Home  /  Security & data handling
Security & data handling

How we protect your firm’s data.

Law firms carry higher security obligations than almost any other industry. We built Alfredi knowing that on day one. This page is the long answer.

The short version: every call, every document, and every client name your firm puts into Alfredi is protected by industry-standard encryption, kept isolated from every other firm on the platform, accessed only by people you authorize, and logged so you can see exactly who did what.

If something here raises a question, write to hello@withalfredi.com. We answer everything.

What we encrypt, and how

In transit

Every connection to Alfredi uses TLS 1.3 over HTTPS. Anything moving between your firm’s browser, our servers, our database, and our sub-processors is encrypted end-to-end.

At rest

The Alfredi database uses AES-256 encryption on disk. Database backups are encrypted with the same standard. Document uploads are encrypted before they are stored.

Secrets

Your firm’s credentials, our integration keys, and our signing keys are stored in a managed secrets vault separate from the application code. No secrets live in the codebase, in our public Git history, or in any container image.

How we keep firms separate

Every record in Alfredi — every call, matter, document, conflict check, calendar event — is stamped with a firm ID at the database level. Every query is filtered by the requesting user’s firm before a single row is returned. This is enforced in two places: in the application code and in the data schema.

The result: it is structurally impossible for a user at Firm A to retrieve, view, or even count records belonging to Firm B. We test this isolation in our automated test suite on every code change.

Our internal architecture decision records (most recently ADR 0012) document the document-access control model end to end, including the gaps we identified and closed in May 2026.

How we control who can do what

Authentication

Every Alfredi user signs in with email and password. Session cookies are HttpOnly (not readable by JavaScript) and Secure (only sent over HTTPS). Login attempts are throttled to prevent credential-stuffing and brute-force attacks.

Authorization

Permissions are role-based. Partners can edit firm settings; staff cannot. Privileged document access (matter notes, retainer files, sensitive correspondence) sits behind a separate privilege gate above the regular permission check — and every download is logged with the user, timestamp, and IP.

Multi-factor authentication

Rolling out to all firm administrators. We will update this page when MFA enforcement goes from optional to required.

Super-administrator separation

Alfredi’s internal support team does not see firm data by default. The narrow cases where we need access (a debugging request from your firm) require an explicit super-administrator session with every action logged and visible to your firm’s primary contact.

Audit logging

For each firm, Alfredi retains a tamper-evident log of:

Logs are retained for 24 months and exportable on request.

Where your data lives

Region: Alfredi is hosted on Railway, US West region, on infrastructure inheriting SOC 2 Type II compliance at the provider level.

Canadian data residency: AWS Canada Central (ca-central-1) residency is on our roadmap. If your firm needs Canadian residency now, please write to us — we work with each firm on a case-by-case basis.

Sub-processors: the third parties that touch your data are listed below. We do not add a sub-processor without 30 days’ advance notice to existing customers.

Sub-processorPurposeRegion
RailwayApplication hosting and Postgres databaseUS (Oregon)
AnthropicLanguage model for call handling and intake reasoningUS
TwilioPhone numbers, voice, SMSUS (Canadian numbers provisioned on request)
VapiVoice handling infrastructureUS
Microsoft GraphCalendar & email access for firms on Microsoft 365 (only where your firm enables it)Your firm’s M365 tenant region
Google WorkspaceCalendar & email access for firms on Google Workspace (only where your firm enables it)Your firm’s Google Workspace region
ResendTransactional email deliveryUS

Integrations with your firm’s systems

Alfredi runs alongside whatever practice management system your firm uses — Clio, LEAP, MyCase, or none at all — with nothing to migrate. It also integrates directly with CosmoLex: when your firm connects it, Alfredi and CosmoLex exchange the matter-level information needed to keep your front desk and your case system in step — for example, a matter opened in CosmoLex is reflected in Alfredi.

That connection is opt-in and stays under your control. It runs on access your firm authorizes, the information it exchanges is encrypted in transit like everything else on the platform, and you can disconnect it at any time. On the demo we walk through exactly what the integration reads and writes for your firm before you turn it on.

How we handle vulnerabilities

We welcome reports from researchers and customers.

How we handle a breach

We follow a written Incident Response Plan that meets the requirements of PIPEDA (federal) and Alberta PIPA. In summary:

  1. Detect and contain — typically within hours of a credible indicator.
  2. Assess scope — what was accessed, by whom, for how long.
  3. Notify — within 72 hours of confirmation, we notify the Office of the Privacy Commissioner of Canada and any affected firms. We provide affected firms with the facts they need to notify their own clients, in coordination with the firm’s privacy counsel.
  4. Recover — apply the permanent fix, rotate any compromised credentials, restore service.
  5. Post-mortem — written, blameless, shared with the firm within 14 days.

Where we are heading

Security is a roadmap, not a finish line — and we’d rather show you ours than overstate where we are. In order:

As each milestone lands, this page updates with the date and the report or summary.

Questions? Anything not covered above — write to hello@withalfredi.com. For procurement and DPA review we have a sub-processor list, a data-processing addendum, and a security overview deck on file. Ask and we’ll send all three.

Walk through the specifics on the demo.

We dedicate the second half of any demo call to your firm’s security and confidentiality questions.

Book a demo

Last updated: 2026-06-14 · Responsible disclosure: /security.txt