Security

At Legal Robot, we know some of your most sensitive information is in legal documents. That is why we take the security and privacy of our users very seriously. This page details some of our security measures.

Application Integrity

We depend on Open Source Software like jQuery, Semantic-UI, Underscore.js, PDF.js, and more, but we prefer to control the origin of such software rather than load from a 3rd party Content Delivery Network (CDN). This helps us limit the number of 3rd party origins that we load content from. However, because we still load some 3rd party content, like fonts, we use several standard techniques to prevent the types of attacks that 3rd party origins expose. For example, we serve the X-XSS-Protection header and use a detailed Content-Security-Policy that explicitly lists trusted origins. Because we know that even trusted 3rd party origins could be compromised, we use Subresource Integrity (SRI) hashes on all 3rd party resources to ensure they are free from tampering.

We also serve other security headers like Access-Control-Allow-Origin, X-Frame-Options, and X-Content-Type-Options and encourage you to test them at SecurityHeaders.com or Mozilla Observatory

Data Centers

Legal Robot hosts our services on reputable cloud providers like Amazon Web Services and Digital Ocean. We use geographic redundancy and multi-cloud infrastructure to optimize performance and mitigate single points of failure.

The data centers we use are all certified to SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2013, and PCI-DSS and all comply with EU-U.S. Privacy Shield as well as Swiss-U.S. Privacy Shield.

Encrypted Data

Passwords: We never store or send passwords in clear text, we only store hashed and salted passwords (using bcrypt with a high difficulty factor). In other words: even if our database is compromised, your password is safe.

Documents: When you analyze a document with the Legal Robot App or website, sensitive data never leaves your device. Our software performs the analysis right on your device. Then, we encrypt everything using a key that only you have and store your encrypted data in your preferred cloud storage account. Your data is unreadable by hackers, governments, and even our own administrators.

Email: Most email is not very secure. Rather, it is similar to a postcard—anyone who handles it can read it. However, the Legal Robot service supports encrypted email using PGP (public key on Keybase.io). All of our shared inboxes, like [email protected], and most of our employees have published PGP keys on Keybase or SKS Key Servers.

Encrypted Traffic

All data exchanged with our website or app is transmitted over a secure connection (aka Transport Layer Security, TLS). TLS is the standard technology for establishing an encrypted connection between a web server and a browser. The secure link ensures that all data transfer remains private.

However, there are different types of TLS encryption and some provide better security. We will always provide the highest level of encryption that modern browsers will allow, at this time TLS 1.3. For more detail, check out the Qualys Labs SSL Report.

We take additional measures to ensure communication between our servers and your browser is trusted. For example, we limit the Certificate Authorities (CAs) that are allowed to issue TLS certificates for our domains using DNS Certificate Authority Authorization (CAA) records. We also attest to the validity of our DNS records by digitally signing our root zone with DNSSEC. Finally, we send the Expect-CT header to ensure that modern browsers will only trust certificates from CAs that publish Certificate Transparency logs, and we send the Strict-Transport-Security header with a long duration, included subdomains, and preloading so connections to our servers must always be secure.

Payments

We do not store any payment card information on our servers. Payment card information goes directly from the browser to Stripe, a company dedicated to secure payment processing on PCI-Compliant servers. For more information, check out Stripe's security policy.

Security Research

If you discover a vulnerability, we would love to discuss your findings and would be grateful for your report. As long as your research stays within the bounds of our Bug Bounty Policy, we welcome your interest and promise not to take legal action. In fact, Legal Robot was one of the first companies to offer an explicit safe harbor from DMCA, CFAA, and CDAFA for legitimate security research. To report a vulnerability, please use our HackerOne Bug Bounty Program.