Security
Security by Design
VeriLex was built with security as a foundational requirement, not an afterthought. Law firms handle sensitive data, and our platform is designed to respect that responsibility.
Our Security Principles
- Least-privilege access at every layer.
- Firm-level data isolation by default.
- Server-side enforcement of sensitive operations.
- Auditability and traceability for key actions.
- Incremental hardening as the platform scales.
Access Control & Permissions
Access is scoped to a firm and refined by role (Admin, Attorney, Staff). Permissions are enforced at the database layer using Row Level Security, and the UI mirrors those rules rather than serving as the only point of enforcement.
Data Isolation & Firm Boundaries
Each firm’s data is logically isolated. Users cannot access information outside their firm, and queries are automatically scoped by firm membership with server-side enforcement.
Document Security
Documents are stored in private buckets, access is validated against firm membership, and we do not expose public document URLs. Uploads and downloads are mediated through server endpoints.
Server-Side Enforcement
Sensitive writes are handled server-side. Client apps do not get direct write access to protected tables, reducing attack surface and accidental exposure.
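The access-control, data-isolation, document-security and server-side-enforcement sections above describe one pattern: deny by default, scope every row to a firm, and keep writes off the client. The following is an added illustration of that pattern for a Supabase/Postgres backend; it is not VeriLex's own schema or policies. Table, column and bucket names (firm_members, matters, documents) are assumptions, while auth.uid(), storage.foldername() and the anon/authenticated/service_role roles are Supabase's own.

```sql
-- Added example (not VeriLex's own schema or policies): firm-scoped
-- Row Level Security for a Supabase/Postgres backend. Table, column and
-- bucket names are assumptions; auth.uid(), storage.foldername() and the
-- anon/authenticated/service_role roles are Supabase's own.

-- Membership: which user belongs to which firm, and with which role.
create table public.firm_members (
  user_id uuid not null references auth.users (id) on delete cascade,
  firm_id uuid not null,
  role    text not null check (role in ('admin', 'attorney', 'staff')),
  primary key (user_id, firm_id)
);

-- A protected table whose rows belong to exactly one firm.
create table public.matters (
  id       uuid primary key default gen_random_uuid(),
  firm_id  uuid not null,
  title    text not null
);

-- Deny by default: with RLS enabled and no matching policy, no rows are
-- visible to anon/authenticated, whatever the client asks for.
alter table public.firm_members enable row level security;
alter table public.matters      enable row level security;

-- Firms the calling user belongs to. SECURITY DEFINER lets policies consult
-- firm_members without re-entering that table's own RLS policy; the fixed
-- search_path prevents object shadowing by a caller-controlled schema.
create or replace function public.my_firm_ids()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select firm_id from public.firm_members where user_id = auth.uid();
$$;

-- Users may read only their own membership rows.
create policy "members read own membership"
  on public.firm_members for select to authenticated
  using (user_id = auth.uid());

-- Any member of a firm may read that firm's matters; nothing else is visible.
create policy "firm members read matters"
  on public.matters for select to authenticated
  using (firm_id in (select public.my_firm_ids()));

-- Server-side enforcement: no insert/update/delete policies exist for client
-- sessions, and the privileges are revoked outright so that a future,
-- over-broad policy still cannot grant a direct client write.
revoke insert, update, delete on public.matters      from anon, authenticated;
revoke insert, update, delete on public.firm_members from anon, authenticated;
-- Writes go through a server endpoint using the service_role key. That role
-- bypasses RLS, so the endpoint must itself verify the caller's firm and role
-- (for example against firm_members) before touching a row.

-- Document security: a private bucket, objects stored under <firm_id>/...,
-- readable only by members of that firm. No public URLs exist for it.
insert into storage.buckets (id, name, public)
values ('documents', 'documents', false);

create policy "firm members read firm documents"
  on storage.objects for select to authenticated
  using (
    bucket_id = 'documents'
    and (storage.foldername(name))[1]
        in (select firm_id::text from public.my_firm_ids() as firm_id)
  );
-- As with tables, no client-side insert policy: uploads are accepted by a
-- server endpoint that validates membership and writes the object under the
-- caller's firm prefix.
```

Two points worth checking in any deployment of this shape: the service_role key must exist only on the server, since it bypasses every policy above, and each policy should be exercised with a second firm's session to confirm that cross-firm reads return zero rows rather than an error the client could learn from.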
Authentication & Account Security
Authentication is handled through Supabase Auth with email-based verification and recovery flows. Sessions are managed with expiration and refresh, and firm access is invite-only during beta.
What This Does — and Does Not — Mean
VeriLex is not yet SOC 2 certified. Our security posture reflects the current architecture and continues to evolve as the platform grows.
Security Roadmap
Planned work includes continuous hardening, expanded audit logging, and formal compliance pathways (including SOC 2) as the platform matures.