Security at Legal Diary

Data in transit between your device and our servers is encrypted using TLS 1.2 or higher. Data at rest in our database, file storage, and backups is encrypted using AES-256.

Accounts are protected by email and password. We require strong passwords (minimum eight characters with mixed case and a digit) and offer email-based password reset. Multi-factor authentication is on the product roadmap for paid plans.

Workspaces enforce role-based access: only members of a firm can see that firm’s matters, clients, and documents. Client accounts only see the matters they are explicitly invited to. Inside our company, production data access is limited to a small group of engineers under signed confidentiality agreements; every privileged access is logged.

Legal Diary runs on Google Cloud Platform, primarily in the Singapore (asia-southeast1) region. We use managed services from Google Firebase for authentication, database (Firestore), and serverless compute. Google’s underlying infrastructure is certified to ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3.

Workspace data is automatically backed up daily with point-in-time recovery for the last seven days. Backups are stored encrypted, in multiple geographic zones, with access restricted to break-glass recovery operations.

We follow secure development practices: code review on every change, dependency scanning, content security policies, secure cookie defaults, CSRF protections, and rate limiting on authentication endpoints. Production deploys are auditable and reversible.

Legal Diary does not store payment card numbers. Payments on paid plans are handled by PCI-DSS-compliant payment processors. We receive only a token and the last four digits of the card for billing reference.

You own your data. We do not use the contents of your matters, documents, or messages to train AI models. Full details are in our Privacy Policy.

If we discover a security incident affecting your data, we will investigate, contain, and remediate it without undue delay, and notify affected users by email and in-app notice within the timeframes required by applicable law. We learn from every incident and publish a public summary where it materially affects users.

If you believe you have found a security vulnerability, please email info@LegalDiary.app with a description of the issue and steps to reproduce. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond. We will acknowledge your report within five business days and keep you informed as we work on a fix.

For security questions, audit requests, or due-diligence questionnaires, email info@LegalDiary.app.