Your clients trust you with their most sensitive information. We make sure that trust is never broken — with multiple layers of security built specifically for legal practices.
From the moment an attorney logs in to the last document download, every interaction is protected by layered security controls.
TOTP-based MFA (RFC 6238) compatible with Google Authenticator, Authy, and any standard authenticator app. Required on every login — no exceptions. Trusted device support with 7-day sessions for reduced friction.
30-minute inactivity timeout with a 1-minute warning banner before expiry. Sessions are database-tracked (not just cookies), so logout is instant and complete. New logins automatically invalidate all prior sessions across all devices.
Five failed login attempts trigger a 15-minute account lockout. A CAPTCHA signal activates after 3 failed attempts. Rate limiting (10 requests/min) is applied to all authentication endpoints, including login, MFA, and password reset.
Passwords are never stored in plaintext. AccidentOS uses bcrypt, a salted one-way hash with a configurable work factor (salt rounds) — the industry standard. Even if the database were compromised, passwords remain unrecoverable.
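The lockout and rate-limit policy above, written out as an added example (not AccidentOS code) in Node.js so the edge cases are explicit: the CAPTCHA signal switches on at the third failure, the fifth failure locks the account for 15 minutes, the lock expires on its own and resets the counter, a successful login clears the counter, and a fixed-window limiter of 10 requests per minute guards the authentication endpoints. Both classes take an injectable clock so the expiry behaviour can be tested without waiting; the in-memory maps stand in for whatever store the real service uses.

```javascript
'use strict';

// Policy constants as stated on the page.
const MAX_FAILURES = 5;
const CAPTCHA_AFTER = 3;
const LOCKOUT_MS = 15 * 60 * 1000;

// Per-account failure counter and lockout. In-memory for the example; a real
// deployment would keep this in the database so all app instances see it.
class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // accountId -> { failures, lockedUntil }
  }

  // What the login endpoint should do before it even checks the password.
  check(accountId) {
    const s = this.state.get(accountId) || { failures: 0, lockedUntil: 0 };
    const t = this.now();
    if (s.lockedUntil > t) {
      return { allowed: false, reason: 'locked', retryAfterMs: s.lockedUntil - t, captcha: true };
    }
    if (s.lockedUntil && s.lockedUntil <= t) {
      this.state.delete(accountId); // lockout expired: start fresh
      return { allowed: true, captcha: false };
    }
    return { allowed: true, captcha: s.failures >= CAPTCHA_AFTER };
  }

  recordFailure(accountId) {
    const s = this.state.get(accountId) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = this.now() + LOCKOUT_MS;
    }
    this.state.set(accountId, s);
    return this.check(accountId);
  }

  recordSuccess(accountId) {
    this.state.delete(accountId);
  }
}

// Fixed-window limiter: at most `limit` hits per `windowMs` for a key such as
// the client IP or the account name on /login, /mfa and /password-reset.
class FixedWindowLimiter {
  constructor(limit = 10, windowMs = 60 * 1000, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { window, count }
  }

  // Returns true if the request may proceed, false if it should get a 429.
  hit(key) {
    const window = Math.floor(this.now() / this.windowMs);
    const b = this.buckets.get(key);
    if (!b || b.window !== window) {
      this.buckets.set(key, { window, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

module.exports = { LoginThrottle, FixedWindowLimiter, MAX_FAILURES, CAPTCHA_AFTER, LOCKOUT_MS };
```

The limiter is checked first and the lockout second, so a locked account never reaches the password check and a flood of requests never reaches the lockout counter.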
Every meaningful action is logged: case access, AI feature usage, credit transactions, document activity, login attempts (successful and failed), and admin actions. Logs are append-only and immutable via database rules — nothing gets deleted.
Strict separation between attorney, admin, and read-only roles. Each role has defined permissions that cannot be escalated without explicit admin action. Admin panels require a separate, hardened 2-step authentication flow.
Attorneys can only access their own cases, clients, and data. Row-level access controls are enforced at the database layer — not just the application layer — so there's no path to cross-account data access.
Per-account rate limiting on all API endpoints. Input sanitization via XSS prevention libraries on every field. CORS enforced with a strict origin allowlist. Request body size limited to 15MB to prevent abuse.
All responses include: HSTS (force HTTPS), X-Frame-Options (prevent clickjacking), X-Content-Type-Options (prevent MIME sniffing), and Content Security Policy. Managed via Helmet.js with legal-app-appropriate configuration.
All webhook integrations are secured with HMAC-SHA256 request signatures computed with a per-integration secret key. Unsigned or incorrectly signed requests are rejected before processing. Each integration has its own key that can be rotated independently.
All OAuth tokens and sensitive integration credentials are encrypted at rest using AES-256-GCM — the same encryption standard used by the US government and financial institutions. Keys are environment-isolated and never stored with data.
Security isn't a single feature — it's layered controls that fail safely. If one layer is compromised, the others hold.
Passwords use bcrypt. OAuth tokens use AES-256-GCM. Keys live in environment variables, never in the database.
JWTs on every API call. Row-level isolation at the database. No attorney can query outside their own data — enforced in SQL, not just app logic.
Database-tracked sessions mean logout is real. Stolen tokens from expired sessions are worthless. Inactivity timeouts protect unattended workstations.
Rate limiting and lockouts stop brute force. Input sanitization stops injection attacks. CORS + CSP stop cross-origin exploits.
Full audit trail for every action. Immutable logs stored for 7 years. Attorneys can prove exactly who accessed what, when, and from where.
Technical details for your compliance team, IT department, or security-conscious clients.
Every meaningful action in AccidentOS is captured in the audit log — automatically, without any configuration.
Successful logins, failed attempts, MFA verifications, and session terminations — all with timestamp and IP address.
Every time a case record is opened, modified, or exported. Who accessed it, when, and what changed.
All AI-powered actions — lead scoring, document analysis, auto-responses — are logged with inputs and outputs for review.
Every credit purchase, spend, and transfer is recorded with full context. Complete financial audit trail.
Document uploads, downloads, and deletions — all tracked. Know exactly when a document was accessed and by whom.
All admin panel activity — user management, configuration changes, report generation — is captured in a separate admin audit log.
Logs are stored for a minimum of 7 years — meeting or exceeding most state bar association record-keeping requirements for legal practices. Logs are append-only and immutable via database-level rules.
Send this page to any client who asks about data security. Every protection on this page is live and active in your AccidentOS account today.