Security at LawLyft

How we protect your data

Last updated: May 14, 2026

LawLyft handles privileged communications between clients and lawyers. Confidentiality, integrity, and availability of that data are core product requirements — not afterthoughts. This page summarizes the technical controls we operate today.

Controls at a Glance

TLS 1.3 in transit

All traffic encrypted with modern TLS, HSTS-enforced. Automatic certificate rotation.

AES-256 at rest

Database and file storage encrypted at rest with managed keys and per-tenant isolation.

Breach-checked passwords

Every password is checked against the Have I Been Pwned breach corpus before acceptance (k-anonymity, password never leaves your browser).

Rate limiting

Per-IP rate limits on login, signup, password reset, data export, and public form endpoints to defeat brute-force and abuse.

Audit logging

Tamper-evident audit log for authentication, privacy events, admin actions, and security-relevant operations.

Role-based access

Strict role separation between client, lawyer, firm admin, corporate, and platform admin. Server-side enforcement on every privileged route.

Email integrity

SPF/DKIM/DMARC aligned. Bounce and complaint events fed back into a suppression list to prevent abuse and protect deliverability.

Probe defense

Public lookup routes validate ID format and rate-limit invalid lookups per IP to defeat enumeration attacks.

1. Transport Security

  • All HTTP traffic served over TLS 1.3 with strong cipher suites; weaker protocols rejected at the edge.
  • HSTS is enforced site-wide, instructing browsers to never downgrade to plain HTTP.
  • TLS certificates are automatically rotated by our edge provider with no manual key handling.
  • Internal service-to-service traffic stays inside a private network and never traverses the public internet in cleartext.

2. Data at Rest

  • The application database is encrypted at rest with AES-256 using keys managed by our cloud database provider.
  • File uploads (documents, intake attachments) are stored in encrypted object storage with signed-URL access control.
  • Backups are encrypted, retained on a rolling window, and tested for restore integrity.
  • Sensitive fields (password hashes, verification artifacts) are isolated from general application logs.

3. Authentication

Password policy

  • Minimum 12 characters, with required character-class diversity
  • Common-password blocklist rejects predictable choices
  • Every password checked against the Have I Been Pwned breach corpus via k-anonymity — only a short hash prefix leaves your browser; the full password is never transmitted
  • Passwords stored as bcrypt hashes with a per-password salt

Session security

  • Stateful login events recorded with device, IP, and start/end timestamps
  • Single-session enforcement — a fresh login revokes prior sessions
  • Sessions revoked on password change, account deletion, or admin-initiated logout
  • Email and phone ownership verified before account activation

4. Access Controls

  • Role-based access control across five distinct roles: client, lawyer, firm admin, corporate, and platform admin.
  • Every privileged API route re-checks the caller's role on the server — UI guards are never the only gate.
  • Firm and corporate workspaces enforce strict tenant isolation: members cannot read or modify data outside their workspace.
  • Internal admin access is limited to a small operations group, gated by a separate ADMIN role and audit-logged.
  • Production database access is restricted to a short list of operators and is not used for routine support — support flows go through the application.

5. Payment Security

  • Payments are processed through a PCI DSS Level 1 payment processor.
  • Card numbers, CVV codes, and full bank account numbers never touch LawLyft servers — they are captured directly by the payment processor's tokenization layer in the browser.
  • LawLyft stores only opaque tokens used to authorize future charges or payouts; the original payment instrument is never recoverable from our database.
  • Payment webhooks are signature-verified on receipt, with strict timestamp-skew protection to defeat replay.
  • Refunds and chargebacks are reconciled against immutable audit log entries.

6. Application Defenses

Rate limiting

Per-IP rate limits are applied on every abuse-prone endpoint, including:

  • Login, signup, password reset, change password
  • Verification code request and verification polling
  • Contact form, newsletter, referral submission
  • AI assistant calls and document analysis
  • Privacy data export and account deletion

Probe defense

Public lookup routes (lawyer profile, availability) validate that requested IDs conform to our identifier format before any database query, and rate-limit invalid lookups per IP. This defeats sequential or random enumeration attempts and reduces wasted database work.

Input validation

  • File uploads are size- and MIME-type-checked, with the actual content sniffed — not trusted from headers alone
  • Storage quotas reserved before upload completes to prevent time-of-check/time-of-use abuse
  • Database queries use parameterized statements via the ORM — no string-interpolated SQL
  • User-generated content is escaped on render to prevent stored cross-site scripting

7. Audit Logging

Security-relevant events are written to a structured audit log indexed by actor, action, target, and timestamp. The log captures, at minimum:

  • Authentication events — login, logout, failed password attempts, password resets
  • Privacy events — data export requests, account deletion requests
  • Admin actions — role changes, suppressions lifted, manual user actions
  • Payment events — checkout, refund, dispute
  • Email integrity events — hard bounce, spam complaint

Logs are retained for a rolling window appropriate to incident investigation and dispute reconciliation. Operators cannot edit historic audit log rows.

8. Email Integrity

  • Outbound email is signed with DKIM, aligned via SPF, and policed by DMARC.
  • Hard bounces and spam complaints are received via signature-verified webhooks and automatically added to a suppression list.
  • The suppression list is consulted before every outbound send — addresses that previously bounced or complained are not retried.
  • Admins can lift a suppression with a documented reason; the lift itself is audit-logged.

9. Data Subject Rights

Users can exercise their privacy rights directly from in-product Settings — no email back-and-forth required:

  • Right of access (GDPR Art. 15 / CCPA): Download a structured JSON export of all data we hold about your account.
  • Right of erasure (GDPR Art. 17): Delete your account in-product. Personal identifiers are removed; data we are legally required to retain (financial records, audit trail) is anonymized.
  • Right to rectification: Edit your profile and contact information at any time.

See our Privacy Policy for the full scope of data handling.

10. Vulnerability Disclosure

Found something?

We welcome reports from the security research community. Email trust@lawlyft.com with reproduction steps and the subject line "Security Disclosure." We'll acknowledge within 2 business days.

Safe harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, or service degradation
  • Only interact with accounts they own or have explicit permission to access
  • Give us reasonable time to remediate before public disclosure
  • Do not exploit findings beyond what is necessary to demonstrate the issue

Out of scope

  • Self-XSS and clickjacking on pages without sensitive state-changing actions
  • Missing security headers without a demonstrable impact
  • Social engineering of LawLyft employees or contractors
  • Denial-of-service attacks or volumetric testing
  • Reports from automated tools without manual validation

11. Security Contact

Security disclosures, compliance, legal: trust@lawlyft.com
Abuse reports: abuse@lawlyft.com
Mail-server contact: postmaster@lawlyft.com

Security is a process, not a product. This page reflects the controls operating today and is updated as our posture evolves.