Security

Last updated: June 27, 2026

MyLawyerLink is built for law firms that need to protect client confidentiality and demonstrate responsible handling of matter data. This page summarizes our security practices for vendor diligence. For privacy rights and data use, see our Privacy Policy.

1. Overview

We design and operate the Service with controls aligned to the SOC 2 Trust Services Criteria (security, availability, and confidentiality). We are SOC 2 aligned, not SOC 2 certified. We have not completed a third-party SOC 2 Type I or Type II audit and do not publish an attestation report at this time.

Security measures include encrypted connections, role-based access, team-scoped data, comprehensive audit logging, and documented subprocessors for AI and communications features.

2. Infrastructure

The Service runs on managed cloud infrastructure operated by established providers. Primary components include:

  • Vercel — Application hosting, serverless compute, and object storage (Vercel Blob) for firm documents and call recordings
  • Neon — PostgreSQL database for application and audit data
  • Stripe — Subscription billing and payment processing (card data is handled by Stripe, not stored on our servers)

Production data is hosted in the United States through these providers. Firms that enable integrations (for example Twilio, DocuSeal, or Dropbox) may send additional data to those vendors under the firm's configuration.

3. Encryption

In transit: All connections to MyLawyerLink use TLS (HTTPS). API, web, and portal traffic is encrypted between your browser or app and our servers.

At rest: Data stored in Neon, Vercel Blob, and other infrastructure providers is encrypted at rest using those providers' platform encryption. Passwords are not stored in plaintext.

Not end-to-end encryption: MyLawyerLink is a cloud practice-management platform, not a client-side E2EE messaging product. Authorized firm users and subprocessors (described below) can access data according to permissions, product features, and our agreements with those vendors.

4. Authentication and sessions

  • Passwords are hashed with Argon2 before storage; we do not store plaintext passwords
  • Authenticated sessions use cryptographically random tokens stored server-side; the session identifier carried in the cookie is stored in hashed form
  • Session cookies are set HttpOnly so page scripts cannot read them, reducing exposure to cross-site scripting
  • Sessions expire and are renewed according to our session policy

The client portal uses a separate authentication path from firm staff accounts. API keys for automation are scoped and auditable.

5. Access control

  • Team scoping: Cases, clients, documents, and billing data are tied to a firm team; queries enforce team boundaries
  • Role-based permissions: Team roles control which actions members can perform (view, create, update, delete) across modules
  • Resource checks: API routes verify team membership and case/client access before returning or modifying data
  • Client portal: Portal users access only the matters and documents their firm has exposed to them

6. Audit logging

We record security-sensitive and compliance-relevant actions in an AuditLog store, including authentication events, client and case changes, document access, billing operations, calendar feed access, and AI assistant usage. Each entry typically includes timestamp, user, action, entity, IP address, user agent, and success or failure status.
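As an added example covering the access-control model in section 5 and the audit entries in section 6 (illustrative code, not the Service's own): a resource check of the kind an API route would run before reading or modifying a case, with the team id folded into every query, a small role-to-permission table, and an audit entry written for every allow or deny decision. The role names, the sample teams and cases, and the exact entry fields are constructed for illustration.

```javascript
// Added example, not MyLawyerLink's code. Shows team-scoped queries, role-based
// permission checks, and audit logging of both successful and failed access.
// Roles, sample data and field names are assumptions.
const ROLE_PERMISSIONS = {
  owner:  new Set(['view', 'create', 'update', 'delete']),
  member: new Set(['view', 'create', 'update']),
  viewer: new Set(['view']),
};

// Constructed sample data: two firms (teams), each with one case.
const memberships = [
  { userId: 'u-alice', teamId: 'team-A', role: 'owner' },
  { userId: 'u-bob',   teamId: 'team-B', role: 'viewer' },
];
const cases = [
  { id: 'case-1', teamId: 'team-A', title: 'Estate of Doe' },
  { id: 'case-2', teamId: 'team-B', title: 'Acme lease dispute' },
];

// Append-only audit trail; one entry per decision, success or failure.
const auditLog = [];

function recordAudit({ userId, action, entityType, entityId, ip, userAgent, success, reason }) {
  const entry = {
    timestamp: new Date().toISOString(),
    userId, action, entityType, entityId, ip, userAgent, success,
    reason: reason ?? null,
  };
  auditLog.push(entry);
  return entry;
}

// Team-scoped query: teamId is always part of the predicate, so guessing another
// firm's case id returns nothing rather than another firm's row.
function findCase(caseId, teamId) {
  return cases.find((c) => c.id === caseId && c.teamId === teamId) ?? null;
}

// Resource check an API route runs before touching a case.
// Order: team membership -> role permits the action -> row exists within that team.
function authorizeCaseAction(req) {
  const { userId, teamId, action, caseId, ip, userAgent } = req;
  const base = { userId, action, entityType: 'case', entityId: caseId, ip, userAgent };

  const membership = memberships.find((m) => m.userId === userId && m.teamId === teamId);
  if (!membership) {
    recordAudit({ ...base, success: false, reason: 'not a member of team' });
    return { allowed: false, status: 403, case: null };
  }
  if (!ROLE_PERMISSIONS[membership.role]?.has(action)) {
    recordAudit({ ...base, success: false, reason: `role ${membership.role} lacks ${action}` });
    return { allowed: false, status: 403, case: null };
  }
  const found = findCase(caseId, teamId);
  if (!found) {
    // 404 rather than 403 so the response does not reveal that the id exists elsewhere.
    recordAudit({ ...base, success: false, reason: 'case not found in team' });
    return { allowed: false, status: 404, case: null };
  }
  recordAudit({ ...base, success: true });
  return { allowed: true, status: 200, case: found };
}
```

Checking membership before the row lookup, and scoping the lookup by team, means a caller can never learn about or modify data outside their firm; logging the denials as well as the successes is what makes an access review or incident investigation possible afterwards.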

Authorized firm users can review audit history in the application. For a broader discussion of secure communication and logging, see our blog article Secure Communication with Clients.

7. AI-assisted features and subprocessors

Features such as Redwell (AI assistant), attachment text extraction, call and audio transcription, and AI-generated summaries send content to third-party subprocessors. Production large-language-model traffic is routed through the Vercel AI Gateway with team-wide Zero Data Retention (ZDR) on supported routes. Speech-to-text uses AssemblyAI, which is not on the ZDR gateway path.

Full detail on what is sent, which models are used, retention, and firm responsibilities is in our Privacy Policy (Section 6, "AI-Assisted Features"). Firms should not submit data they are not authorized to share with these vendors.

8. Subprocessors

We use the following categories of subprocessors to operate the Service. Vendor security documentation is published by each provider:

Provider — Purpose — Security information

  • Vercel — Hosting, Blob storage, AI Gateway — vercel.com/security
  • Neon — PostgreSQL database — neon.com/security
  • Stripe — Payments and subscriptions — stripe.com/privacy-center/legal
  • Twilio — Voice, SMS, and related communications (when enabled) — twilio.com/security
  • Resend — Transactional email delivery — resend.com/security
  • OpenAI (via Vercel AI Gateway) — Redwell chat, extraction, and related LLM features on ZDR routes — openai.com/security
  • Google (via Vercel AI Gateway) — Image generation features (for example profile pictures) — cloud.google.com/security
  • AssemblyAI — Speech-to-text for calls, voicemails, and audio documents — assemblyai.com/security
  • DocuSeal — E-signature (when a firm connects DocuSeal) — docuseal.com/security

Additional analytics, monitoring, or integration vendors may process limited operational data. We do not sell personal information. See the Privacy Policy for legal disclosure categories.

9. Compliance posture

  • SOC 2: Controls are designed to align with SOC 2 criteria; we are not currently SOC 2 certified
  • HIPAA: We do not offer a Business Associate Agreement (BAA) by default. If your firm is subject to HIPAA, you are responsible for determining whether your use of AI-assisted or communication features is consistent with your obligations
  • Attorney-client privilege: Technology supports confidentiality; firms remain responsible for ethics rules, client notice, and workflow choices

10. Incident response

We maintain internal procedures to investigate security and AI-related incidents, preserve evidence (including audit logs and message history where applicable), and coordinate with affected firms. If you believe there is an unauthorized access issue or a security incident involving your account, contact us immediately using the information below.

11. Data Processing Agreements and security inquiries

Law firms evaluating MyLawyerLink may request a Data Processing Agreement (DPA) or complete a vendor security questionnaire. Email us and include your firm name and the document or questionnaire you need:

For general product or billing questions, visit Contact us.

12. Related documents