Compliance Overview

Our security posture, framework alignment, and roadmap — written honestly for law firms evaluating LegalsOne.

Effective Date: February 23, 2026

Honest compliance disclosure: LegalsOne is an early-stage platform. We are committed to transparency about what we have implemented, what we have not yet certified, and what our roadmap looks like. We do not make compliance claims we have not earned.

Our Security Posture

LegalsOne is built with security-first architecture from the ground up. Our foundational design decisions reflect enterprise security best practices:

  • Single-tenant architecture: Each law firm has a dedicated, isolated AWS environment. No shared databases or storage across firms.
  • Encryption everywhere: TLS 1.2+ in transit; AES-256 at rest via AWS SSE-KMS, with a separate KMS key per firm rather than a shared service key.
  • Identity and access management: Role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege for all staff access.
  • Audit logging: Immutable audit logs of all user actions, access events, and administrative changes.
  • Network isolation: VPC isolation per tenant, WAF, DDoS protection, NetBird VPN for LegalsOne staff access.
  • Nightly encrypted backups: Cross-region redundancy with 30–90 day retention depending on plan.

For full technical detail, see our Security Controls page and Security Overview.
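As an added illustration (this is not LegalsOne's configuration, which this page does not publish), the following Python checks that an S3 bucket policy and default-encryption setting actually enforce two of the controls listed above: TLS-only access in transit and SSE-KMS with a firm-specific key at rest. The bucket name, account ID, key ARN and both policies are constructed placeholders in the shape `aws s3api get-bucket-policy` and `get-bucket-encryption` return, so the check runs offline; pointing it at real output is a one-line change.

```python
"""Offline check that an S3 bucket policy and default-encryption configuration
enforce TLS-only access and SSE-KMS with a firm-specific key.
Added example, not LegalsOne code; all names and ARNs below are constructed."""
import json

BUCKET = "firm-acme-documents"                      # hypothetical tenant bucket
FIRM_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
                "11111111-2222-3333-4444-555555555555")  # hypothetical per-firm key

# Constructed policy: one Deny per property we want to verify.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # in transit: refuse any request that did not arrive over TLS
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # at rest: refuse uploads that select anything other than SSE-KMS
            # (the Deny also fires when the header is absent, so clients must
            # state the encryption explicitly)
            "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # at rest: refuse uploads that select a key other than this firm's
            "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption-aws-kms-key-id": FIRM_KEY_ARN}},
        },
    ],
}
GOOD_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": FIRM_KEY_ARN},
    "BucketKeyEnabled": True}]}}

# Constructed weak configuration: TLS is enforced, but at rest the bucket uses
# SSE-S3 ("AES256"), i.e. AES-256 under an AWS-managed key shared across S3,
# and nothing stops a client from uploading with some other key.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [GOOD_POLICY["Statement"][0]]}
WEAK_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _has_deny(policy, action, operator, key, value):
    """True if some Deny statement covers `action` and carries condition
    `operator: {key: value}` (condition keys are case-insensitive in IAM)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if action.lower() not in actions and not actions & {"s3:*", "*"}:
            continue
        for op, pairs in stmt.get("Condition", {}).items():
            if op.lower() != operator.lower():
                continue
            for k, v in pairs.items():
                values = {str(x).lower() for x in _as_list(v)}
                if k.lower() == key.lower() and value.lower() in values:
                    return True
    return False


def check_bucket(policy, encryption, key_arn):
    """Return {control: passed} for the in-transit and at-rest controls."""
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules") or [{}]
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    return {
        "tls_only": _has_deny(policy, "s3:*", "Bool", "aws:SecureTransport", "false"),
        "sse_kms_required": _has_deny(policy, "s3:PutObject", "StringNotEquals",
                                      "s3:x-amz-server-side-encryption", "aws:kms"),
        "firm_key_required": _has_deny(policy, "s3:PutObject", "StringNotEquals",
                                       "s3:x-amz-server-side-encryption-aws-kms-key-id",
                                       key_arn),
        "default_encryption_firm_key": (default.get("SSEAlgorithm") == "aws:kms"
                                        and default.get("KMSMasterKeyID") == key_arn),
    }


if __name__ == "__main__":
    print("good:", json.dumps(check_bucket(GOOD_POLICY, GOOD_ENCRYPTION, FIRM_KEY_ARN)))
    print("weak:", json.dumps(check_bucket(WEAK_POLICY, WEAK_ENCRYPTION, FIRM_KEY_ARN)))
```

The weak configuration is the one to keep in mind when reading a vendor's "AES-256 at rest" claim: SSE-S3 is AES-256 too, but under a key S3 manages for everyone, so the claim of a firm-specific key is only verifiable from the KMS key ARN in the default-encryption rule plus a policy that refuses uploads under any other key. Default encryption alone is not enough, because a client that explicitly requests SSE-S3 or a different KMS key overrides the default.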

NIST & CIS Framework Alignment

LegalsOne's security program is designed with reference to two widely recognized industry frameworks:

  • NIST Cybersecurity Framework (CSF): Our controls map to the NIST CSF functions (Identify, Protect, Detect, Respond and Recover, with Govern added in CSF 2.0) at an implementation tier appropriate for a company of our size.
  • CIS Controls: We have implemented priority controls from the CIS Critical Security Controls (formerly SANS Top 20), focusing on those most relevant to a cloud-native, single-tenant SaaS environment.

This alignment is self-assessed and not independently audited or certified. We include this to describe our design intent and security program structure.

SOC 2 Status

LegalsOne does not currently hold a SOC 2 report. (SOC 2 is an attestation report issued by a licensed CPA firm, not a certification.) We understand this is a common requirement for enterprise law firm procurement, and we take this seriously.

Our current status:

  • We have implemented the technical controls that would be evaluated in a SOC 2 Type II examination
  • We are building toward a formal SOC 2 Type II examination, currently targeting completion within 18–24 months of our commercial launch. A Type II report covers the operating effectiveness of controls over a defined observation period rather than at a point in time, so the controls must run and produce evidence before the report can be issued
  • We are implementing the operational documentation (policies, procedures, evidence collection) required to support a successful examination

Enterprise customers who require a current SOC 2 report should note our timeline. We are happy to provide our security documentation package (policies, architecture overview, control descriptions) as a substitute pending the examination.

HIPAA

LegalsOne is a legal operations platform, not a healthcare platform. We do not actively market to healthcare-focused law practices or position ourselves as a HIPAA-ready system.

However, we recognize that some law firms handle Protected Health Information (PHI) as part of personal injury, medical malpractice, or healthcare regulatory matters. For such firms:

  • LegalsOne's single-tenant architecture, encryption standards, access controls, and audit logging are consistent with the technical safeguards of the HIPAA Security Rule (45 CFR 164.312)
  • We can execute a Business Associate Agreement (BAA) upon request from Enterprise-tier customers who require one
  • Firms handling PHI remain responsible for their own HIPAA compliance program; LegalsOne does not certify HIPAA compliance

Enterprise customers requiring a BAA should contact legal@legalsone.com.

GDPR & International Data Protection

LegalsOne primarily serves US-based law firms. However, we process data as a data processor on behalf of our customers, and some firm data may involve EU/EEA data subjects.

  • Our Data Processing Agreement reflects GDPR processor obligations
  • We support Standard Contractual Clauses (SCCs) for international data transfers where required
  • We maintain a subprocessor list and provide 14-day advance notice of subprocessor changes
  • We assist firms, as data controllers, in responding to data subject rights requests within the GDPR timeframes (one month, extendable in limited cases)

Attorney Ethics & Bar Rules

Technology competence is increasingly recognized as an obligation under ABA Model Rule 1.1 (Competence), in particular Comment 8 on the benefits and risks of relevant technology, and its state equivalents. LegalsOne is designed to support, not substitute for, a law firm's own technology risk assessment and duty of competence.

We recommend that firms conduct their own technology due diligence when selecting any vendor, including evaluation of our security documentation. We are transparent about both our capabilities and our limitations.

See our Professional Disclaimer for more on LegalsOne's relationship to legal practice.

Certifications & Compliance Roadmap

  • Currently implemented: NIST/CIS-aligned controls, GDPR-ready DPA, encryption at rest and in transit, single-tenant isolation, RBAC + MFA, audit logging, nightly backups
  • In progress: SOC 2 Type II readiness program, formal penetration testing schedule
  • Planned: SOC 2 Type II examination (within 18–24 months of commercial launch), published penetration test summary (annually)

Contact

Security and compliance inquiries: security@legalsone.com