Trust & Compliance

Security at LexBridge

Legal data demands the highest standards of protection. Here's exactly how we safeguard your firm's information.

Encrypted at Rest: AES-256

Encrypted in Transit: TLS 1.2+

Data Residency: UAE-First

Two-Factor Auth: TOTP / App

Infrastructure Security

AWS UAE Region

Primary data hosted in AWS me-central-1 (UAE), keeping your data in-country.

Multi-AZ Redundancy

Database and application servers span multiple availability zones for high availability.

Encrypted Storage

All data at rest is encrypted with AES-256. Database backups are encrypted separately.

TLS Everywhere

All data in transit uses TLS 1.2 or higher. HTTP is redirected to HTTPS automatically.

Automated Backups

Database point-in-time backups retained for 30 days. Full snapshots taken daily.

DDoS Protection

AWS Shield Standard protection on all public-facing infrastructure.

Access Control

Role-Based Access Control (RBAC)

Every user in LexBridge is assigned a role that determines exactly what they can see and do. Roles include:

Firm Admin, Senior Lawyer, Lawyer, Paralegal, Secretary, Accountant, Client (Portal)

Two-Factor Authentication

TOTP-based 2FA available for all users. Firm admins can mandate 2FA for all staff accounts.

Multi-Tenancy Isolation

Strict tenant isolation at the database level. No firm can access another firm's data; this is enforced by global Eloquent scopes.
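To make the "global Eloquent scopes" statement concrete, here is an added example of the pattern in Laravel. It is not LexBridge's code: the FirmScope class, the Matter model and the firm_id column are assumptions chosen to illustrate how a global scope pins every query to the signed-in user's firm.

```php
<?php
// Added illustration of tenant isolation via a Laravel global scope.
// Not LexBridge's code: FirmScope, the Matter model and the firm_id column
// are assumptions used to show the pattern the page describes.

namespace App\Models\Scopes {

    use Illuminate\Database\Eloquent\Builder;
    use Illuminate\Database\Eloquent\Model;
    use Illuminate\Database\Eloquent\Scope;

    class FirmScope implements Scope
    {
        // Applied to every query the model builds: find(), where(), paginate(), ...
        public function apply(Builder $builder, Model $model): void
        {
            $user = auth()->user();

            // No authenticated user (console job, misconfigured test): return
            // no rows rather than every firm's rows. Fail closed.
            if ($user === null) {
                $builder->whereRaw('1 = 0');
                return;
            }

            // Qualify the column so joins with other tenant tables stay unambiguous.
            $builder->where($model->qualifyColumn('firm_id'), $user->firm_id);
        }
    }
}

namespace App\Models {

    use App\Models\Scopes\FirmScope;
    use Illuminate\Database\Eloquent\Model;

    class Matter extends Model
    {
        // firm_id is deliberately absent from $fillable so it cannot be
        // mass-assigned from a request body.
        protected $fillable = ['title', 'status'];

        protected static function booted(): void
        {
            static::addGlobalScope(new FirmScope);

            // Stamp firm_id server-side on insert so the record always
            // belongs to the firm of the user who created it.
            static::creating(function (Matter $matter) {
                $matter->firm_id = auth()->user()->firm_id;
            });
        }
    }
}
```

With this in place, `Matter::find($id)` for a record owned by another firm returns null, and route-model binding turns that into a 404 rather than a data leak. The check a reviewer wants is on the escape hatch: every call to `withoutGlobalScope(FirmScope::class)` or `withoutGlobalScopes()` bypasses the isolation, so those calls should be rare, deliberate and covered by a test that asserts cross-firm rows are not returned.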

Session Management

Sessions expire after inactivity. All sessions are invalidated on password change or logout.

Login Audit Log

Every login attempt is logged with IP address, device, and timestamp. Available to firm admins.

Application Security

CSRF Protection

All forms include CSRF tokens. Cross-Site Request Forgery attacks are blocked at the framework level.

SQL Injection Prevention

All database queries use parameterised statements via Laravel's Eloquent ORM. Raw queries are never used with user input.

XSS Prevention

All user-generated content is escaped on output. Content Security Policy headers restrict inline script execution.

Input Validation

All API endpoints and form submissions are validated and sanitised before processing.

Rate Limiting

Login endpoints are rate-limited to prevent brute-force attacks. API endpoints include request throttling.

Secure File Handling

Uploaded documents are scanned and stored with randomised names. Direct public access URLs are not exposed.
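As an added example of the upload and download flow described above (not LexBridge's code), the following Laravel controller stores files under a random name on a disk without public URLs and streams them back only after an authorisation check. The DocumentController, the Document model, the `private` disk name and the `view` policy ability are assumptions; the malware scanning step the page mentions is outside this snippet.

```php
<?php
// Added illustration of the upload/download pattern described on the page.
// Not LexBridge's code: the DocumentController, Document model, 'private'
// disk and 'view' policy ability are assumptions used for the example.

namespace App\Http\Controllers;

use App\Models\Document;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class DocumentController extends Controller
{
    public function store(Request $request)
    {
        // Allow-list type and size before the file touches the disk.
        $request->validate([
            'document' => ['required', 'file', 'mimes:pdf,docx', 'max:20480'],
        ]);

        $upload = $request->file('document');

        // store() writes the file under a random hashed filename on a disk
        // with no public URL, so the client-supplied name never becomes a path.
        $path = $upload->store('documents', 'private');

        $document = Document::create([
            'path'          => $path,
            'original_name' => $upload->getClientOriginalName(),
        ]);

        return response()->json(['id' => $document->id], 201);
    }

    public function download(Document $document)
    {
        // Authorisation runs on every request; the app streams the bytes
        // itself, so there is no direct, guessable storage URL to expose.
        $this->authorize('view', $document);

        return Storage::disk('private')->download(
            $document->path,
            $document->original_name
        );
    }
}
```

The original filename is kept only as display metadata and is never used to build a storage path. If the Document model carries a tenant global scope like the one discussed under Multi-Tenancy Isolation, route-model binding in `download()` already filters by firm before the policy check runs, which gives two independent layers of access control.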

Compliance & Frameworks

UAE PDPL

Personal Data Protection Law compliance for mainland UAE operations

DIFC DP Law 2020

Full alignment with DIFC Data Protection Law for DIFC-registered firms

ADGM DPR

ADGM Data Protection Regulations compliance for ADGM entities

GDPR-Ready

GDPR-compatible controls for EU data subjects and EU-facing firms

OWASP Top 10

Development practices follow OWASP Top 10 security standards

AWS Well-Architected

Infrastructure reviewed against AWS Well-Architected Framework

Incident Response

1. Detection

Automated monitoring alerts our team to anomalous activity within minutes.

2. Containment

Affected systems are isolated. Impacted accounts are notified and secured.

3. Notification

Affected firms are notified within 72 hours. Regulatory notification within legal timeframes.

4. Resolution

Root cause identified, patched, and documented in a post-incident report.

5. Review

Blameless post-mortem conducted. Controls improved to prevent recurrence.

Found a Security Issue?

We take vulnerability reports seriously and operate a responsible disclosure programme. If you discover a security issue, please email us before public disclosure. We will acknowledge your report within 48 hours and work to resolve it promptly.

security@lexbridge.io