LAST UPDATED NOVEMBER 08, 2022

Security Policy

Defense in Depth

LegalMate employs a "defense in depth" strategy for information security. Multiple layers of security controls work together to stop an attacker from escalating unauthorized access. Redundant controls provide secondary and tertiary layers of defense, so that an exploited vulnerability in any single layer does not lead to full-scale system compromise.

At LegalMate, this is accomplished through network firewalls, industry-standard encryption, secure development practices, access controls, and vulnerability disclosure.

Network Security

Cloud Hosting

LegalMate uses cloud computing to host all components of its technical infrastructure. Our strategy does not allow for on-premises or hybrid hosting. LegalMate uses the Heroku platform (Salesforce.com) as its hosting provider.

Cloud Service Provider

LegalMate applications run on the Heroku platform (Salesforce.com). Heroku is audited regularly and maintains PCI, HIPAA, ISO, and SOC compliance. Learn more at the Heroku compliance center.

Firewalls

Firewalls restrict access to LegalMate systems from external networks, as well as between systems internally. All access is denied by default; only the ports and protocols explicitly required by a business need are allowed. Each system is assigned a security group that limits access to the ports and protocols required for that system's specific function.

DDoS Mitigation

LegalMate infrastructure relies on DDoS mitigation provided by the Heroku platform (Salesforce.com). Mitigation techniques include TCP SYN cookies and connection rate limiting, as well as maintaining multiple backbone connections and internal capacity that exceeds the bandwidth supplied by Internet carriers. The Heroku platform team monitors network events and enables DDoS mitigation controls when needed.

Port Scanning

Port scanning is prohibited, and reported incidents are investigated by Heroku as the platform infrastructure provider. Attempted port scans result in the source being added to a network blacklist and its access revoked.

Data Security

Application Security

LegalMate Inc applications run in isolated environments, preventing access to other running applications or areas of the system. Application containers are provided via LXC, isolating processes, memory, and file system usage. Host-based firewalls restrict applications from establishing local network connections.

Encrypt Data in Transit

All LegalMate services enforce Transport Layer Security (TLS) 1.2 or higher, both over the Internet and for internal network traffic. Connection attempts using a TLS version below 1.2 are rejected.

Encrypt Sensitive Data at Rest

All LegalMate data is encrypted at rest with AES-256, block-level storage encryption via Amazon EBS. Encryption keys are managed by Amazon.

Database backups are stored in encrypted S3 buckets in the US region.

Secure Development Practices

Applications developed at LegalMate are required to undergo an internal security audit, led by our Chief Technology Officer, before any major change is released.

Developers at LegalMate are required to complete security training as part of their onboarding, and receive periodic security training updates as part of normal operations. Security training emphasizes the OWASP Top 10 Web Application Security Risks, as well as the principles of defense in depth and privacy by design.

Development Stages

Developers at LegalMate utilize a defined Build and Release Process which details our continuous integration and deployment (CI/CD) pipeline and procedures.

Changes are deployed in isolated "review apps" which have their own database, cache, and other resources. Once changes are approved and merged into the main branch, main is automatically deployed to our Staging environment (https://hermes-stage.legalmate.co).

After successful testing in Staging, the build will be promoted to Production (https://ocr.legalmate.co).

Quality Checks

Unit tests, integration tests, auto-formatting, and static code checks must all pass before changes are merged and promoted to production.

Version control

LegalMate Inc uses the git source control management system, with GitHub for hosted access. The HEAD commit of the main branch is always in a deployable state.

Deployments

Releases are built on the build server, resulting in a releasable artifact (a "slug"), which can be deployed to any configured application environment.

The LegalMate IT Operations team uses Heroku Pipelines to manage deployment stages. Build artifacts are "promoted" from Staging to Production without rebuilding the application, so the bits tested in Staging are the bits that run in Production. Build promotions are initiated from the LegalMate Slack channel #engineering so that the operations team is aware of relevant changes as they happen.

Database Access

Customer data is stored in access-controlled databases that require a unique username and password per client. Database connections require TLS (SSL) encryption.

Security Monitoring

Supply Chain Security

We use Dependabot automated scanning and alerts to continuously monitor LegalMate technical dependencies.

This automated scanning provides continuous dependency vulnerability monitoring drawing on the GitHub Advisory Database, a curated list of security vulnerabilities built from the National Vulnerability Database, the npm security advisories database, security advisories reported on GitHub, and additional machine learning and human review.

Vulnerability Management

Severity Levels

LegalMate uses the industry-standard Common Vulnerability Scoring System (CVSS) to score security vulnerabilities, and the qualitative severity rating scale in Section 5 of the CVSS v3.x specification to bucket the numeric score. The policy's "Moderate" level corresponds to the CVSS "Medium" band:

  • Low (0.1 to 3.9)
  • Moderate (4.0 to 6.9; "Medium" in CVSS)
  • High (7.0 to 8.9)
  • Critical (9.0 to 10.0)

Disclosure

Security vulnerabilities can be reported to security@legalmate.co.

Confirmed vulnerabilities are reported to each account's administrator via the email address on file.

Patching

Vulnerabilities are patched in a timely manner according to their severity level. Timelines are measured from the date the vulnerability was reported (or discovered):

Low - No specified time-line (discretionary)

Moderate - Up to 1 month

High - Up to 2 weeks

Critical - Up to 48 hours

Access Management

Access to Customer Data

LegalMate staff do not use or interact with customer data as part of normal operations. There may be cases where LegalMate staff are required to access customer data at the request of the customer for support purposes, or where required by law. Access to customer data is controlled and requires a customer or governmental mandate, a stated reason for access, a log of the actions taken by staff, and logging of start and end times.

Access Controls

Only authorized individuals with a clear and justified business need have access to any end-user data. Access control lists are maintained in an Access Control List document stored securely in Google Cloud. The ACL document is modifiable only by the Information Security Officer (Anson MacKeracher, anson@legalmate.co).

Access is granted on a need-to-have basis, and requires a defined business need. Access requests are reviewed, adjudicated, granted, or revoked by LegalMate's Information Security Officer (Anson MacKeracher).

Authentication

LegalMate employees are required to use username/password authentication, and to enable multi-factor authentication (also called two-factor authentication, or 2FA), where possible. Services which allow enforcement of 2FA are configured to require it.

In particular, employee identity management (Google) and cloud hosting provider (Heroku) both enforce 2FA.

Privacy

We take steps to protect the privacy of our customers and protect the data stored within LegalMate infrastructure.

Limiting Collected Data

LegalMate applies the principle of data minimization (the "principle of least privilege" applied to data collection), limiting collection to only the data required for the operation of the service. Information is collected by fair and lawful means, with the consent of the data-providing party.

Limiting Use and Disclosure

Unless the individual consents otherwise, personal information can only be used or disclosed for the purposes for which it was collected.

Browser Technology, Anti-CSRF

LegalMate enforces TLS >= 1.2, requiring HTTPS connections to all LegalMate web properties. For additional security, HTTP cookies carry the HttpOnly attribute (so page scripts cannot read them) as well as the Secure attribute (so browsers never send them over plain HTTP).

LegalMate uses the synchronizer token pattern to protect against CSRF: a per-session secret token is embedded in forms and verified server-side on state-changing requests.

Sessions

Session data is not stored on client devices; it is held in secure server-side session storage within LegalMate infrastructure, and the browser holds only an opaque session identifier. Sessions expire after 12 hours of inactivity.

Bring Your Own Device (BYOD)

All employees of LegalMate must utilize corporate-provided hardware and devices to carry out business and/or technical operations, and are not allowed to use their own personal devices for such tasks. Hardware devices are provided by LegalMate to all staff for such purposes.

This applies to full- and part-time employees, as well as contractors.