Where we stand on compliance
Last updated: May 14, 2026
This page documents the regulatory frameworks we currently operate under, the third-party attestations we rely on, and our roadmap for additional audits. We aim for straightforward honesty over marketing claims — every "Live" item is in production today.
Status legend: Live = in production today; Planned = on the audit roadmap, not yet in place.
1. Data Protection
GDPR (EU)
[Live] Right of access (Art. 15) and right of erasure (Art. 17) via self-service in-product flows. Lawful basis documented per processing activity.
CCPA / CPRA (California)
[Live] Same data-export and deletion mechanisms satisfy CCPA "right to know" and "right to delete." Do-not-sell honored by default — we do not sell personal data.
PIPEDA (Canada)
[Live] Privacy policy maps consent, access, and correction obligations. Same in-product self-service flows apply.
2. Payment Compliance
PCI DSS
[Live] Card data is captured and tokenized by our PCI DSS Level 1 payment processor. LawLyft systems never see card numbers, CVVs, or full bank account numbers — placing us under the SAQ-A scope (the smallest PCI surface).
3. Legal Industry Standards
LawLyft is a technology platform, not a law firm. We do not provide legal services or advice; we connect clients to independent licensed attorneys. The following standards apply to platform conduct and the lawyers operating within it.
Attorney–Client Privilege
[Live] Client–lawyer communications are scoped to the participating parties; platform staff do not access privileged content as part of normal operations.
State Bar Advertising Rules
[Live] Lawyer profiles are reviewed to align with ABA Model Rules 7.1–7.3 and state-bar advertising requirements. Lawyers self-attest to their licensing status; verification is performed before profile publication.
Conflict of Interest Disclosures
[Live] The booking flow surfaces a conflict-check prompt, and a record of disclosed relationships is retained for the engaging lawyer.
4. Audit Roadmap
We follow a customer-pull approach to third-party attestations rather than pursuing every certification speculatively. If your procurement process requires a specific audit not listed below, contact us — we will work with you to scope the timeline and prioritize accordingly.
SOC 2 Type I
[Planned] Point-in-time independent attestation by a licensed CPA firm covering the Security, Availability, and Confidentiality trust criteria.
Timeline: ~3 month engagement once initiated
SOC 2 Type II
[Planned] Continuous-observation report covering a 6–12 month window. Begins after Type I, once the controls environment has stabilized.
Timeline: ~12 month observation window
ISO/IEC 27001
[Planned] International information security management system certification. Pursued when international (UK/EU) enterprise demand justifies the engagement.
Timeline: 6–12 month implementation + audit
HIPAA Business Associate readiness
[Planned] Only relevant where lawyers handle Protected Health Information (e.g. medical malpractice). BAA available for qualifying customer workspaces on request.
Timeline: engagement-specific
5. Subprocessors
We rely on a small set of subprocessors to operate the platform. Each is bound by a Data Processing Agreement and is selected for an existing strong compliance posture (SOC 2, ISO 27001, PCI DSS, or equivalent, as applicable to their service).
| Category | Purpose | Region |
|---|---|---|
| Cloud hosting | Application runtime, edge network, TLS termination | US (primary), Global edge |
| Managed database | Primary application database with at-rest encryption and backups | US |
| Object storage | Document and file uploads with encrypted-at-rest storage | US |
| Payment processor | Tokenized card capture, payouts, dispute handling | US, Global |
| Transactional email | Account verification, notifications, password resets | US |
| Video conferencing | Optional consultation video calls (via lawyer-hosted Google Meet) | US, Global |
| Analytics & error monitoring | Aggregate usage analytics and error telemetry | US |
Specific vendor identities are disclosed to enterprise customers under NDA. We notify customers of material changes to our subprocessor list.
6. Data Processing Agreements
A Data Processing Agreement (DPA) is available for customers who require one as part of their GDPR, UK GDPR, or CCPA program. Our standard DPA includes:
- Processing scope, duration, and purposes
- Subprocessor flow-down obligations
- Standard Contractual Clauses (SCCs) for international transfers
- Security commitments mirroring our Security page
- Breach notification timelines and process
- Data return and deletion at contract end
To request a DPA, email trust@lawlyft.com with your legal entity and primary contact, and the subject line "DPA Request."
7. Documentation Requests
The following documents are available on request — most under NDA:
- Security overview deck (Public)
- Privacy program summary (Public)
- Standard DPA (with SCC annex) (Public)
- Subprocessor list with vendor identities (Under NDA)
- Penetration test summary, when available (Under NDA)
- Architecture and data-flow diagrams (Under NDA)
- Business continuity & DR overview (Under NDA)
- Vendor security questionnaire (CAIQ / SIG-Lite) (Under NDA)