Security
Built for what privileged material demands.
Law-firm data — client identifying information, matter content, trust ledger — is material whose mishandling can end a firm. The studio treats it that way from day one.
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest on Postgres and on the immutable off-site backup bucket. Passwords stored as bcrypt with cost factor 12 — never recoverable.
Row-level tenant isolation
Every tenant-scoped table carries a PostgreSQL row-level security (RLS) policy that admits only the active tenant's rows, enforced by the database rather than by application code. A cross-tenant query is unreachable, not just unauthorized: it returns no rows even if the application layer has a bug.
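What that policy looks like in practice, as an added illustration rather than the studio's own schema: a tenant-scoped table, an RLS policy keyed on a per-transaction setting, and a cross-tenant read and write that both fail closed. The table name `matters`, the setting name `app.tenant_id`, the role `app_user`, and the two tenant UUIDs are assumptions for the example.

```sql
-- Added example, not the studio's schema. Assumed names: matters,
-- app.tenant_id, app_user. Runs in psql as a superuser on PostgreSQL 11+.
CREATE TABLE matters (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  title     text NOT NULL
);

-- ENABLE turns RLS on; FORCE binds even the table owner to the policy.
ALTER TABLE matters ENABLE ROW LEVEL SECURITY;
ALTER TABLE matters FORCE ROW LEVEL SECURITY;

-- The application role owns nothing and cannot bypass RLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON matters TO app_user;
GRANT USAGE, SELECT ON SEQUENCE matters_id_seq TO app_user;

-- One policy for every command. current_setting(name, true) returns NULL
-- when the setting is unset, and NULL::uuid = tenant_id is NULL (not true),
-- so a request that forgot to set the tenant sees zero rows, not all rows.
CREATE POLICY tenant_isolation ON matters
  FOR ALL TO app_user
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Constructed sample data for two tenants.
INSERT INTO matters (tenant_id, title) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Acme v. Smith'),
  ('22222222-2222-2222-2222-222222222222', 'Estate of Jones');

-- Per request: set the tenant inside the transaction. The third argument
-- (is_local = true) scopes the value to this transaction, so a pooled
-- connection cannot carry one tenant's id into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

-- Returns only 'Acme v. Smith'.
SELECT title FROM matters;

-- Explicit cross-tenant read: 0 rows, no error, nothing to enumerate.
SELECT title FROM matters
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';

-- Cross-tenant write: rejected by WITH CHECK with
-- "new row violates row-level security policy for table "matters"".
INSERT INTO matters (tenant_id, title)
  VALUES ('22222222-2222-2222-2222-222222222222', 'Smuggled');
ROLLBACK;
```

Two checks worth running against any RLS deployment of this shape: confirm `relforcerowsecurity` is true for every tenant-scoped table (`SELECT relname FROM pg_class WHERE relrowsecurity AND NOT relforcerowsecurity;` should return nothing), and confirm the application's login role has neither `SUPERUSER` nor `BYPASSRLS` in `pg_roles`, since either silently disables every policy above.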
Mandatory MFA
Every Firm User enrolls in time-based one-time password (TOTP) MFA on first login. SMS is intentionally not offered as a second factor, because of SIM-swap and interception risk.
Role-based permissions
Owners + Office Admins manage roles. Every mutating endpoint is independently permission-gated on the server, so a misconfigured or hidden UI control can't grant access the server-side check would deny.
Auditable by default
Every successful create, update, and delete writes an audit row with actor, IP, user-agent, action, entity, and entity ID, in the same transaction as the change, so an audited row and its audit entry commit or roll back together. Owners view the timeline under Firm Settings → Audit Log.
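One way to make that guarantee hold at the database rather than trusting every code path to remember it, added here as an example and not the studio's own implementation: an append-only audit table written by an `AFTER` trigger on each audited table. The `audit_log` and `matters` names, the `app.actor_id` / `app.client_ip` / `app.user_agent` settings, and the `app_user` role are assumptions for the example.

```sql
-- Added example, not the studio's code. Assumes a `matters` table with a
-- bigint `id` column and an `app_user` application role already exist.
CREATE TABLE audit_log (
  id         bigserial PRIMARY KEY,
  at         timestamptz NOT NULL DEFAULT now(),
  actor_id   uuid,
  client_ip  inet,
  user_agent text,
  action     text NOT NULL CHECK (action IN ('INSERT', 'UPDATE', 'DELETE')),
  entity     text NOT NULL,
  entity_id  bigint NOT NULL,
  old_row    jsonb,
  new_row    jsonb
);

-- Append-only from the application's point of view: app_user gets no
-- privilege at all on audit_log. Only the SECURITY DEFINER trigger below,
-- which runs as the table owner, can write to it.
REVOKE ALL ON audit_log FROM PUBLIC;
REVOKE ALL ON audit_log FROM app_user;

CREATE OR REPLACE FUNCTION audit_row() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, public   -- pin search_path for a definer function
AS $$
BEGIN
  INSERT INTO audit_log
    (actor_id, client_ip, user_agent, action, entity, entity_id, old_row, new_row)
  VALUES (
    -- Request context the app sets per transaction via set_config(..., true).
    -- nullif() turns an unset/empty value into NULL instead of a cast error.
    nullif(current_setting('app.actor_id',   true), '')::uuid,
    nullif(current_setting('app.client_ip',  true), '')::inet,
    nullif(current_setting('app.user_agent', true), ''),
    TG_OP,                                  -- 'INSERT' | 'UPDATE' | 'DELETE'
    TG_TABLE_NAME,                          -- entity
    CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
    CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
    CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
  );
  RETURN NULL;  -- AFTER row trigger: return value is ignored
END
$$;

-- Attach once per audited table. Because it is an AFTER trigger in the same
-- transaction, a rolled-back change leaves no audit row, and a committed one
-- cannot commit without its audit row.
CREATE TRIGGER matters_audit
  AFTER INSERT OR UPDATE OR DELETE ON matters
  FOR EACH ROW EXECUTE FUNCTION audit_row();

-- Per-request context, set by the application alongside the tenant id.
BEGIN;
SELECT set_config('app.actor_id',   '33333333-3333-3333-3333-333333333333', true);
SELECT set_config('app.client_ip',  '203.0.113.7', true);          -- constructed
SELECT set_config('app.user_agent', 'Mozilla/5.0 (example)', true); -- constructed
UPDATE matters SET title = 'Acme v. Smith (amended)' WHERE id = 1;
COMMIT;

-- The timeline an Owner would see: one UPDATE row with before/after images.
SELECT at, actor_id, client_ip, action, entity, entity_id,
       old_row->>'title' AS before, new_row->>'title' AS after
  FROM audit_log ORDER BY at;
```

The caveat a practitioner should keep in mind: the actor, IP, and user-agent columns record what the application placed in the session settings, so the trigger makes the audit trail complete and tamper-resistant from the application role, but its attribution is only as trustworthy as the middleware that sets those values.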
Backups + restore drills
Continuous point-in-time recovery plus daily snapshots copied to a separate immutable bucket. Test restores happen quarterly and are documented and signed off.
GLBA Safeguards alignment
Our controls map to the FTC Safeguards Rule (16 C.F.R. §314.4(a)–(h)) — qualified individual, written program, risk assessment, technical safeguards, testing, training, service-provider oversight, and incident response. The mapping is laid out in detail on the Security Practices legal document.
Texas §521.053 breach notification
When a breach of system security affecting a firm's data occurs, we notify the affected firm without unreasonable delay, and in any event within 60 days of determining the breach occurred, with what happened, what data was involved, what we're doing about it, and what the firm should do.
Responsible disclosure
Found a vulnerability? Email security@startmanaging-legal.com. We don't threaten or pursue researchers who act in good faith, who don't access data they aren't entitled to, and who give us a reasonable window to fix the issue before publicly disclosing it.
Want the full security review?
We hand prospects the architecture deck, the sub-processor list, and the GLBA mapping on the demo call.