Trust & Security

    Built on enterprise security standards, from day one.

    LegalInk AI safeguards how India's most trusted firms work with sensitive legal data.

    Trust at a glance

    Encryption

    TLS 1.2+ in transit, AES-256 at rest. All traffic terminates at hardened edge endpoints.

    Authentication

    Email verification, Google OAuth 2.0, role-based access control across team workspaces.

    Hosting

    Supabase enterprise infrastructure (Tokyo region). India (Mumbai) data residency on roadmap.

    Privacy

    DPDP-aligned data practices. Customer drafts and uploads are never used to train AI models.

    Security architecture

    Data handling

    Drafts, uploads, and chat transcripts are stored in isolated tenant rows protected by row-level security policies. Files are processed in-memory for AI generation and are not retained by upstream model providers. We retain only what is required to render your dashboard and history; users can purge any draft at any time.

    Access controls

    Application access is gated by Supabase Auth with email verification, Google OAuth, and password complexity rules. Database access is restricted by RLS — users can only read and write their own rows; team members access only their organization's data via security-definer functions. Administrative access is limited to authorized LegalInk personnel and is logged.

    Audit & monitoring

    Enterprise workspaces maintain an append-only audit log covering 22 action types — logins, logouts, invitations, role changes, draft generation, version saves, letterhead changes, template publishes, plan modifications, and more. Every auth event captures IP address and user agent. Draft version history is preserved indefinitely for manual saves and 30 days for autosaves. Application errors are captured server-side with PII redacted before storage.

    Incident response

    Security incidents are triaged by our security team within 24 hours of discovery. Affected customers receive direct notification with scope, timeline, and remediation. We will publish a written post-mortem for any incident affecting customer data within 7 days.

    Subprocessors

    We publish the full list of third-party service providers we engage to deliver LegalInk AI. Updated with 30 days' notice for Enterprise customers.

    Document Retention

    How long we retain different categories of customer data, and your rights to require earlier deletion. DPDP-aligned, with statutory minimums called out openly.

    Data Rights

    How to exercise your rights under §11, §13, and §14 of the Digital Personal Data Protection Act, 2023. Access, correction, erasure, grievance, nomination.

    Service Level Agreement

    Uptime commitments, response and resolution targets by severity, service credits, and maintenance windows for Enterprise customers.

    Role-Based Access Control

    The four-role hierarchy used in Enterprise workspaces, with a complete capability matrix covering billing, members, content, audit, and personal data rights.

    Data Processing Addendum

    The DPA that governs LegalInk's processing of customer personal data. DPDP-aligned. Available to download, with counter-signature on request for Enterprise customers.

    Compliance Questionnaire

    42 detailed answers covering data protection, security architecture, hosting, sub-processors, incident response, certifications, AI governance, and customer rights. The single source we point enterprise reviewers to.

    Privacy FAQ

    15 user-facing questions covering what data we collect, how we use it, who can read your drafts, how to export or delete your data, and your rights under DPDP 2023.

    Incident Response Policy

    Operational policy governing 72-hour breach notification, severity classification, customer communication, post-mortem reporting, and regulatory notification posture.

    Compliance roadmap

    Honest milestones. We will update this page as each is completed.

    1. Q2 2026 ✓

      DPDP §11 compliance package published — data rights procedures, DPA, subprocessor list, and compliance questionnaire live at /trust

    2. Q3 2026

      SOC 2 Type 1 audit initiated

    3. Q4 2026

      ISO 27001 readiness + India data residency (Mumbai region)

    4. 2027

      SOC 2 Type 2 attestation

    Common questions

    Have a specific compliance question?

    Talk to our team. We answer compliance and security questionnaires honestly, in writing, within 48 hours.