1. Scope
This document covers the security controls applied to the LegiScore platform operated by LawyerDesk Advocacy Pvt Ltd: the web application, the mobile application, the backend services, the document-storage layer, and the support tooling used to maintain the service.
This page is descriptive, not contractual. Binding commitments live in the Terms and Conditions, Privacy Policy, and any signed Master Services Agreement.
2. Data Residency
- Primary data store: Hosted on India-region servers.
- Document and report storage: Hosted on India-region object storage.
- Application and worker services: Hosted on India-region infrastructure.
- Transactional email delivery: Hosted on India-region servers.
- Third-party AI analysis: Performed via globally distributed API endpoints. Inputs are processed in transit and not retained by the providers per their data-processing agreements.
- Advertising and analytics pixels: Sent to the relevant ad platforms over their global networks. Consent controls are documented in the Cookie Policy.
3. Authentication and Access Controls
- End-user sign-in: Phone-first one-time-password (OTP). No passwords are stored, hashed, or transmitted for end-user accounts.
- Sessions: Short-lived signed session tokens, refreshed on a rolling window; secure storage on the client.
- Route protection: Authenticated routes are gated at the edge and re-validated on every backend call.
- Row-level data isolation: Database-level policies ensure each user account can only read or modify rows it owns. This is enforced by the database itself, not just by the application layer.
- Privileged operations: Internal operational endpoints require additional out-of-band authentication that is never exposed to end users.
- Operator access: Production credentials are not held by individual operators. Access is gated through provider dashboards with multi-factor authentication enforced.
4. Encryption
- In transit: Modern TLS (1.2 or higher) on all client-server, server-server, and server-third-party traffic. HTTP is redirected to HTTPS.
- At rest: Data at rest is encrypted by the underlying cloud-storage layer using industry-standard ciphers.
- Honest scope note: We rely on the cloud providers' default at-rest encryption. We do not currently operate customer-managed keys (CMK / BYOK) or our own Hardware Security Module. Customers requiring CMK should contact us before signing.
5. Application Security
- Rate limiting: Per-source rate limits with automatic time-bounded blocks on abuse. Thresholds are tuned over time and not published.
- Attack-pattern detection: The backend inspects requests for known reconnaissance and injection patterns and automatically blocks offending sources.
- Content Security Policy: A strict CSP header on web responses with an allowlist of trusted sources for scripts, styles, and pixels.
- Anti-bot for sign-up: Phone-based OTP combined with abuse-signal correlation prevents mass automated account creation.
- CAPTCHA: Used on workflows that interact with third-party portals subject to bot abuse.
- Input validation: Typed schema validation on every backend endpoint; parameterised queries for all database calls (no raw SQL on user input).
- Dependency hygiene: Vulnerability advisories from upstream package ecosystems are reviewed and patched on a regular cadence.
6. Secret Management
- Production credentials (database connections, third-party API keys, signing keys, payment-gateway credentials) are held in a dedicated secret store, not in source control.
- The frontend code only sees keys explicitly marked as publishable; service-role credentials remain server-side.
- Sensitive credentials rotate on a defined schedule and after any suspected exposure.
- Pre-commit and CI checks block common secret-leak patterns from being committed to the repository.
7. Monitoring and Incident Response
- Error monitoring: Application errors and security events are forwarded to a managed observability platform; stack traces are scrubbed of sensitive parameters before transmission.
- Logging: Structured logs flow to a centralised log stream; security events (rate-limit blocks, attack-pattern hits, privileged actions) are tagged for triage.
- Audit trail: User-facing state changes (case status, acknowledgement events, payment events, document uploads) are written to append-only audit records for post-incident reconstruction.
- Breach response: On confirmed personal-data breach, we commit to a 72-hour notification window to affected users and to the Data Protection Board of India as required by the Digital Personal Data Protection Act, 2023. See the Privacy Policy for the full mechanism.
- Honest scope note: We do not currently operate a 24/7 staffed security operations centre. Coverage is provided by the engineering team during business hours, with paging for critical alerts outside business hours.
8. Backups and Disaster Recovery
- Database backups: Automated daily backups with point-in-time recovery within the retention window of the underlying managed service.
- Object storage: Versioning enabled where the underlying storage layer supports it.
- Honest scope note: We do not currently maintain regular off-cloud cold backups or cross-region replication beyond what the managed cloud layer provides by default. Enterprise customers with stricter recovery-point or recovery-time objectives should contact us.
9. Third-Party Vendors
We rely on a small set of established cloud and SaaS vendors for hosting, payments, observability, and AI processing. Each vendor carries its own security attestations (ISO 27001, SOC 2, PCI DSS, etc.) as applicable to its service. We do not publish the specific vendor list on this page. Enterprise customers conducting a security review can request the full vendor inventory and attestations under NDA.
10. Compliance Posture — What We Are and What We Are Not
We are precise about this so that you do not have to guess.
- Digital Personal Data Protection Act, 2023 alignment: Data-handling practices have been aligned with the DPDP Act, 2023. A named Grievance Officer is published in the Privacy Policy. We are not "certified" against the Act because no certification scheme has yet been notified by the Data Protection Board of India.
- Information Technology Act, 2000: We comply with applicable provisions of the IT Act and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. A Grievance Officer is published.
- ISO 27001: Not certified.
- SOC 2 (Type I or II): Not attested.
- GDPR (formal certification): Not certified. Practices broadly mirror GDPR principles (data minimisation, purpose limitation, lawful basis, data-subject rights). We do not market the platform to EEA residents and do not represent ourselves as a GDPR-compliant data controller.
- PCI DSS: Not directly applicable. LegiScore does not store, process, or transmit raw cardholder data; payments are handled entirely by a PCI-compliant payment-gateway provider.
- HIPAA, FedRAMP, HITRUST: Not applicable. The platform is not designed for protected health information, US federal government workloads, or US healthcare data.
11. Responsible Disclosure
If you discover a security vulnerability in the LegiScore platform, please report it before publishing or exploiting it.
- Where to report: Email [email protected] with the subject line [SECURITY] and a technical description of the vulnerability, steps to reproduce, and any proof-of-concept.
- Acknowledgement SLA: 5 business days.
- Safe harbour: Good-faith security research that (a) does not access user data beyond what is necessary to demonstrate the vulnerability, (b) does not degrade service for other users, and (c) does not publish details for 90 days after the report will not result in legal action or account suspension. Aggressive or destructive testing voids the safe harbour.
- Bug bounty: Not currently operated. Reporters may be acknowledged publicly with their consent once an issue is fixed.
12. Enterprise Customers
Customers with stricter security, residency, or audit requirements — custom data-processing agreements, customer-managed keys, regional data isolation, audit-log export, IP allowlisting, single-sign-on, vendor attestations, and similar — should contact us before signing. Some of these are available today; others are on the roadmap. We will tell you honestly which is which under NDA.
13. Updates to This Page
This page is updated when our security posture materially changes. The Last Updated date at the top reflects the most recent revision. Material changes are also announced in the public changelog.
14. Contact
- Security: [email protected]
- General: +91 6262 868600
- Grievance Officer (data-protection complaints): [email protected]