The short version: every call, every document, and every client name your firm puts into Alfredi is protected by industry-standard encryption, kept isolated from every other firm on the platform, accessed only by people you authorize, and logged so you can see exactly who did what.
If something here raises a question, write to hello@withalfredi.com. We answer everything.
What we encrypt, and how
In transit
Every connection to Alfredi uses TLS 1.3 over HTTPS. Anything moving between your firm’s browser, our servers, our database, and our sub-processors is encrypted end-to-end.
At rest
The Alfredi database uses AES-256 encryption on disk. Database backups are encrypted with the same standard. Document uploads are encrypted before they are stored.
Secrets
Your firm’s credentials, our integration keys, and our signing keys are stored in a managed secrets vault separate from the application code. No secrets live in the codebase, in our public Git history, or in any container image.
How we keep firms separate
Every record in Alfredi — every call, matter, document, conflict check, calendar event — is stamped with a firm ID at the database level. Every query is filtered by the requesting user’s firm before a single row is returned. This is enforced in two places: in the application code and in the data schema.
The result: it is structurally impossible for a user at Firm A to retrieve, view, or even count records belonging to Firm B. We test this isolation in our automated test suite on every code change.
Our internal architecture decision records (most recently ADR 0012) document the document-access control model end to end, including the gaps we identified and closed in May 2026.
How we control who can do what
Authentication
Every Alfredi user signs in with email and password. Session cookies are HttpOnly (not readable by JavaScript) and Secure (only sent over HTTPS). Login attempts are throttled to prevent credential-stuffing and brute-force attacks.
Authorization
Permissions are role-based. Partners can edit firm settings; staff cannot. Privileged document access (matter notes, retainer files, sensitive correspondence) sits behind a separate privilege gate above the regular permission check — and every download is logged with the user, timestamp, and IP.
Multi-factor authentication
Rolling out to all firm administrators. We will update this page when MFA enforcement goes from optional to required.
Super-administrator separation
Alfredi’s internal support team does not see firm data by default. The narrow cases where we need access (a debugging request from your firm) require an explicit super-administrator session with every action logged and visible to your firm’s primary contact.
Audit logging
For each firm, Alfredi retains a tamper-evident log of:
- Every sign-in and failed sign-in attempt
- Every document download
- Every change to firm settings, user permissions, or feature flags
- Every privileged action by Alfredi support staff
Logs are retained for 24 months and exportable on request.
Where your data lives
Region: Alfredi is hosted on Railway, US West region, on infrastructure inheriting SOC 2 Type II compliance at the provider level.
Canadian data residency: AWS Canada Central (ca-central-1) residency is on our roadmap. If your firm needs Canadian residency now, please write to us — we work with each firm on a case-by-case basis.
Sub-processors: the third parties that touch your data are listed below. We do not add a sub-processor without 30 days’ advance notice to existing customers.
| Sub-processor | Purpose | Region |
|---|---|---|
| Railway | Application hosting and Postgres database | US (Oregon) |
| Anthropic | Language model for call handling and intake reasoning | US |
| Twilio | Phone numbers, voice, SMS | US (Canadian numbers provisioned on request) |
| Vapi | Voice handling infrastructure | US |
| Microsoft Graph | Calendar & email access for firms on Microsoft 365 (only where your firm enables it) | Your firm’s M365 tenant region |
| Google Workspace | Calendar & email access for firms on Google Workspace (only where your firm enables it) | Your firm’s Google Workspace region |
| Resend | Transactional email delivery | US |
Integrations with your firm’s systems
Alfredi runs alongside whatever practice management system your firm uses — Clio, LEAP, MyCase, or none at all — with nothing to migrate. It also integrates directly with CosmoLex: when your firm connects it, Alfredi and CosmoLex exchange the matter-level information needed to keep your front desk and your case system in step — for example, a matter opened in CosmoLex is reflected in Alfredi.
That connection is opt-in and stays under your control. It runs on access your firm authorizes, the information it exchanges is encrypted in transit like everything else on the platform, and you can disconnect it at any time. On the demo we walk through exactly what the integration reads and writes for your firm before you turn it on.
How we handle vulnerabilities
We welcome reports from researchers and customers.
- Contact: hello@withalfredi.com
- Disclosure file: /security.txt (RFC 9116 format)
- Acknowledgment timeline: we acknowledge any responsibly-disclosed vulnerability within five business days, with a substantive response shortly after.
- No legal action against good-faith researchers who follow our disclosure policy.
How we handle a breach
We follow a written Incident Response Plan that meets the requirements of PIPEDA (federal) and Alberta PIPA. In summary:
- Detect and contain — typically within hours of a credible indicator.
- Assess scope — what was accessed, by whom, for how long.
- Notify — within 72 hours of confirmation, we notify the Office of the Privacy Commissioner of Canada and any affected firms. We provide affected firms with the facts they need to notify their own clients, in coordination with the firm’s privacy counsel.
- Recover — apply the permanent fix, rotate any compromised credentials, restore service.
- Post-mortem — written, blameless, shared with the firm within 14 days.
Where we are heading
Security is a roadmap, not a finish line — and we’d rather show you ours than overstate where we are. In order:
- Now: independent third-party penetration test; mandatory two-factor authentication for all firm administrators; a tabletop exercise of our incident response plan.
- Next: SOC 2 Type I readiness assessment, then a SOC 2 Type I report.
- After that: SOC 2 Type II report.
- On the roadmap: AWS Canada Central (ca-central-1) data residency.
As each milestone lands, this page updates with the date and the report or summary.
Questions? Anything not covered above — write to hello@withalfredi.com. For procurement and DPA review we have a sub-processor list, a data-processing addendum, and a security overview deck on file. Ask and we’ll send all three.
Walk through the specifics on the demo.
We dedicate the second half of any demo call to your firm’s security and confidentiality questions.