Security & Privacy

How LegalCaseManager protects attorney–client privilege, personal information under POPIA, and your sensitive case data.

Legal professional privilege is preserved. Attorney–client communications, draft pleadings, work-product and strategy notes stored on the Platform remain privileged. The Platform is used by your firm as a confidential tool for the purposes of legal advice and litigation, and disclosure to Platform infrastructure providers under a written confidentiality obligation does not constitute a waiver.

1. Encryption in transit and at rest

All data moving between your browser and the Platform is encrypted over TLS 1.2 or higher (HTTPS). Unencrypted connections are refused at the edge.

All case records, documents, statements, testimonies, analyses and uploaded files are encrypted at rest using AES-256 on managed database and object storage.

Passwords are never stored in plain text. We hash every password with bcrypt (cost factor 12). One-time verification codes are stored as single-use hashes with short expiry windows.

TLS certificates are renewed automatically and the Platform enforces HSTS for all sessions.

2. Attorney–client privilege ring-fence

Your matters live behind a hard ring-fence designed around how a law firm actually works:

  • Matter isolation. Every record is scoped to a case, and every case is scoped to the instructing firm. Database queries are checked at the application layer against the signed-in user before any row is returned.
  • Legal team vs client-portal roles. Clients invited to a matter through the client portal only see documents and messages their legal team has explicitly shared with them. Internal strategy notes, cross-examination plans, credibility assessments and draft pleadings are never visible to client-portal users.
  • Private collaborators. Collaborators added to a matter as “private” are not listed to other team members — useful for counsel and expert witnesses whose involvement must remain confidential.
  • Work-product protection. AI-generated drafts are stored as pending work-product against the attorney who requested them, awaiting attorney review and sign-off. Nothing is surfaced as final without that review.

The ring-fence is enforced by the application for every request — it is not a setting that can be disabled from the UI.

3. No AI training on your data

Your matters are never used to train any AI model.

  • When the Platform calls an AI model on your behalf (for example, to draft cross-examination questions or to analyse a contradiction), the request is sent under a contractual zero-retention, no-training arrangement with the AI provider.
  • Before leaving the Platform, identifying details are redacted and replaced with stable placeholders where possible (client names, ID numbers, bank account numbers, case numbers). The model sees the legal problem, not your client’s personal information.
  • AI providers do not retain prompts, responses or any derived logs from Platform traffic, and cannot use that traffic to fine-tune general-purpose models.
  • The Platform itself does not operate its own training pipeline against customer data. We do not assemble datasets from matters, documents, messages, or cross-examination notes.
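The redaction step described above, sketched as an added example (this is not LegalCaseManager's code). The regular expressions, the placeholder format and the `Redactor` class are assumptions made for illustration; the point is that the same value always maps to the same placeholder, so the model can still reason about "who did what", and the mapping never leaves the Platform.

```python
import re

# Constructed patterns (assumptions); real formats would be tuned to the firm's data.
PATTERNS = [
    ("CASE_NO", re.compile(r"\b\d{1,6}/\d{4}\b")),   # assumed form, e.g. 4521/2023
    ("ID_NO", re.compile(r"\b\d{13}\b")),            # 13-digit South African ID number
    ("ACCOUNT_NO", re.compile(r"\b\d{9,11}\b")),     # assumed account-number length
]


class Redactor:
    """Swaps identifiers for stable placeholders and restores them afterwards."""

    def __init__(self, known_names=()):
        self.forward = {}    # (kind, normalised value) -> placeholder
        self.reverse = {}    # placeholder -> original value
        self.counters = {}
        # Longest first, so a full name wins over a first name on its own.
        self.names = sorted(known_names, key=len, reverse=True)

    def placeholder(self, kind, value):
        key = (kind, value.casefold())
        if key not in self.forward:
            self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"[{kind}_{self.counters[kind]}]"
            self.forward[key] = token
            self.reverse[token] = value
        return self.forward[key]

    def redact(self, text):
        for name in self.names:
            pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
            text = pattern.sub(lambda m: self.placeholder("CLIENT", m.group()), text)
        for kind, pattern in PATTERNS:
            text = pattern.sub(lambda m, k=kind: self.placeholder(k, m.group()), text)
        return text

    def restore(self, text):
        # Applied to the model's response before it is shown to the attorney.
        for token, value in self.reverse.items():
            text = text.replace(token, value)
        return text


# Constructed sample prompt; the name and numbers are invented.
SAMPLE = ("Thandi Mokoena (ID 8001015009087) paid from account 1234567890 "
          "in case 4521/2023. Thandi Mokoena denies this.")
```

Pattern-based redaction only catches what the patterns and name list cover, which is why the page qualifies it with "where possible".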

4. POPIA compliance

LegalCaseManager is built to support your firm’s obligations under the Protection of Personal Information Act 4 of 2013 (POPIA) as a responsible party. In the relationship between your firm (responsible party) and LegalCaseManager (operator), we process personal information only on the documented instructions that arise from your use of the Platform.

  • Lawful processing. Personal information is processed for the specific, explicitly defined purpose of running your matter — managing witnesses, statements, testimonies, analyses and communications for your instructed cases.
  • Minimisation. You choose what goes into a matter. The Platform does not harvest information from outside that matter, and does not sell, rent or profile personal information.
  • Security safeguards. The controls set out in sections 1, 5, 6, 7 and 8 of this page are our Section 19 safeguards — appropriate, reasonable technical and organisational measures to prevent loss, damage, destruction and unauthorised access.
  • Data subject rights. Firms can export, correct, or delete the personal information of a data subject on request. Soft-deleted records can be restored by an authorised firm administrator during the retention window; permanent purge occurs after the retention window or on explicit written instruction.
  • Breach notification. Any compromise to the security or integrity of personal information is reported to affected firms without undue delay, together with the information required under POPIA Section 22 so that onward notification to the Information Regulator and data subjects can be made.

The full POPIA statement, including the Information Officer contact details and lawful basis mapping, is set out at /popia-compliance.

5. Immutable audit log

Every action that touches a matter is written to an append-only audit log:

  • Sign-in, sign-out and device-session events
  • Record creation, modification, soft-delete and restoration
  • AI calls — including when a call was blocked by a guardrail and why
  • Document views, downloads and exports
  • Collaborator invitations, role changes and revocations
  • Administrative actions (user activation, deactivation, record restoration)

Each entry captures the actor, the resource, the timestamp and the outcome. Audit entries cannot be edited or removed through the application, and they are retained for a minimum of 12 months so that the trail is available for a professional complaint, a disciplinary review, or a court-ordered forensic inspection.

Firm administrators with the audit-log role can filter and export the log as CSV from within the Platform.

6. Role-based access control

Access to data is controlled by the role each user holds on a matter:

  • Attorney / instructing lawyer. Full access to the matter, its witnesses, documents, analyses, AI drafts, cross-examination notes and settings. Can invite collaborators and clients.
  • Paralegal. Full working access to the matter for preparation purposes. Can add witnesses, statements, testimonies, documents and analyses, but cannot change billing or firm-level settings.
  • Legal-team collaborator. Works on the matter alongside the attorney with scoped access. Private collaborators are hidden from other team members so that the composition of the team cannot be inferred.
  • Client portal user. Sees only what has been explicitly shared with them — typically, summaries, calendar items, documents marked as client-visible, and the message thread with their legal team. Internal strategy, credibility assessments and work-product remain hidden.

Every data-fetching API double-checks the caller’s role against the matter before returning results. A user without a role on a matter cannot see that the matter exists.

7. Two-factor authentication & device sessions

Every sign-in requires a second factor. After a valid email and password, we send a one-time code to the registered email address. The code is short-lived, single-use, and is checked against a hashed copy — never compared in plain text.

  • Device sessions. Each successful sign-in creates a named device session (device, browser, first-seen timestamp, last-seen timestamp). You can review and revoke any active session from your account settings, which immediately invalidates that session everywhere.
  • Session limits. Active concurrent device sessions are capped according to your plan; the oldest session is revoked automatically when the cap is exceeded.
  • Idle timeout. Sessions expire after a period of inactivity. Returning after the idle window requires a fresh sign-in and a fresh one-time code.
  • Account lock-out. Repeated failed sign-in attempts trigger rate limiting and, if sustained, a temporary account lock. Lock events are written to the audit log and surface to firm administrators.
  • Deactivation. A firm administrator can deactivate a user at any time — for example, when a collaborator leaves the firm — which immediately denies new sign-ins and invalidates every active session for that user.
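An added sketch (not LegalCaseManager's code) of the one-time-code handling described in sections 1 and 7: only a hash is stored, the code expires, it works once, and the comparison is constant-time. The keyed HMAC, the 300-second window, the attempt limit and the `OtpStore` name are assumptions; the page states only that codes are hashed, short-lived and single-use.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: held in a secrets store in practice
TTL_SECONDS = 300                      # assumed window; the page says only "short-lived"
MAX_ATTEMPTS = 5                       # assumed guess limit per issued code


def _digest(user_id, code):
    # Keyed hash: a 6-digit code is trivially brute-forced from a bare hash.
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


class OtpStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # user_id -> [digest, expires_at, attempts_left]

    def issue(self, user_id):
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code overwrites (and so invalidates) any earlier one.
        self.pending[user_id] = [_digest(user_id, code),
                                 self.clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return code   # emailed to the user; the plain code is never stored

    def verify(self, user_id, code):
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[user_id]
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, _digest(user_id, code)):
            del self.pending[user_id]   # single use: a replay finds nothing
            return True
        return False
```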

8. Infrastructure & hosting

LegalCaseManager runs on managed, production-grade cloud infrastructure with enterprise certifications (including ISO 27001 and SOC 2 reporting from the underlying providers). The Platform is deployed as a closed, single-purpose application:

  • Isolated application tier. The application runs in a hardened runtime with no open admin ports, no interactive shell access from the public internet, and no direct file-system access to customer data for end users.
  • Dedicated database. A managed PostgreSQL database holds the matter data. Database credentials live in a secrets store, never in source code. Connection pools are short-lived and access is restricted to the application tier.
  • Object storage. Uploaded documents are written to encrypted, private object storage. Public links are never generated; downloads go through signed, short-lived URLs scoped to the requesting user and matter.
  • Continuous backups. Point-in-time database backups are retained for disaster recovery and are themselves encrypted at rest. Backups remain within the same regional boundary as the primary database.
  • South African deployment. Customer-facing traffic is served from the legalcasemanager.co.za and legalmind.co.za domains under TLS, over a configuration designed for South African clients and South African legal practice.
  • Patch cadence. Dependencies are monitored for security advisories and patched on a rolling basis. Critical vulnerabilities are remediated out-of-band.
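The signed, short-lived download URLs mentioned under object storage, as an added example (not LegalCaseManager's code). The route, the 60-second lifetime, the key and the function names are assumptions. The user is bound into the signature but checked against the authenticated session, so a link copied to another signed-in user fails.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"   # assumption: loaded from a secrets store in practice
TTL_SECONDS = 60                        # assumed lifetime; the page says only "short-lived"


def _mac(doc_id, user_id, matter_id, expires):
    # JSON-encode the fields so no choice of IDs can make two tuples collide.
    msg = json.dumps([str(doc_id), str(user_id), str(matter_id), int(expires)]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_download(doc_id, user_id, matter_id, now=None):
    now = time.time() if now is None else now
    expires = int(now) + TTL_SECONDS
    query = urlencode({"matter": matter_id, "expires": expires,
                       "sig": _mac(doc_id, user_id, matter_id, expires)})
    return f"/documents/{doc_id}/download?{query}"   # hypothetical route


def verify_download(url, session_user_id, now=None):
    """Return (doc_id, matter_id) to serve, or None if the link must be refused."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        doc_id = parts.path.split("/")[2]
        matter_id = params["matter"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (IndexError, KeyError, ValueError):
        return None
    # The user comes from the authenticated session, never from the URL.
    expected = _mac(doc_id, session_user_id, matter_id, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if now > expires:
        return None
    return doc_id, matter_id
```

A valid signature shows only that the link was issued to this user; the role check on the matter described in section 6 still has to run before the file is served, so a revoked collaborator cannot use a link issued seconds earlier.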

Infrastructure providers who necessarily process data to host the Platform (hosting, managed database, object storage, email delivery) are bound by written confidentiality and data-processing obligations. They do not have a legal right to read, repurpose or train on your matter data.

Reporting a security concern

If you believe you have found a vulnerability, or you would like more detail on any control set out on this page, please contact us at [email protected] with the subject line [SECURITY]. We acknowledge reports within 48 hours.

See also: POPIA Compliance · Privacy Policy · Terms of Service