
Trust Center

Security

Technical security controls protecting your firm's data — documented and current.

Last reviewed: February 2026

All systems operational

How we protect your practice

Security isn't a feature — it's the foundation everything else is built on.

Attorney-Client Privilege

Data belongs to your firm. We never share, sell, or use it beyond providing the FirmFirst service. Full data export and deletion on demand.

Encryption

AES-256 encryption at rest, TLS 1.3 in transit. Application-level encryption for tokens, keys, and sensitive credentials.

Infrastructure Security

Hosted on Google Cloud Platform (us-central1). Google's infrastructure is covered by its own SOC 2 attestation reports (SOC 2 is an audit report, not a certification); FirmFirst's own SOC 2 Type II audit is in progress, as listed under Compliance status. Data never leaves the United States.

Access Control

Role-based access with least-privilege principles. Multi-factor authentication required for all team members. Audit logging on every access.

Monitoring & Incident Response

24/7 automated monitoring. Defined incident response procedures. Breach notification within 72 hours, matching the notification window of GDPR Article 33.

Third-Party Vendor Security

All sub-processors sign DPAs and meet SOC 2 or equivalent standards. Vendor security reviewed annually.

Privacy by Design

GDPR and CCPA compliant. Data minimization — we collect only what's needed. No tracking beyond essential analytics.

Backups & Recovery

Daily automated backups. Point-in-time recovery capability. Disaster recovery procedures tested regularly.

Security controls

Data Protection

  • Encryption at rest

    AES-256 encryption for all stored data

  • Encryption in transit

    TLS 1.3 for all data transmission

  • Application-level secret encryption

    Tokens, keys, and credentials encrypted separately

  • Daily automated backups

    Point-in-time recovery capability
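What "application-level encryption for tokens, keys and credentials, encrypted separately" amounts to in practice is envelope encryption: each stored secret is sealed under its own data key (DEK), and only that key is wrapped under a key-encryption key (KEK) held outside the database, so disk-level AES-256 at rest and application-level encryption are two independent layers. The Go program below is an added illustration written for this page, not FirmFirst's code; the in-memory KEK, the record identifiers and the sample token are constructed stand-ins for a KMS-held key and real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative envelope encryption for application-level secrets; not FirmFirst code. The
// KEK stands in for a KMS-held key; each secret gets its own DEK, so a database dump
// (already AES-256 at rest) yields nothing without the KMS key.
const keyLen = 32 // AES-256

// EncryptedSecret is the shape stored in the database column.
type EncryptedSecret struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // secret sealed under the DEK, nonce prepended
}

// NewKey returns a fresh random 256-bit key (used here for the KEK and for each DEK).
func NewKey() ([]byte, error) {
	k := make([]byte, keyLen)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen { // aes.NewCipher would silently accept AES-128/192 sizes
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random 96-bit nonce. aad is
// authenticated but not encrypted: it ties the blob to the context it was written for.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptSecret seals the secret under a one-off DEK and wraps that DEK under the KEK.
// recordID is bound as AAD at both layers, so a blob copied into another firm's row
// will not decrypt there even with the right KEK.
func EncryptSecret(kek []byte, recordID string, secret []byte) (EncryptedSecret, error) {
	dek, err := NewKey()
	if err != nil {
		return EncryptedSecret{}, err
	}
	ct, err := seal(dek, secret, []byte(recordID))
	if err != nil {
		return EncryptedSecret{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return EncryptedSecret{}, err
	}
	return EncryptedSecret{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptSecret unwraps the DEK, then opens the secret; a wrong KEK or recordID fails first.
func DecryptSecret(kek []byte, recordID string, es EncryptedSecret) ([]byte, error) {
	dek, err := open(kek, es.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, es.Ciphertext, []byte(recordID))
}

func main() {
	kek, _ := NewKey() // in production a KMS key, never stored beside the data
	es, _ := EncryptSecret(kek, "firm-42/oauth-token", []byte("constructed-sample-token"))
	pt, err := DecryptSecret(kek, "firm-42/oauth-token", es)
	_, moved := DecryptSecret(kek, "firm-99/oauth-token", es) // same blob, another firm's row
	fmt.Printf("same record: %q err=%v; other record err=%v\n", pt, err, moved)
}
```

Two properties are worth checking in any implementation of this control: a blob moved to another record (different AAD) must refuse to decrypt, and a one-bit change anywhere in the stored blob must fail authentication rather than yield garbage plaintext. The KEK never touches the database, so rotating it means re-wrapping the small DEKs, not re-encrypting every secret.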

Access Management

  • Role-based access control

    Permissions scoped to job function

  • Multi-factor authentication

    Required for all personnel

  • Least-privilege access

    Minimum necessary permissions by default

  • Access audit logging

    All access events recorded and retained

Infrastructure

  • Google Cloud Platform

    US data centers (us-central1)

  • Network segmentation

    Isolated production environments

  • DDoS protection

    Cloud-native DDoS mitigation

  • Automated vulnerability scanning

    Continuous dependency and infrastructure scanning

Operational

  • Incident response plan

    Documented procedures for security events

  • 72-hour breach notification

    Matches the notification window of GDPR Article 33

  • Annual vendor security review

    Sub-processor compliance verification

  • Employee security training

    Mandatory onboarding and annual refresher

Compliance status

SOC 2 Type II

In Progress

Third-party audit of security, availability, and confidentiality controls.

Target: Q4 2026

GDPR

Compliant

Data Processing Agreements available. Right to access, rectification, erasure, and portability.

DPA available on request

CCPA

Compliant

California Consumer Privacy Act rights for California residents, including prospects whose data the service processes.

Effective since launch

ABA Model Rule 1.16

Aligned

Signal analysis and verification workflows help attorneys meet their own 'reasonable inquiry' obligations under the rule, which binds lawyers rather than vendors.

Aligned since launch

Questions about our security controls?

Contact our security team for documentation, pen test reports, or compliance questions.