Security & Privacy
Lawzana Flow is built with security and privacy at its core. This guide covers how your data is protected.
Data Encryption
- In transit: All data is encrypted using TLS 1.3 (HTTPS) between your browser and our servers
- At rest: All stored data is encrypted using AES-256 encryption
- Database: PostgreSQL with encrypted storage and secure connections
- Documents: Stored in Google Cloud Storage with server-side encryption
Data Residency
During onboarding, you choose where your data is stored:
| Region | Location | Compliance |
|---|---|---|
| US | Iowa, United States | US data residency requirements |
| EU | Belgium, Europe | GDPR compliance |
| APAC | Singapore, Asia-Pacific | APAC data residency requirements |
Your primary application data is stored in your selected region. Some AI operations are processed through Google Vertex AI managed infrastructure; contact support if you need confirmation on AI-processing location for your compliance requirements.
AI Data Privacy
Zero Data Retention
All AI operations follow a Zero Data Retention (ZDR) policy:
- Your documents and data are never used to train AI models
- AI processing data is not stored after the response is generated
- No AI provider (Google) retains your data beyond the immediate request
- Your queries, documents, and responses are not logged by the AI provider
How AI Processing Works
1. You request an AI operation (e.g., summarize a document)
2. The document text is sent to Google Vertex AI for processing
3. The AI generates a response
4. The response is returned to Lawzana Flow and saved in your account
5. No data is retained by the AI provider
Authentication & Access
- Email + Password authentication with email verification
- Magic link authentication for client portal (no password required)
- Role-based access control (RBAC) — four permission levels (Owner, Admin, Member, Viewer)
- Ethical walls — Prevent team members from accessing conflicted matters
- Token-based portal access — Secure, expirable links for client portal
Session Security
- Sessions are managed securely using Auth.js
- Session tokens are encrypted and HTTP-only (not accessible to JavaScript)
- Sessions expire after a configurable period of inactivity
Audit Logging
Every significant action is recorded in the audit log:
- User login and logout events
- Document uploads, downloads, and deletions
- Matter creation, modification, and stage changes
- Team member additions and removals
- Setting changes
- Portal access and document sharing
- AI operation requests
Audit logs are:
- Searchable by action type, user, or date
- Exportable for compliance records
- Immutable — entries cannot be modified or deleted
- Available to Owners and Admins in Settings → Audit Logs
Infrastructure Security
- Hosted on Google Cloud Platform with enterprise-grade infrastructure
- DDoS protection via Cloudflare
- Web Application Firewall (WAF) to block common attacks
- Content Security Policy (CSP) headers to prevent XSS attacks
- Regular security updates and dependency patching
- Error monitoring via Sentry (no sensitive data is sent to error tracking)
Data Backup
- Continuous database backups
- Point-in-time recovery capability
- Document storage with redundancy across multiple data centers
Compliance
- GDPR — Full compliance for EU data subjects
- Data processing agreements available on request
- Right to be forgotten / data deletion supported
- Data export available for portability
Responsible Disclosure
If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond promptly.
Contact
For security-related questions:
- Email: [email protected]
- General support: [email protected]