Reflekt Legal

Reflekt Legal Security Policy

Last Updated: May 2025

At Reflekt Legal, we take the security of our platform and the protection of our customers' data seriously. This document outlines the technical and organizational measures we employ to safeguard information processed by our application.


Infrastructure & Hosting

  • Our application is hosted on Google Cloud Platform (GCP) with separate deployments for US and Canadian jurisdictions.

  • Production environments are containerized using Docker and deployed with infrastructure-as-code practices.

  • Base images are regularly rebuilt from the latest patched upstream sources and scanned for known OS-level vulnerabilities.

Encryption

In Transit

All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher. HTTPS is required for all production traffic. Webhook endpoints are validated to require HTTPS.

At Rest

Data stored in our databases and cloud storage is encrypted at rest using GCP's default encryption (AES-256).

Secrets Management

Application secrets and API credentials are injected through environment variables and loaded into Pydantic SecretStr fields, which mask the value in logs, tracebacks and string representations to prevent accidental exposure. Secrets are never committed to source control.

Authentication & Session Management

  • User passwords are hashed using bcrypt via passlib's CryptContext with automatic algorithm deprecation handling.

  • Authentication is handled via stateless JSON Web Tokens (JWT) signed with HS256. Access tokens have configurable time-to-live (TTL) expiration.

  • Refresh tokens are persisted server-side and validated against both the JWT signature and the stored database record on each refresh request.

  • No sensitive authentication data is stored in browser cookies.
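The token scheme described in the bullets above, as an added stand-alone illustration (not Reflekt Legal's own code): HS256 access and refresh tokens with an explicit TTL, verification that pins the algorithm and compares the HMAC in constant time, and a refresh step that must pass both the signature check and a lookup against a stored record. The signing key, token claims and in-memory refresh store are assumptions for the demo; the stdlib is used in place of a JWT library.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SIGNING_KEY = b"demo-hs256-key-not-for-production"  # constructed; a real key is an injected secret
REFRESH_STORE: dict = {}  # stand-in for the server-side refresh token table: jti -> subject

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, ttl_seconds: int, kind: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT; ttl_seconds is the configurable TTL, kind is 'access' or 'refresh'."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl_seconds,
                                  "kind": kind, "jti": secrets.token_hex(8)}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload only if alg is HS256, the HMAC matches and exp is still in the future."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(payload, dict):
        return None  # the algorithm is pinned server-side; the token's alg is never trusted
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return payload if payload.get("exp", 0) > now else None

def issue_refresh(sub: str, now: Optional[int] = None) -> str:
    """Mint a refresh token and persist its jti so it can be validated and revoked later."""
    token = mint_token(sub, 30 * 24 * 3600, "refresh", now)
    REFRESH_STORE[verify_token(token, now)["jti"]] = sub
    return token

def refresh_access(refresh_token: str, now: Optional[int] = None) -> Optional[str]:
    """A refresh must pass the signature/expiry check AND match the stored database record."""
    payload = verify_token(refresh_token, now)
    if payload is None or payload.get("kind") != "refresh":
        return None
    sub = payload.get("sub")
    if not sub or REFRESH_STORE.get(payload.get("jti")) != sub:  # unknown or revoked record
        return None
    return mint_token(sub, 15 * 60, "access", now)
```

Deleting a row from REFRESH_STORE revokes that refresh token immediately, while already-issued access tokens simply expire at their TTL.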

Access Control

Role-Based Access Control (RBAC)

Users are assigned roles (Manager, Support, etc.) scoped to specific projects. Route-level enforcement restricts endpoints to authorized roles.

Multi-Tenancy Isolation

All data access is scoped by project membership. Database queries join against a project membership table to verify authorization before returning any data. Users cannot access data belonging to projects they are not members of.
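As an added illustration of the role checks and membership-scoped queries described in the two sections above (not the project's own code): the stdlib sqlite3 module stands in for the SQLAlchemy ORM, every read joins a project membership table, and all values are bound as parameters. The table and column names, roles and sample rows are assumptions constructed for the demo.

```python
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE project_members (project_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
                              role TEXT NOT NULL, PRIMARY KEY (project_id, user_id));
CREATE TABLE leads (id INTEGER PRIMARY KEY, project_id INTEGER NOT NULL, summary TEXT NOT NULL);
"""
# Constructed sample data: user 1 is a Manager on project 10 only; user 2 is Support on project 20.
SEED = [
    ("INSERT INTO project_members VALUES (?, ?, ?)", [(10, 1, "Manager"), (20, 2, "Support")]),
    ("INSERT INTO leads VALUES (?, ?, ?)", [(100, 10, "Firm A intake"), (200, 20, "Firm B intake")]),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SEED:
        conn.executemany(sql, rows)
    return conn

def list_leads(conn: sqlite3.Connection, user_id: int, project_id: int) -> list:
    """Tenant scoping: the join on project_members means rows come back only for projects
    the caller belongs to. Values are bound as parameters, never formatted into the SQL."""
    return conn.execute(
        """SELECT l.id, l.summary FROM leads l
           JOIN project_members m ON m.project_id = l.project_id AND m.user_id = ?
           WHERE l.project_id = ? ORDER BY l.id""",
        (user_id, project_id),
    ).fetchall()

def get_lead(conn: sqlite3.Connection, user_id: int, lead_id: int) -> Optional[tuple]:
    """Object-level check: even a direct lookup by id joins membership, so an id that
    belongs to another tenant yields None instead of leaking the row."""
    return conn.execute(
        """SELECT l.id, l.project_id, l.summary FROM leads l
           JOIN project_members m ON m.project_id = l.project_id
           WHERE l.id = ? AND m.user_id = ?""",
        (lead_id, user_id),
    ).fetchone()

def has_role(conn: sqlite3.Connection, user_id: int, project_id: int, allowed: set) -> bool:
    """Route-level RBAC: the caller's role is looked up for this project only."""
    row = conn.execute("SELECT role FROM project_members WHERE project_id = ? AND user_id = ?",
                       (project_id, user_id)).fetchone()
    return row is not None and row[0] in allowed
```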

Third-Party OAuth

Integrations with external platforms (e.g., Clio) use OAuth 2.0 Authorization Code Flow with support for PKCE. OAuth tokens are stored securely and refreshed automatically.

Application Security

  • SQL Injection: All database interactions use SQLAlchemy ORM with parameterized queries. No raw SQL string concatenation is used.

  • Input Validation: All API request bodies are validated through Pydantic schema models, rejecting malformed or unexpected input.

  • CSRF: The application uses Bearer token authentication via HTTP headers rather than cookies. Because browsers do not attach Authorization headers automatically to cross-site requests, this is inherently resistant to cross-site request forgery attacks.

  • Rate Limiting: Authentication and sensitive endpoints are protected by rate limiting (slowapi) on a per-IP basis to prevent brute-force attacks.

  • Dependency Management: All Python dependencies are pinned to specific versions via a compiled lockfile. Dependencies are reviewed and updated regularly to address known vulnerabilities.

Vulnerability Management

We monitor CVE databases and security advisories for vulnerabilities affecting our dependencies and infrastructure.

Remediation Timelines

  • Critical / High severity: 7 days

  • Medium severity: 30 days

  • Low severity: 90 days

Security researchers can report vulnerabilities by contacting [email protected].

Monitoring, Logging & Auditing

  • Error Monitoring: Application errors are tracked in real-time via Sentry.

  • Structured Logging: All application logs are structured (JSON) and shipped to Google Cloud Logging for centralized analysis and retention.

  • AI Observability: LLM interactions are traced and logged via Logfire and LangSmith for auditability and performance monitoring.

  • Metrics: Application performance and availability metrics are collected via Prometheus.

  • Audit Trails: Security-relevant events including login attempts and lead lifecycle events are recorded in dedicated audit tables with timestamps and metadata.

AI & Data Processing

  • Our AI-powered features use OpenAI as the LLM provider for real-time conversation handling.

  • Customer data is processed transiently by the LLM provider during intake conversations and is not used to train or fine-tune models, per our enterprise API agreements.

  • AI inputs and outputs are logged for quality assurance and auditability.

  • Personal data processed by AI is limited to what is necessary for the intake conversation: names, contact information, and conversation content.

Data Residency

  • The application is deployed as separate instances for US and Canadian jurisdictions (us-app.reflektlegal.ai and ca-app.reflektlegal.ai), each with its own database and infrastructure.

  • Third-party API calls are routed to region-appropriate endpoints where supported.

Incident Response

  • We maintain a documented incident response procedure covering identification, containment, eradication, recovery, and post-incident review.

  • In the event of a data breach affecting customer data, affected customers will be notified in accordance with applicable legal requirements.

  • Security incidents can be reported to [email protected].

Subprocessors

The following third-party services process data as part of our platform operations:

Provider                   Purpose
Google Cloud Platform      Cloud hosting, storage, logging
OpenAI                     LLM processing for AI features
Twilio                     SMS and voice communications
SendGrid                   Transactional email delivery
ElevenLabs                 Voice AI synthesis
Stripe                     Payment processing
Sentry                     Error monitoring
Cloudflare                 DNS and CDN
DocuSign                   Electronic signatures
Clio / Clio Grow           Legal practice management integration

Compliance

  • We process Canadian personal information in accordance with PIPEDA (Personal Information Protection and Electronic Documents Act).

  • For US users, we comply with applicable state privacy laws including CCPA (California Consumer Privacy Act).

  • Data processing is limited to what is necessary for the services provided, and users may request access to or deletion of their personal data.


Contact

For security-related inquiries or to report a vulnerability: [email protected]


© 2026 Reflekt Legal. All rights reserved.