Controls built for legal practice.
AES-256 encryption at rest, TLS 1.2+ in transit, MFA enforced for every user, role-based access scoped to your organisation, and a full audit trail on every action.

Encryption controls.
Every layer of the stack encrypted — keys managed by AWS KMS, never stored in code.
AES-256 at rest
Database and document storage encrypted using AES-256 with keys managed by AWS KMS. No plaintext data at rest.
TLS 1.2+ in transit
All traffic between clients and LegalScout servers encrypted with TLS 1.2 minimum. HSTS enforced to prevent protocol downgrade attacks.
AWS Secrets Manager
API keys, database credentials, and other secrets stored in AWS Secrets Manager — never hardcoded in configuration files or environment variables.
Identity & access.
Auth0-backed identity with MFA mandatory for every user.
MFA enforced via Auth0
Multi-factor authentication is mandatory for all users. LegalScout holds no password hashes.
Role-based access control
Users are scoped to their organisation. Permissions enforced at the API layer. No user can access another firm's data.
httpOnly session tokens
Authentication tokens stored in httpOnly cookies — inaccessible to JavaScript and immune to XSS-based token theft.
JWKS-based token validation
Session validation uses JSON Web Key Sets — stateless, performant, and eliminates the attack surface of a centralised session store.
Audit & monitoring.
Full tamper-evident audit trail across every user action.
Structured audit logging
Every auth event, document access, AI query, and admin action written to a tamper-evident audit_logs table in structured JSON. PII is never logged.
Input validation at all layers
All API inputs validated with Pydantic (backend) and Zod (frontend). Malformed inputs rejected before they reach business logic.
SAST in CI pipeline
Bandit (Python) and ESLint security plugin run on every pull request. Dependency vulnerabilities scanned weekly.
Compliance frameworks.
LegalScout targets a set of internationally recognised frameworks that reflect both information security best practice and the unique requirements of AI systems in professional services. ISO 42001 is particularly significant: it is the first international standard specifically governing AI management systems — addressing accountability, transparency, and risk management for AI in high-stakes environments like legal practice.
- ISO/IEC 27001:2022 — Information security management, controls mapped and gap analysis in progress
- ISO/IEC 42001:2023 — AI management system standard, governance for responsible AI in legal contexts
- ISO/IEC 27035:2023 — Security incident management, defined response plan and escalation procedures
- IRAP — Information Security Registered Assessors Program, targeted for government-adjacent legal work
Ready to level the playing field?
See LegalScout on your own contracts in a 20-minute live walkthrough. No pressure. No procurement deck.
Australian owned · Hosted in AWS Sydney · 24/7 support

