Trust center liveLast updated July 1, 2026

Lawpath Trust Center

Welcome to Lawpath's Trust Center, where our commitment to data privacy and security is central to how we operate. Lawpath provides legal technology that helps businesses create, manage, and progress legal work with confidence.

This Trust Center offers insight into our security practices, including the controls, policies, compliance programs, and subprocessors that support our platform. You can explore our compliance roadmap, review our control catalog, and understand how we safeguard customer data.

For security documentation, assurance requests, or updates on our compliance initiatives, contact our security team.

View subprocessors

Program status

In progress

Active

SOC 2

Readiness and evidence collection underway

In progress

ISO 27001:2022

ISMS alignment and control ownership underway

In progress

Compliance

Compliance programs

Lawpath is building toward independent assurance across widely recognized security and information security management standards.

SOC 2 badge

SOC 2

Security program readiness

In progress

Controls, evidence collection, vendor governance, and operating cadence are being prepared for independent assessment.

ISO 27001:2022 badge

ISO 27001:2022

Information security management system

In progress

Policy framework, risk treatment, control ownership, and continuous improvement practices are being aligned to the 2022 standard.

Resources

Policy library

Security, privacy, and operational policies available to customers and partners during security review.

HR Security Procedure

Policy

PHI Data breach Notification Procedure

Policy

Organization of Information Security Policy

Policy

Data Breach Notification Policy

Policy

Encryption Policy

Policy

Communications & Network Security Policy

Policy

Network Security Procedure

Policy

Asset Management Procedure

Policy

Vendor Management Procedure

Policy

Acceptable Usage Policy

Policy

Operations Security Procedure

Policy

Business Continuity & Disaster Recovery Policy

Policy

System Acquisition and Development Lifecycle Policy

Policy

Access Control Procedure

Policy

SDLC Procedure

Policy

Compliance Procedure

Policy

Endpoint Security Policy

Policy

Operation Security Policy

Policy

Vendor Management Policy

Policy

HR Security Policy

Policy

Controls

Control catalog

A mapped set of 130 control objectives across 14 security, privacy, compliance, and operational resilience categories.

01

AI governance

Governance, privacy, and security controls for AI-assisted product and operational workflows.

8 controls

AI governance aligned to ISO/IEC 42001

Administrator control over AI features

AI activity audit logging

Global AI governance coverage

Periodic AI governance reviews

AI data handling and training restrictions

Built-in prompt redaction and moderation

ISO/IEC 42001-aligned AI risk management

02

Internal security procedures

Internal governance practices that define ownership, risk treatment, incident handling, and continuous improvement.

10 controls

Annual risk assessment

Annual risk assessment and review

Formal security policies

Semi-annual risk reviews

Incident response plan

Incident response procedures

Internal security audits and monitoring

Post-incident root cause analysis

Cybersecurity insurance

Role-based responsibilities and accountability

03

Access control

Identity, authentication, authorization, and access review controls for customer-facing and internal systems.

8 controls

Multi-factor authentication

Multi-factor authentication for all systems

Role-based access control

Single sign-on integration

Just-in-time privileged access

Automated access reviews

Biannual access reviews

Account lockout and session timeout

04

Data security

Data lifecycle safeguards for classification, encryption, backup, retention, deletion, and privacy-by-design practices.

10 controls

Encryption at rest

Data classification and handling

Encryption in transit

Encryption at rest and in transit

Data classification program

Customer-controlled encryption keys

Backup encryption and replication

Secure data retention and disposal

Data protection by design and default

Secure data deletion

05

Infrastructure security

Layered cloud, network, host, and perimeter safeguards that reduce exposure and improve resilience.

10 controls

Web application firewall

Cloud infrastructure with strong regional controls

Network segmentation and DMZ

Network segmentation and firewalls

Web application firewall and DDoS protection

Infrastructure as code with CIS benchmarks

Default-deny security groups

Continuous vulnerability and patch management

Annual penetration testing

Intrusion detection and monitoring

06

Product security

Secure software development practices embedded across design, implementation, testing, release, and external validation.

10 controls

Secure software development lifecycle

Secure development lifecycle policy

Separation of development and production environments

Static code and dependency scanning

Peer code reviews

Automated dependency and secret scanning

Third-party penetration testing

Annual third-party penetration testing

Public bug bounty program

Bug bounty program

07

Business continuity and disaster recovery

Continuity planning, backup, replication, restoration, and recovery controls for major disruption scenarios.

9 controls

Documented disaster recovery plan

Disaster recovery policy with defined RTO / RPO

Automated backups and snapshots

Automated, encrypted backups with multi-region storage

Annual disaster recovery testing

Defined recovery time and point objectives

Multi-region replication

99.5% uptime service-level agreement

Business continuity framework based on ISO 22301

08

Employee security and awareness

People-focused controls for onboarding, training, acceptable use, secure development awareness, and offboarding.

10 controls

Pre-employment background checks

Mandatory background checks

Annual security awareness training

Security awareness training

Secure coding training

Acceptable use and confidentiality agreements

Terminations and offboarding controls

Progressive disciplinary policy

Certification reimbursement program

Disciplinary procedures for policy violations

09

Physical and environmental security

Facility, visitor, surveillance, media handling, and environmental safeguards for office and operational locations.

9 controls

Badge and biometric access controls

Badge-based access control and visitor management

Video surveillance and retention

CCTV surveillance

Visitor management and logging

Physical media and device protection

Fire detection and suppression systems

Fire suppression and environmental controls

Secure media disposal

10

Compliance and auditing

Independent assurance, regulatory alignment, internal reviews, and transparent privacy practices.

10 controls

SOC 2 Type II certification

ISO/IEC 27001:2022 certification

ISO / IEC 27001:2022 certification

SOC 2 Type II and SOC 3 attestation

AI governance alignment with ISO/IEC 42001:2023

GDPR, CCPA, and privacy regulation alignment

Vendor due diligence and compliance management

Cyber Essentials certification

Annual internal control reviews

Privacy policy transparency and data subject rights

11

Third-party and supply chain management

Vendor due diligence, contractual protections, ongoing reassessment, inventory, and subprocessor notification controls.

9 controls

Vendor due-diligence assessments

Due diligence and onboarding assessments

Annual vendor re-evaluation

Annual review and reassessment of vendors

Contractual data protection agreements

Non-disclosure agreements

Centralized vendor inventory

Published subprocessor list and notification process

Contractual security obligations

12

Device and endpoint security

Managed endpoint controls for inventory, encryption, malware protection, patching, screen lock, and removable media use.

9 controls

Mobile device management

Device inventory and management

Disk encryption

Antivirus and endpoint protection

Full disk encryption for endpoints

Next-generation antivirus and EDR

Forced operating system updates

Automatic screen lock and clear desk policy

Removable media restrictions

13

Change management

Change request, approval, testing, deployment, rollback, segregation, and configuration review controls.

9 controls

Infrastructure as code change process

Formal change management policy

Infrastructure as code for deployments

Automated rollback plans

Automated testing and rollback plans

Segregated environments

Separation of duties for code changes

Continuous configuration reviews

Comprehensive testing standards

14

Monitoring and logging

Centralized logging, security alerting, privileged activity review, intrusion detection, integrity monitoring, and SIEM controls.

9 controls

Centralized log aggregation

Centralized log collection and retention

Security operations center monitoring

Continuous security monitoring

Audit logging and privileged access monitoring

IDS / IPS coverage

File integrity monitoring

Integration with security event and information management (SIEM)

Automated alerting and ticketing

Security

Core controls

The security program is organized around practical controls that protect customer data and support resilient operations.

D

Data protection

Customer data is protected with modern encryption practices for transmission and storage.

A

Access management

Access is governed by least-privilege principles, role-based permissions, and periodic review.

S

Secure development

Code changes move through review, testing, and release controls before production deployment.

M

Monitoring

Operational telemetry, audit trails, and alerts support investigation and response workflows.

V

Vendor governance

Subprocessors are reviewed for security, privacy, and business criticality before use.

I

Incident response

Security events are triaged through defined escalation, containment, communication, and remediation steps.

Subprocessors

Active subprocessors

Lawpath uses the following third-party providers to deliver, operate, support, and improve its services.

AWS logo

Amazon Web Services

AWS

Cloud hosting, storage, and infrastructure operations.

Application data, account data, operational logs

AWS Asia Pacific (Sydney), Australia

Stripe logo

Stripe

Stripe

Payments, invoicing, and billing workflows.

Billing contacts, payment metadata, transaction records

Global infrastructure

Google logo

Google Workspace

Google

Business email, calendars, files, and collaboration.

Business contact data, support communications, documents

Global infrastructure

Intercom logo

Intercom

Intercom

Customer support messaging, help desk, and customer communications.

Contact details, support conversations, message metadata

Global infrastructure

Salesforce logo

Salesforce

Salesforce

Customer relationship management and customer operations.

Customer contacts, company records, sales and support notes

Global infrastructure

Twilio logo

Twilio

Twilio

Communications, messaging, and notification delivery.

Contact details, message metadata, delivery events

Global infrastructure