Incident Response & Breach Notification Policy

How LegalsOne detects, responds to, and communicates security incidents. This policy applies to all customer environments and LegalsOne's internal systems.

Effective Date: February 23, 2026

1. Scope

This policy covers security incidents involving the LegalsOne platform, including unauthorized access to customer environments, exposure of personal data, and system compromise. It describes LegalsOne's internal incident response process and its obligations to notify customers of confirmed data breaches.

As data controller, each subscribing law firm is responsible for its own breach notification obligations to data subjects, state attorneys general, and other regulatory bodies under applicable law (e.g., GDPR, CCPA, state breach notification laws). LegalsOne will provide timely information to support the firm's compliance with those obligations.

2. Detection & Triage

LegalsOne detects potential security incidents through:

  • Infrastructure monitoring: AWS CloudWatch alerts on anomalous system activity, resource spikes, or access patterns;
  • Audit log review: Automated anomaly detection on login events, failed authentication attempts, and unusual data access patterns;
  • Vulnerability disclosure reports: Responsible disclosures submitted via our Vulnerability Disclosure Policy;
  • Customer reports: Incidents reported directly by firm administrators via security@legalsone.com;
  • Third-party threat intelligence: Alerts from AWS security services and relevant ISACs.

Upon detection of a potential incident, the LegalsOne operations team initiates a triage process to determine whether the event represents an actual security incident or a false positive. Initial triage is completed within 4 hours of detection during business hours, and on a best-effort basis outside business hours for critical events.

3. Incident Classification

Severity | Description                                                                                              | Response Time
Critical | Active breach, exfiltration of customer data, ransomware, or complete service unavailability             | Immediate escalation; all hands
High     | Unauthorized access with limited scope; major feature unavailability; significant vulnerability confirmed  | Within 2 hours of confirmation
Medium   | Suspected unauthorized access (unconfirmed); minor feature impairment; potential vulnerability not yet confirmed | Within same business day
Low      | Minor anomaly, informational alert, no customer data exposure                                            | Within 3 business days

4. Response Process

LegalsOne's incident response follows these phases:

  1. Identification: Alert received, triage initiated, incident confirmed or ruled out.
  2. Containment: Immediate steps to limit the scope and impact of the incident. May include isolating affected systems, revoking compromised credentials, or blocking malicious network traffic.
  3. Eradication: Remove the root cause (e.g., patch a vulnerability, remove malware, remove unauthorized access).
  4. Recovery: Restore affected systems to normal operation using clean backups or rebuilds. Validate integrity before returning systems to production.
  5. Notification: Notify affected customers per Section 5 of this policy.
  6. Post-Incident Review: Conduct a root cause analysis and implement remediation measures to prevent recurrence.

5. Notification to Customers

In the event of a confirmed Security Incident that involves unauthorized access to or disclosure of Customer Content or personal data, LegalsOne will:

  • Notify the affected firm's primary administrator by email within 72 hours of confirming that a Security Incident has occurred;
  • Provide initial notification with all known information at the time, including the nature of the incident, estimated scope, and immediate containment steps taken;
  • Provide supplemental notifications as additional information becomes available;
  • Designate a primary point of contact for the affected firm during the incident response period.

Notification will include, to the extent then known or determinable:

  • A description of the nature of the incident
  • The categories of personal data affected
  • The approximate number of data subjects affected (if determinable)
  • The likely consequences of the incident
  • Measures taken or proposed to address the incident and mitigate harm

Where LegalsOne cannot determine with certainty whether a Customer's data was affected, LegalsOne will err on the side of notification.

6. Customer Obligations

Law firm customers bear independent obligations to notify affected data subjects, regulatory authorities, and third parties under applicable state and federal law. LegalsOne's notification to the firm does not constitute a determination that regulatory notification is required; that determination rests with the firm and its counsel.

Customers are encouraged to have a breach response plan in place that includes a designated contact for receiving LegalsOne's notifications and a process for escalating to firm leadership and legal counsel.

7. Post-Incident Review

Following resolution of every Critical or High severity incident, LegalsOne conducts an internal post-incident review ("postmortem") within 14 days. The postmortem identifies the root cause, timeline, contributing factors, and remediation actions. A summary of findings (appropriately scoped to avoid security disclosures) will be made available to affected customers upon request.

8. Reporting an Incident

To report a suspected security incident involving your firm's environment:

To report a security vulnerability, see our Vulnerability Disclosure Policy.