Security Statement

LegalCaseManager is designed as a closed, secure information system purpose-built for handling sensitive legal case data. We implement multiple layers of security to protect the confidentiality, integrity, and availability of your information.

Data in Transit: All communications between your browser and our servers are encrypted using TLS 1.2+ (HTTPS). No unencrypted connections are accepted.

Data at Rest: All data stored in our databases and file storage systems is encrypted at rest using AES-256 encryption.

Passwords: User passwords are never stored in plain text. They are hashed using bcrypt with a cost factor of 12 before storage.

• Authentication: All users must authenticate via email and OTP (One-Time Password) verification on every login
• Device Sessions: Active device sessions are tracked and limited based on subscription plan
• Role-Based Access: Admin functions are restricted to authorised administrators only
• Case-Level Isolation: Users can only access their own cases and data. Collaborators have restricted, read-limited access
• Session Timeouts: Database connections use short idle timeouts to minimise exposure

All significant actions within the platform are logged to a comprehensive audit trail:

• Record creation, modification, and deletion events
• User login and logout timestamps
• Device session creation and termination
• Data export requests and approvals
• Administrative actions (user activation/deactivation, record restoration)

Audit logs are retained for a minimum of 12 months and are available for forensic investigation if required.

LegalCaseManager implements strict multi-tenant data isolation:

• Every database query is scoped to the authenticated user’s ID
• Cross-user data access is architecturally prevented at the application layer
• Collaborators have strictly limited, read-only access to shared cases only
• File storage uses per-user prefixes to prevent cross-user file access

To prevent accidental or malicious permanent data loss:

• All deletions are “soft-deletes” — records are marked as archived rather than permanently removed
• Archived records can be restored by administrators via the Admin Dashboard
• All deletion actions are recorded in the audit log with the user identity and timestamp
• Permanent data purge occurs only after a defined retention period or explicit written request

Unauthorised access to this system is prohibited.

Any person who intentionally and without authority accesses, intercepts, or interferes with data in this system may be prosecuted under:

• Cybercrimes Act 19 of 2020 — Sections 2 (unlawful access), 3 (unlawful interception), 4 (unlawful acts in respect of software or hardware tool), 5 (unlawful interference with data or computer program)
• Electronic Communications and Transactions Act 25 of 2002
• Protection of Personal Information Act 4 of 2013

We reserve the right to investigate suspected unauthorised access and to cooperate with law enforcement agencies.

To report a security vulnerability or incident:

Email: [email protected]

Subject line: [SECURITY] — followed by a brief description

We commit to acknowledging security reports within 48 hours and providing a substantive response within 7 business days.