Our Commitment
TheLawThing is built with defense-in-depth security principles. We implement multiple layers of security controls to protect your data and ensure the integrity of our Service.
Security Measures
Encryption
- In Transit: All data transmitted to and from the Service uses TLS 1.2+ encryption
- At Rest: Customer data is encrypted using industry-standard encryption algorithms
- Backups: All backups are encrypted and stored securely
Access Controls
- Multi-factor authentication (MFA) for administrative access
- Single Sign-On (SSO) integration support
- Role-based access controls (RBAC)
- Short-lived credentials and session management
- Least-privilege access principles
Network Security
- Strict network segmentation
- Firewall rules and intrusion detection systems
- DDoS protection and mitigation
- Regular security monitoring and logging
Application Security
- Secure Software Development Lifecycle (SDLC) practices
- Code review and automated security scanning
- Dependency vulnerability scanning
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
Data Isolation
- Logical data isolation between customer tenants
- Customer data is not used to train public AI models
- Configurable data retention policies
Compliance & Certifications
We align our security practices with industry standards including:
- SOC 2 Type II controls (in progress)
- ISO 27001 security management practices
- GDPR and CCPA compliance
- Regular third-party security assessments
- Annual penetration testing
Vendor Risk Management
We carefully vet all third-party service providers and require appropriate security controls and contractual protections. Subprocessors are listed and updated regularly.
Incident Response
We maintain an incident response plan and will notify affected customers without undue delay in the event of a security incident involving their data, in accordance with applicable laws.
Vulnerability Reporting
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to security@TheLawThing.dev.
Please include:
- Steps to reproduce the issue
- Potential impact assessment
- Affected endpoints or components
We will acknowledge receipt within 72 hours and work with you to resolve the issue. We do not pursue legal action against security researchers acting in good faith.
Data Processing Agreements
For customers requiring Data Processing Agreements (DPAs), we provide standard agreements that comply with GDPR and other applicable data protection regulations.