protection officer
Chief information security officer
Email: contact@legali.ai
Role: Security strategy, incident response
Response: 24 hours for security concerns
Security vulnerability reporting
Domestic violence safety
Enterprise sales & partnerships
Customer support
Legal & compliance
Email: contact@legali.ai
Purpose: Subpoenas, legal process
Our commitment
At Legali, security and privacy aren't afterthoughts—they're foundational principles guiding every decision. When you trust us with your legal matters, you're sharing some of the most sensitive information in your life.
Highest security standards
Maintain SOC 2, GDPR, CCPA, HIPAA-grade security standards
Transparency
Be transparent about our practices and any incidents
Data control
Give you complete control over your data
Continuous improvement
Continuously improve our security posture
Dignity and respect
Treat your information with dignity and respect
No data selling
Never sell or inappropriately share your personal information
Access to justice
Support your access to justice while protecting your privacy
We're here for you. If you have questions, concerns, or feedback about our security and privacy practices, please reach out.