Security Policy

LawyerDesk Advocacy Pvt Ltd

Last Updated: January 2025

Version: 1.0

1. Security Overview and Commitment

1.1 Our Commitment to Security

LawyerDesk Advocacy Pvt Ltd is committed to maintaining the highest standards of information security to protect the confidential and sensitive data of our clients, partners, and stakeholders. As a legal technology platform handling privileged attorney-client communications, case files, financial data, and personally identifiable information (PII), we recognize our responsibility to implement robust security measures that meet and exceed industry standards.

1.2 Security Philosophy

Our security approach is built on the principles of:

  • Defense in Depth: Multiple layers of security controls to protect data
  • Zero Trust Architecture: Never trust, always verify access requests
  • Least Privilege Access: Users and systems have only the minimum necessary permissions
  • Privacy by Design: Security and privacy integrated from the ground up
  • Continuous Improvement: Regular assessment and enhancement of security measures
  • Transparency: Clear communication about our security practices

2. Data Encryption

2.1 Encryption at Rest

All sensitive data stored within LawyerDesk systems is encrypted using industry-standard encryption algorithms:

Database Encryption

  • Algorithm: AES-256 (Advanced Encryption Standard with 256-bit keys)
  • Implementation: Transparent Data Encryption (TDE) for all production databases
  • Key Management: AWS KMS (Key Management Service) or equivalent HSM
  • Scope: All customer data, case files, documents, communications, and PII

File Storage Encryption

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Implementation: Server-side encryption for all object storage
  • Encryption Keys: Unique per-customer keys with automatic rotation every 90 days

2.2 Encryption in Transit

All data transmitted between clients and LawyerDesk systems is encrypted:

Transport Layer Security (TLS)

  • Minimum Version: TLS 1.3 (TLS 1.2 supported for legacy systems with approved exception)
  • Cipher Suites: Only strong cipher suites with Perfect Forward Secrecy (PFS)
  • Certificate Management: 2048-bit RSA or 256-bit ECDSA certificates from trusted CAs
  • HSTS: HTTP Strict Transport Security enabled with 1-year max-age

2.3 Key Management

  • Cryptographic keys generated using FIPS 140-2 validated modules
  • Keys stored in hardware security modules (HSMs) or cloud-based KMS
  • Key rotation performed automatically every 90 days for data encryption keys
  • All key access logged and monitored
  • Separation of duties enforced (no single individual has complete key access)

3. Access Controls and Authentication

3.1 User Authentication

Multi-Factor Authentication (MFA)

  • ✓ Required for all user accounts
  • ✓ TOTP, hardware tokens, biometric support
  • ✓ Mandatory for admin accounts
  • ✓ Required for production access

Password Policy

  • ✓ Minimum 12 characters
  • ✓ Complexity requirements enforced
  • ✓ 90-day expiration for standard users
  • ✓ Account lockout after 5 failed attempts

3.2 Authorization and Access Control

We implement Role-Based Access Control (RBAC) with:

  • Granular role definitions based on job functions
  • Predefined roles: Administrator, Legal Professional, Case Manager, Support Staff, Auditor, Read-Only
  • Principle of least privilege enforced across all roles
  • Quarterly access reviews for all user accounts
  • Automated deprovisioning of inactive accounts after 60 days

4. Infrastructure Security

4.1 Cloud Infrastructure Security

Cloud Service Provider

Primary: AWS (Amazon Web Services) with SOC 2, ISO 27001, and FedRAMP certifications

  • ✓ Multi-region deployment for high availability
  • ✓ Dedicated Virtual Private Cloud (VPC)
  • ✓ Cloud Security Posture Management (CSPM)
  • ✓ Infrastructure as Code (IaC) with security scanning

4.2 Network Security

  • Network Segmentation: Production, staging, and development environments logically separated
  • Firewall Rules: Default deny-all policy with explicit allow rules
  • Web Application Firewall (WAF): Protection for all public-facing applications
  • Intrusion Detection/Prevention: Network and host-based IDS/IPS systems

4.3 Monitoring and Logging

Security Information and Event Management (SIEM)

  • ✓ Centralized log aggregation and correlation
  • ✓ Real-time security event monitoring and alerting
  • ✓ Log retention: 1 year online, 7 years archived
  • ✓ 24/7 security operations center (SOC) monitoring

5. Application Security Practices

5.1 Secure Development Lifecycle (SDL)

  • Security by Design: Threat modeling for all new features
  • Secure Coding: OWASP Top 10 mitigation requirements
  • Code Review: Mandatory peer review for all changes

5.2 Application Security Testing

  • SAST: Automated static application security testing on every code commit
  • DAST: Dynamic application security testing of staging before production
  • SCA: Software composition analysis for third-party dependencies
  • Penetration Testing: Quarterly testing by third-party security firms

6. Incident Response Procedures

6.1 Incident Response Team

Contact Information

  • Security Incident Hotline: +91 6262 8686 00 (24/7)
  • Email: security-incident (at) lawyerdesk.ai

6.2 Incident Classification

  • Critical (P1): Active data breach, ransomware, complete service outage. Response Time: Immediate (15 minutes)
  • High (P2): Suspected data breach, critical vulnerability exploitation. Response Time: 1 hour
  • Medium (P3): Unsuccessful attack attempt, security control failure. Response Time: 4 hours

7. Compliance Certifications

  • ISO 27001:2013 (Information Security Management System). Status: Pending (Target Q2 2025)
  • SOC 2 Type II (Service Organization Control). Status: Pending (Target Q3 2025)
  • GDPR Compliance (General Data Protection Regulation). Status: Compliant
  • NIST CSF (Cybersecurity Framework). Status: Aligned

8. Contact Information

Security Contact

For Security Vulnerabilities:

  • Email: security (at) lawyerdesk.ai
  • Response Time: Acknowledgment within 24 hours

For Security Incidents:

  • 24/7 Hotline: +91 6262 8686 00
  • Email: security-incident (at) lawyerdesk.ai

For Privacy Concerns:

  • Email: privacy (at) lawyerdesk.ai
  • Data Protection Officer: dpo (at) lawyerdesk.ai

Security is Our Top Priority

We continuously invest in security measures to protect your data and maintain the trust you place in LawyerDesk. Our security program is regularly audited and updated to address emerging threats and comply with evolving regulations.

For the most current version of this policy, please visit our website or contact our security team.

© 2025 LawyerDesk Advocacy Pvt Ltd. All rights reserved.
