Trust

Your clients' files, treated like clients' files.

Personal-injury work concentrates exactly the data nobody should leak: medical records, settlement amounts, opposing-counsel correspondence, client SSNs in intake forms. Here's how Lexboard handles it.

§I · Data isolation

The structural fix, not the marketing line.

Every record in Lexboard carries a firm_id. Postgres row-level security is enabled on every table; every read and every write is filtered against the caller's firm, which is sourced from a JWT claim, not from a request parameter. A developer who forgets a WHERE firm_id = ? in application code still cannot see another firm's data.

Service-role access is restricted to API routes that go through a firm-context helper. Background jobs (cron, webhook handlers, recurring task spawners) carry the firm context explicitly, so no row leaves a firm boundary.

Cross-tenant integration tests run on every deploy: signed in as Firm A, the test suite asserts zero rows returned from Firm B fixtures. CI gates the deploy.
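The three mechanisms above (a firm_id on every row, a policy keyed on a JWT claim rather than a request parameter, background jobs setting the context explicitly, and the signed-in-as-Firm-A assertion) fit in one script. This is an added example written for this page, not Lexboard's schema or test suite; it runs on plain Postgres, and the table, column, role and claim names are assumptions. Supabase and PostgREST expose verified JWT claims to SQL as the request.jwt.claims setting, which is what the policy reads.

```sql
-- Added example, not Lexboard's schema: tenant isolation with Postgres RLS keyed on
-- a JWT claim, a background job setting the same context itself, and the
-- cross-tenant assertion. Plain Postgres (>= 10). Run as a superuser, e.g.
-- psql -f tenant_rls.sql. All names and the claim layout are assumptions.

-- 1. Every record carries a firm_id.
create table cases (
  id      bigserial primary key,
  firm_id uuid      not null,
  title   text      not null
);

-- Fixtures for two firms (constructed values), loaded before RLS is switched on.
insert into cases (firm_id, title) values
  ('11111111-1111-4111-8111-111111111111', 'Firm A: Doe v. Acme'),
  ('11111111-1111-4111-8111-111111111111', 'Firm A: Roe v. Metro'),
  ('22222222-2222-4222-8222-222222222222', 'Firm B: Smith v. Jones');

-- 2. The caller's firm comes from the JWT claims the API layer attaches to the
--    connection (request.jwt.claims), never from a request parameter.
--    No claim => NULL => the policy matches nothing, not everything.
create function current_firm_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'firm_id')::uuid
$$;

-- 3. RLS on the table, FORCEd so the table owner is filtered too. Superusers
--    always bypass RLS, which is why the app connects as a plain role.
alter table cases enable row level security;
alter table cases force row level security;
create policy firm_isolation on cases
  using      (firm_id = current_firm_id())   -- reads
  with check (firm_id = current_firm_id());  -- writes

create role app_user nologin;
grant select, insert, update, delete on cases to app_user;
grant usage on sequence cases_id_seq to app_user;

-- 4. Cross-tenant test: signed in as Firm A, Firm B fixtures must be invisible
--    even to a query that forgot its WHERE, and a write tagged with another
--    firm_id must be rejected by WITH CHECK.
begin;
set local role app_user;
set local request.jwt.claims = '{"sub":"alice","firm_id":"11111111-1111-4111-8111-111111111111"}';
do $$
begin
  assert (select count(*) from cases) = 2,
    'Firm A should see exactly its own two rows';
  assert (select count(*) from cases
          where firm_id = '22222222-2222-4222-8222-222222222222') = 0,
    'cross-tenant leak: Firm A can read Firm B rows';
  begin
    insert into cases (firm_id, title)
      values ('22222222-2222-4222-8222-222222222222', 'smuggled into Firm B');
    raise exception 'WITH CHECK did not reject a cross-firm insert';
  exception when insufficient_privilege then
    null;  -- expected: "new row violates row-level security policy"
  end;
end $$;
rollback;

-- 5. A background job has no user JWT, so it sets the firm context itself inside
--    its own transaction; the same policy then governs everything it touches.
begin;
set local role app_user;
select set_config('request.jwt.claims',
                  json_build_object('firm_id', '22222222-2222-4222-8222-222222222222')::text,
                  true);
insert into cases (firm_id, title) values
  ('22222222-2222-4222-8222-222222222222', 'Firm B: recurring statute-of-limitations check');
do $$
begin
  assert (select count(*) from cases) = 2, 'the job sees only Firm B rows';
end $$;
commit;
```

The two things a reviewer should look for in a real schema are in steps 2 and 3: the claim helper returns NULL rather than a default when the context is missing, so an un-contextualised job reads nothing instead of everything, and FORCE ROW LEVEL SECURITY keeps the table owner inside the policy as well.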

§II · Encryption

At rest, in transit, and in storage.

In transit

TLS 1.2+ for every connection. HSTS preload-eligible. No HTTP fallback in production.

At rest, database

AES-256 disk encryption on Supabase Postgres. Daily encrypted backups, point-in-time recovery up to 7 days on the production tier.

At rest, file storage

AES-256 on Supabase Storage. Signed-URL access only; bucket-level RLS mirrors database firm_id. URLs expire in 7 days.

Secrets

API keys (Stripe, Twilio, Gmail OAuth refresh tokens, AI sub-processor) stored encrypted in firm_integrations or environment variables; never logged.

Passwords

Never stored. Supabase Auth handles password hashing (bcrypt). Lexboard servers never see a plaintext password, even on signup.

§III · Access & permissions

Five firm roles, per-case scoping, audit log on every change.

Firm-wide roles. Admin, attorney, paralegal, staff, read-only. Each role gates a different set of capabilities: only attorneys can finalize a settlement; only admins can change firm settings or modify roles.

Per-case access. By default everyone in the firm sees every case. Toggle a firm-level setting to flip the default to assignees-only. Override per case: sensitive matters can be locked to the assigned team only, even when the firm default is open.

Per-user override. A paralegal can be marked all-cases-visible regardless of firm default, or assignees-only regardless. Financial visibility (fees, costs, settlement amounts) is its own per-user toggle.
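The precedence the three paragraphs above describe (assignees always see their matter, a per-case lock beats everything else, a per-user override beats the firm default, and financial visibility is a separate switch) is easy to get subtly wrong when it is spread across application code. Below it is expressed once, as Postgres policies, with assertions for each user. This is an added example written for this page, not Lexboard's schema; it runs on plain Postgres, and every table, column and claim name is an assumption.

```sql
-- Added example, not Lexboard's schema: the per-case access model as Postgres RLS.
-- Plain Postgres (>= 10), run as a superuser. Names and claims are assumptions.
create table firms (
  id                    uuid primary key,
  cases_open_by_default boolean not null default true                   -- firm-level toggle
);
create table firm_members (
  firm_id             uuid not null references firms,
  user_id             uuid not null,
  role                text not null check (role in ('admin','attorney','paralegal','staff','read_only')),
  case_visibility     text check (case_visibility in ('all','assigned')), -- per-user override, NULL = firm default
  can_view_financials boolean not null default false,                     -- separate toggle
  primary key (firm_id, user_id)
);
create table cases (
  id                  bigserial primary key,
  firm_id             uuid not null references firms,
  title               text not null,
  locked_to_assignees boolean not null default false                      -- per-case lock
);
create table case_assignees (
  case_id bigint not null references cases,
  user_id uuid   not null,
  primary key (case_id, user_id)
);
create table case_financials (                                           -- fees, costs, settlement
  case_id           bigint primary key references cases,
  firm_id           uuid   not null references firms,
  settlement_amount numeric
);

create function claim(name text) returns text language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> name
$$;

-- Visibility rule. SECURITY DEFINER so the helper-table lookups are not themselves
-- filtered by policies (which would recurse); search_path is pinned for safety.
create function can_view_case(case_id bigint, case_firm uuid, locked boolean) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from case_assignees a                        -- assignees always see their matters
                 where a.case_id = can_view_case.case_id and a.user_id = claim('sub')::uuid)
      or (not locked                                                   -- a locked case is assignee-only, full stop
          and coalesce(
                (select m.case_visibility = 'all' from firm_members m  -- per-user override wins...
                 where m.firm_id = case_firm and m.user_id = claim('sub')::uuid),
                (select f.cases_open_by_default from firms f where f.id = case_firm)))  -- ...else firm default
$$;

alter table cases enable row level security;
alter table cases force row level security;
create policy firm_isolation on cases using (firm_id = claim('firm_id')::uuid);
-- RESTRICTIVE matters: permissive policies are OR-ed together, so adding the
-- scope rule as a second permissive policy would widen access, not narrow it.
create policy case_scope on cases as restrictive
  using (can_view_case(id, firm_id, locked_to_assignees));

alter table case_financials enable row level security;
alter table case_financials force row level security;
create policy financials_scope on case_financials using (
  firm_id = claim('firm_id')::uuid
  and exists (select 1 from firm_members m
              where m.firm_id = case_financials.firm_id
                and m.user_id = claim('sub')::uuid and m.can_view_financials)
  and exists (select 1 from cases c where c.id = case_financials.case_id)  -- inherits case visibility via RLS
);

create role app_user nologin;
grant select on cases, case_financials to app_user;

-- Constructed fixtures: an open firm; Alice (attorney, no override, sees money),
-- Bob (paralegal, forced assignees-only), Carol (read-only, forced all-cases);
-- case 2 is locked and assigned to Bob.
insert into firms values ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', true);
insert into firm_members values
  ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '00000000-0000-4000-8000-000000000001', 'attorney',  null,       true),
  ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '00000000-0000-4000-8000-000000000002', 'paralegal', 'assigned', false),
  ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '00000000-0000-4000-8000-000000000003', 'read_only', 'all',      false);
insert into cases (id, firm_id, title, locked_to_assignees) values
  (1, 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'Doe v. Acme',   false),
  (2, 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'Sealed matter', true);
insert into case_assignees values (2, '00000000-0000-4000-8000-000000000002');
insert into case_financials values
  (1, 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 250000),
  (2, 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 900000);

-- Test helper: act as a given user of the fixture firm and list what is visible.
create function visible_to(who uuid, financials boolean default false) returns bigint[]
language plpgsql as $$
declare ids bigint[];
begin
  perform set_config('request.jwt.claims', json_build_object(
            'firm_id', 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'sub', who)::text, true);
  set local role app_user;
  if financials then
    select coalesce(array_agg(case_id order by case_id), '{}') into ids from case_financials;
  else
    select coalesce(array_agg(id order by id), '{}') into ids from cases;
  end if;
  reset role;
  return ids;
end $$;

do $$
begin
  assert visible_to('00000000-0000-4000-8000-000000000001') = '{1}', 'Alice: open default, but case 2 is locked';
  assert visible_to('00000000-0000-4000-8000-000000000002') = '{2}', 'Bob: assignees-only, assigned to the locked case';
  assert visible_to('00000000-0000-4000-8000-000000000003') = '{1}', 'Carol: all-cases override does not unlock a locked case';
  assert visible_to('00000000-0000-4000-8000-000000000001', true) = '{1}', 'Alice sees money only for cases she can see';
  assert visible_to('00000000-0000-4000-8000-000000000002', true) = '{}',  'Bob: financial visibility is off';
end $$;
```

Two design points are worth copying even if the schema differs: financial figures live in their own table with their own policy, so the financial toggle cannot be bypassed by a column the ORM forgot to strip, and the financial policy defers to the RLS on cases through a subquery rather than re-implementing the case rule a second time.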

Audit log. Every permission change, every phase-gate override, every email sent, every document generated writes an immutable row with actor, timestamp, before/after JSON, and IP. Search the audit feed by entity or by user.
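"Immutable" needs two layers in Postgres, since a grant alone does not bind the table owner or a migration run with elevated privileges. The script below, an added example for this page and not Lexboard's code, shows an append-only audit table fed by a row trigger that captures actor, timestamp, before/after JSON and IP, with the actor and IP taken from per-connection settings the API layer is assumed to set (request.jwt.claims and a hypothetical app.client_ip), never from the row being written. It runs on plain Postgres 11 or later; all names are assumptions.

```sql
-- Added example, not Lexboard's code: append-only audit log with a row trigger.
-- Plain Postgres (>= 11), run as a superuser. Table names, the app role and the
-- app.client_ip setting are assumptions.
create table firm_members (
  id      bigserial primary key,
  firm_id uuid not null,
  user_id uuid not null,
  role    text not null
);
create table audit_log (
  id          bigserial primary key,
  firm_id     uuid        not null,
  entity      text        not null,          -- table name
  entity_id   text        not null,
  action      text        not null,          -- INSERT / UPDATE / DELETE
  actor       uuid,                          -- JWT sub; NULL for system jobs
  ip          inet,
  occurred_at timestamptz not null default now(),
  before      jsonb,
  after       jsonb
);

-- Immutability, layer 1: the application role can only append and read.
create role app_user nologin;
grant select, insert, update, delete on firm_members to app_user;
grant usage on sequence firm_members_id_seq, audit_log_id_seq to app_user;
grant select, insert on audit_log to app_user;   -- deliberately no update/delete

-- Layer 2: a trigger refuses rewrites even for roles that do hold the grant
-- (the owner, or a migration run with too many privileges).
create function audit_log_append_only() returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% rejected)', tg_op
    using errcode = 'insufficient_privilege';
end $$;
create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_append_only();

-- The writer. Actor and IP come from connection settings, never from the row.
create function write_audit_row() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  claims  jsonb := nullif(current_setting('request.jwt.claims', true), '')::jsonb;
  row_now jsonb := case when tg_op = 'DELETE' then null else to_jsonb(new) end;
  row_was jsonb := case when tg_op = 'INSERT' then null else to_jsonb(old) end;
begin
  insert into audit_log (firm_id, entity, entity_id, action, actor, ip, before, after)
  values (coalesce(row_now ->> 'firm_id', row_was ->> 'firm_id')::uuid,
          tg_table_name,
          coalesce(row_now ->> 'id', row_was ->> 'id'),
          tg_op,
          (claims ->> 'sub')::uuid,
          nullif(current_setting('app.client_ip', true), '')::inet,
          row_was, row_now);
  return null;  -- AFTER trigger; return value is ignored
end $$;
create trigger firm_members_audit
  after insert or update or delete on firm_members
  for each row execute function write_audit_row();

-- Walk-through as the app role: promote a paralegal, then try to tamper.
begin;
set local role app_user;
set local request.jwt.claims = '{"sub":"00000000-0000-4000-8000-000000000099","firm_id":"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"}';
set local app.client_ip = '203.0.113.7';
insert into firm_members (firm_id, user_id, role)
  values ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '00000000-0000-4000-8000-000000000002', 'paralegal');
update firm_members set role = 'attorney' where user_id = '00000000-0000-4000-8000-000000000002';
do $$
declare r audit_log;
begin
  select * into r from audit_log where action = 'UPDATE' order by id desc limit 1;
  assert r.before ->> 'role' = 'paralegal' and r.after ->> 'role' = 'attorney', 'before/after captured';
  assert r.actor = '00000000-0000-4000-8000-000000000099' and r.ip = '203.0.113.7', 'actor and IP from session';
  begin
    delete from audit_log where id = r.id;
    raise exception 'audit row was deleted';
  exception when insufficient_privilege then null;   -- layer 1: no DELETE grant
  end;
end $$;
commit;

-- The owner holds every grant, and still cannot rewrite history (layer 2).
do $$
begin
  update audit_log set after = '{}'::jsonb;
  raise exception 'audit row was rewritten';
exception when insufficient_privilege then null;     -- raised by audit_log_append_only()
end $$;
```

The trigger is SECURITY DEFINER with a pinned search_path so that the audited table's writers do not need direct INSERT on audit_log at all; in the example app_user keeps that grant only to show that it makes no difference to the tamper checks.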

§IV · Compliance posture

What we are. What we're aligned with. What's on the roadmap.

SOC 2 Type II

Audit in progress. Type I attestation expected Q3 2026; Type II observation window currently running.
In progress

HIPAA

Business Associate Agreement available on request. Database, storage, and infra providers (Supabase, Vercel) operate under their own BAAs. Medical records flow through HIPAA-aware request and chronology workflows.
BAA available

ABA Model Rule 1.6 (confidentiality)

Multi-tenant data isolation, encryption at rest and in transit, and access controls satisfy the duty of competence (Rule 1.1 Cmt. 8) and confidentiality (Rule 1.6) for cloud-hosted client data.
Aligned

State bar cloud-storage opinions

Reasonable-care standards from FL, CA, TX, NY ethics opinions are met. Specific opinions cited in the BAA addendum.
Aligned

GDPR / CCPA

Export and delete on request via firm admin. Data residency US-only at present; EU residency on the roadmap for 2026.
Supported

§V · Continuity

What happens when something breaks.

Uptime target 99.9%. Status page at status.lexboard.net with incident postmortems within 5 business days.

Backups. Database point-in-time recovery up to 7 days. Daily encrypted backups retained 30 days. File storage versioned for 30 days.

Disaster recovery. RPO 1 hour, RTO 4 hours. DR runbook tested quarterly.

Vendor exit. Full firm-data export available from the admin panel: cases, clients, documents, communications, ledger, and audit log as JSON + CSV. No lock-in.

Need to dig deeper?

We'll send the full security questionnaire (DDQ + SOC 2 update + data-flow diagram) to your firm's IT or compliance lead. Email security@lexboard.net.

Reporting a vulnerability

Send a description and reproduction steps to security@lexboard.net. We acknowledge within one business day. No bounty program yet — we send a bottle of bourbon and your name on the trust page.