Built for legal matters, honest by default
Legal work deserves clear answers about where data lives and who can see it. This page sets out exactly what we do today, and what is still on the roadmap, without badges we have not earned.
The practices protecting your matters
Each of these is live in the product now.
Australian data residency
Matter data and documents are stored with Supabase in the Sydney region (ap-southeast-2). Your clients' information stays onshore.
Tenant isolation
Every firm is a separate tenant, enforced with Postgres row-level security in the database itself. One firm's data is never visible to another, even if application code misbehaves.
Encryption in transit and at rest
All traffic runs over TLS, and data is encrypted at rest on the underlying storage. Documents are additionally isolated to their matter.
Append-only audit log
Security-relevant actions (sign-ins, document access, matter changes, approvals) are written to an append-only audit log, so there is always a trail of who did what, when.
Role-based access
Access follows four roles: admin, lawyer, staff and client. Each sees only what their role and their matters allow; clients only ever see their own matters.
Data handling and retention
You keep ownership of what you upload. We process it only to provide the service, and we delete it on verified request. Formal, configurable retention schedules are planned.
Tailored output is held until a solicitor approves it
Anything tailored to a specific matter is held back until a named admitted Australian solicitor reviews and approves it. The gate fails closed: if the approval record is missing, does not match the content, or the reviewing firm cannot be verified, nothing is released. This is enforced in the release code path, not just in the interface.
Who we rely on
A short, deliberate list. Each provider processes data only to deliver its part of the service.
Application hosting and delivery
Database, authentication and file storage (Sydney, ap-southeast-2)
AI processing behind the supervision gate
Transactional email
What we do not claim
We do not currently hold ISO 27001 or SOC 2 certification, and we will not imply otherwise. Independent certification, formal penetration testing and configurable retention schedules are planned as the platform matures. When any of these lands, we will say so here.
Responsible disclosure
Found a vulnerability? Please tell us privately before publishing, and we will respond quickly and credit you if you wish.
security@newlaw.aiQuestions about security?
Ask us anything about data residency, isolation or the supervision gate. Straight answers, no badge-washing.
AI-assisted information, reviewed by an admitted Australian solicitor; not legal advice.