Security Overview

updated 10/07/2024

At TrueLaw, we take a comprehensive approach to security.

Our platform is built with multiple layers of protection, and we continuously adapt our security measures to meet evolving threats.

Infrastructure Security
TrueLaw AI's platform is deployed on Google Cloud Platform (GCP) and built on GCP's infrastructure and managed security services. We use GCP's native security features and add our own controls on top of them to protect the application and your data.

Access Control
1. We enforce the principle of least privilege across our systems and services.
2. Multi-factor authentication is required for all employee access to production systems.
3. Access to customer data is strictly limited and logged.
4. Customer accounts are protected by strong password requirements, and multi-factor authentication is available to customers as an option.
5. We use secure session management techniques to protect user sessions.
6. Failed login attempts are monitored and rate-limited to detect and throttle brute-force attacks.
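
The throttling described in items 6 above combines two counters in practice: a per-account counter that locks the account after repeated failures, and a per-source-IP counter that catches password spraying, where an attacker tries one password against many accounts and never trips the per-account limit. The following is an added illustration of that design and is not TrueLaw's code; every threshold (window, limits, lockout length) and every event in the sample logs is an assumption constructed for the example.

```python
"""Illustrative login throttle: per-account lockout plus per-source-IP limit.
Added example, not TrueLaw's code; thresholds are assumed, not real settings."""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # sliding window over which failures are counted (assumed)
MAX_PER_ACCOUNT = 5      # failures per account in the window before lockout (assumed)
MAX_PER_IP = 20          # failures per source IP in the window (assumed)
LOCKOUT_SECONDS = 900    # account lockout duration (assumed)


class LoginThrottle:
    """Track failed logins and decide whether a new attempt may proceed."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable for deterministic replay
        self._account_fail = defaultdict(deque)  # username -> failure timestamps
        self._ip_fail = defaultdict(deque)       # source ip -> failure timestamps
        self._locked_until = {}                  # username -> unlock time

    def _prune(self, dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def allow_attempt(self, username, ip):
        """Return (allowed, reason). Call this before checking the password."""
        now = self._clock()
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return False, "account_locked"
            del self._locked_until[username]
        ip_dq = self._ip_fail[ip]
        self._prune(ip_dq, now)
        if len(ip_dq) >= MAX_PER_IP:
            # Many failures from one address across accounts: password spraying.
            return False, "ip_rate_limited"
        return True, "ok"

    def record_failure(self, username, ip):
        """Count a failed attempt; lock the account once it reaches the threshold."""
        now = self._clock()
        acct_dq = self._account_fail[username]
        self._prune(acct_dq, now)
        acct_dq.append(now)
        ip_dq = self._ip_fail[ip]
        self._prune(ip_dq, now)
        ip_dq.append(now)
        if len(acct_dq) >= MAX_PER_ACCOUNT:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            acct_dq.clear()
            return "locked"
        return "counted"

    def record_success(self, username):
        """A correct password clears the account's failure history."""
        self._account_fail.pop(username, None)


def simulate(events):
    """Replay (time, username, ip, password_ok) events; return one decision each."""
    now = {"t": 0.0}
    throttle = LoginThrottle(clock=lambda: now["t"])
    decisions = []
    for t, user, ip, password_ok in events:
        now["t"] = t
        allowed, reason = throttle.allow_attempt(user, ip)
        if not allowed:
            decisions.append(reason)
        elif password_ok:
            throttle.record_success(user)
            decisions.append("success")
        else:
            decisions.append(throttle.record_failure(user, ip))
    return decisions


# Constructed event log (not real traffic): a brute-force run against one account,
# then the correct password while locked, then a retry after the lockout expires.
BRUTE_FORCE_EVENTS = [
    (0, "alice", "203.0.113.5", False),
    (1, "alice", "203.0.113.5", False),
    (2, "alice", "203.0.113.5", False),
    (3, "alice", "203.0.113.5", False),
    (4, "alice", "203.0.113.5", False),    # fifth failure -> lockout
    (5, "alice", "203.0.113.5", True),     # right password, still locked
    (905, "alice", "203.0.113.5", True),   # lockout expired -> succeeds
]

# Constructed spray: one IP, one failure each against 21 different accounts.
SPRAY_EVENTS = [(i, f"user{i:02d}", "198.51.100.7", False) for i in range(21)]

if __name__ == "__main__":
    print(simulate(BRUTE_FORCE_EVENTS))
    print(simulate(SPRAY_EVENTS)[-1])
```

Two points a practitioner would check in a real deployment: the response to a locked account and to a wrong password should be indistinguishable to the client, so the lockout does not become a username oracle, and every decision returned by `allow_attempt` should be logged with the account and source address so the monitoring described above has something to alert on.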

Network and Host Security
1. We use firewalls, network segmentation, and intrusion detection systems to protect our infrastructure.
2. Regular vulnerability scans and penetration tests are conducted to identify and address potential weaknesses.
3. We implement robust patch management processes to keep our systems up-to-date and secure.

Data Security
1. All connections to TrueLaw AI are encrypted using HTTPS.
2. We set HTTP Strict Transport Security (HSTS) so that a browser which has seen the header refuses to connect to our site over plain HTTP.
3. Our TLS configuration is reviewed and updated regularly to keep only strong protocol versions and cipher suites enabled.
4. All sensitive data is encrypted in transit and at rest using industry-standard encryption.
5. We follow key and secret management best practices, including regular rotation of encryption keys.
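
HSTS, as listed above, only does its job when the header is served with the right directives on every HTTPS response: a long enough `max-age`, `includeSubDomains` so that a stray subdomain cannot be downgraded, and `preload` if the domain is submitted to the browser preload list. The following is an added example of how an engineer would check a captured header against that policy; it is not TrueLaw's code, and the header values in `SAMPLE_RESPONSES` are constructed for the example rather than captured from truelaw.ai or any other site.

```python
"""Check a Strict-Transport-Security header against a strict HSTS policy.
Added example, not TrueLaw's code; sample headers are constructed, not captured."""
import re

ONE_YEAR = 31_536_000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Parse an STS header value into {directive: value}; None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # RFC 6797 allows each directive only once
        directives[name] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None  # max-age is mandatory and must be a non-negative integer
    return directives


def assess_hsts(headers):
    """Grade response headers (dict, any key case) as strong/weak/missing/invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing", ["no Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return "invalid", [f"unparseable header value: {value!r}"]
    findings = []
    max_age = int(parsed["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is shorter than one year")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains missing: subdomains still reachable over HTTP")
    if "preload" not in parsed:
        findings.append("preload missing: a browser's first visit is unprotected")
    return ("strong" if not findings else "weak"), findings


# Constructed response header sets used to exercise the check.
SAMPLE_RESPONSES = {
    "strong": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short":  {"strict-transport-security": "max-age=300"},
    "absent": {"Content-Type": "text/html"},
    "dup":    {"Strict-Transport-Security": "max-age=31536000; max-age=0"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        grade, findings = assess_hsts(headers)
        print(f"{name}: {grade} {findings}")
```

To run it against a live site, capture the headers of an HTTPS response (for example with `curl -sI https://example.com`) and feed them to `assess_hsts`. Browsers ignore the header on plain-HTTP responses and on responses with certificate errors, so only the HTTPS response matters, and even a "strong" header does not protect a browser's very first connection unless the domain is on the preload list.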

Operational Security
1. All employees undergo comprehensive security training upon hiring and regularly thereafter.
2. We maintain detailed security policies and procedures, which are regularly reviewed and updated.
3. Changes to production systems go through a rigorous review and approval process.

Software Development Lifecycle
1. Security is integrated throughout our development process, including design reviews, code analysis, and security testing.
2. We maintain separate development, testing, and production environments to ensure the integrity of our production systems.
3. All code changes undergo peer review before being merged into the main codebase.

Incident Response and Monitoring
1. We have a dedicated team for security monitoring and incident response.
2. Our systems are continuously monitored for suspicious activities and potential security threats.
3. We maintain and regularly test an incident response plan to ensure rapid and effective response to any security incidents.

Compliance and Audits
1. Our security program is designed to meet industry standards and regulatory requirements.
2. We undergo regular third-party audits and maintain certifications such as SOC 2 Type II.
3. Our compliance efforts are ongoing, with regular internal assessments and external validations.

Disaster Recovery and Business Continuity
1. We maintain a comprehensive disaster recovery plan, which is regularly tested and updated.
2. Our systems are designed with redundancy and failover capabilities to ensure high availability.
3. Data backups are performed regularly and stored securely in geographically diverse locations.

Vendor Management
1. We carefully vet all third-party vendors and require them to meet our security standards.
2. Regular security assessments are conducted on critical vendors to ensure ongoing compliance with our security requirements.

Customer Communication and Transparency
1. We are committed to transparency in our security practices and promptly communicate any relevant security information to our customers.
2. In the event of a security incident affecting customer data, we have processes in place for timely notification and response.

Privacy and Data Protection
1. We adhere to data minimization principles, collecting only the data necessary to provide our services.
2. Our privacy policies and data handling practices are designed to comply with relevant regulations such as GDPR and CCPA.
3. We provide mechanisms for customers to access, correct, and delete their personal data as required by applicable laws.
4. For more information, visit https://www.truelaw.ai/privacy

Additional Security Measures
1. As a legal AI research lab, we implement specialized security measures to protect sensitive legal data and AI models.
2. Our AI models are developed with a focus on ethical AI practices, ensuring fairness and transparency in legal applications.
3. We employ techniques to reduce AI hallucinations and improve the accuracy of our legal AI tools.
4. For more information about our security practices or to report a security concern, please contact us at security@truelaw.ai.