
SOC 2
Security program readiness
Controls, evidence collection, vendor governance, and operating cadence are being prepared for independent assessment.
Welcome to Lawpath's Trust Center, where our commitment to data privacy and security is central to how we operate. Lawpath provides legal technology that helps businesses create, manage, and progress legal work with confidence.
This Trust Center offers insight into our security practices, including the controls, policies, compliance programs, and subprocessors that support our platform. You can explore our compliance roadmap, review our control catalog, and understand how we safeguard customer data.
For security documentation, assurance requests, or updates on our compliance initiatives, contact our security team.
Program status
SOC 2
Readiness and evidence collection underway
ISO 27001:2022
ISMS alignment and control ownership underway
Compliance
Lawpath is building toward independent assurance across widely recognized security and information security management standards.

Security program readiness
Controls, evidence collection, vendor governance, and operating cadence are being prepared for independent assessment.

Information security management system
Policy framework, risk treatment, control ownership, and continuous improvement practices are being aligned to the 2022 standard.
Resources
Security, privacy, and operational policies available to customers and partners during security review.
Controls
A mapped set of 130 control objectives across 14 security, privacy, compliance, and operational resilience categories.
01
Governance, privacy, and security controls for AI-assisted product and operational workflows.
AI governance aligned to ISO/IEC 42001
Administrator control over AI features
AI activity audit logging
Global AI governance coverage
Periodic AI governance reviews
AI data handling and training restrictions
Built-in prompt redaction and moderation
ISO/IEC 42001-aligned AI risk management
02
Internal governance practices that define ownership, risk treatment, incident handling, and continuous improvement.
Annual risk assessment
Annual risk assessment and review
Formal security policies
Semi-annual risk reviews
Incident response plan
Incident response procedures
Internal security audits and monitoring
Post-incident root cause analysis
Cybersecurity insurance
Role-based responsibilities and accountability
03
Identity, authentication, authorization, and access review controls for customer-facing and internal systems.
Multi-factor authentication
Multi-factor authentication for all systems
Role-based access control
Single sign-on integration
Just-in-time privileged access
Automated access reviews
Biannual access reviews
Account lockout and session timeout
04
Data lifecycle safeguards for classification, encryption, backup, retention, deletion, and privacy-by-design practices.
Encryption at rest
Data classification and handling
Encryption in transit
Encryption at rest and in transit
Data classification program
Customer-controlled encryption keys
Backup encryption and replication
Secure data retention and disposal
Data protection by design and default
Secure data deletion
05
Layered cloud, network, host, and perimeter safeguards that reduce exposure and improve resilience.
Web application firewall
Cloud infrastructure with strong regional controls
Network segmentation and DMZ
Network segmentation and firewalls
Web application firewall and DDoS protection
Infrastructure as code with CIS benchmarks
Default-deny security groups
Continuous vulnerability and patch management
Annual penetration testing
Intrusion detection and monitoring
06
Secure software development practices embedded across design, implementation, testing, release, and external validation.
Secure software development lifecycle
Secure development lifecycle policy
Separation of development and production environments
Static code and dependency scanning
Peer code reviews
Automated dependency and secret scanning
Third-party penetration testing
Annual third-party penetration testing
Public bug bounty program
Bug bounty program
07
Continuity planning, backup, replication, restoration, and recovery controls for major disruption scenarios.
Documented disaster recovery plan
Disaster recovery policy with defined RTO / RPO
Automated backups and snapshots
Automated, encrypted backups with multi-region storage
Annual disaster recovery testing
Defined recovery time and point objectives
Multi-region replication
99.5% uptime service-level agreement
Business continuity framework based on ISO 22301
08
People-focused controls for onboarding, training, acceptable use, secure development awareness, and offboarding.
Pre-employment background checks
Mandatory background checks
Annual security awareness training
Security awareness training
Secure coding training
Acceptable use and confidentiality agreements
Terminations and offboarding controls
Progressive disciplinary policy
Certification reimbursement program
Disciplinary procedures for policy violations
09
Facility, visitor, surveillance, media handling, and environmental safeguards for office and operational locations.
Badge and biometric access controls
Badge-based access control and visitor management
Video surveillance and retention
CCTV surveillance
Visitor management and logging
Physical media and device protection
Fire detection and suppression systems
Fire suppression and environmental controls
Secure media disposal
10
Independent assurance, regulatory alignment, internal reviews, and transparent privacy practices.
SOC 2 Type II certification
ISO/IEC 27001:2022 certification
ISO / IEC 27001:2022 certification
SOC 2 Type II and SOC 3 attestation
AI governance alignment with ISO/IEC 42001:2023
GDPR, CCPA, and privacy regulation alignment
Vendor due diligence and compliance management
Cyber Essentials certification
Annual internal control reviews
Privacy policy transparency and data subject rights
11
Vendor due diligence, contractual protections, ongoing reassessment, inventory, and subprocessor notification controls.
Vendor due-diligence assessments
Due diligence and onboarding assessments
Annual vendor re-evaluation
Annual review and reassessment of vendors
Contractual data protection agreements
Non-disclosure agreements
Centralized vendor inventory
Published subprocessor list and notification process
Contractual security obligations
12
Managed endpoint controls for inventory, encryption, malware protection, patching, screen lock, and removable media use.
Mobile device management
Device inventory and management
Disk encryption
Antivirus and endpoint protection
Full disk encryption for endpoints
Next-generation antivirus and EDR
Forced operating system updates
Automatic screen lock and clear desk policy
Removable media restrictions
13
Change request, approval, testing, deployment, rollback, segregation, and configuration review controls.
Infrastructure as code change process
Formal change management policy
Infrastructure as code for deployments
Automated rollback plans
Automated testing and rollback plans
Segregated environments
Separation of duties for code changes
Continuous configuration reviews
Comprehensive testing standards
14
Centralized logging, security alerting, privileged activity review, intrusion detection, integrity monitoring, and SIEM controls.
Centralized log aggregation
Centralized log collection and retention
Security operations center monitoring
Continuous security monitoring
Audit logging and privileged access monitoring
IDS / IPS coverage
File integrity monitoring
Integration with security event and information management (SIEM)
Automated alerting and ticketing
Security
The security program is organized around practical controls that protect customer data and support resilient operations.
Customer data is protected with modern encryption practices for transmission and storage.
Access is governed by least-privilege principles, role-based permissions, and periodic review.
Code changes move through review, testing, and release controls before production deployment.
Operational telemetry, audit trails, and alerts support investigation and response workflows.
Subprocessors are reviewed for security, privacy, and business criticality before use.
Security events are triaged through defined escalation, containment, communication, and remediation steps.
Subprocessors
Lawpath uses the following third-party providers to deliver, operate, support, and improve its services.
AWS
Cloud hosting, storage, and infrastructure operations.
Application data, account data, operational logs
AWS Asia Pacific (Sydney), Australia
Stripe
Payments, invoicing, and billing workflows.
Billing contacts, payment metadata, transaction records
Global infrastructure
Business email, calendars, files, and collaboration.
Business contact data, support communications, documents
Global infrastructure
Intercom
Customer support messaging, help desk, and customer communications.
Contact details, support conversations, message metadata
Global infrastructure
Salesforce
Customer relationship management and customer operations.
Customer contacts, company records, sales and support notes
Global infrastructure
Twilio
Communications, messaging, and notification delivery.
Contact details, message metadata, delivery events
Global infrastructure