Security
Legal research involves privileged, sensitive information. Every architectural decision we make starts with the question: how do we protect it?
AES-256
Encryption at rest
TLS 1.3
Encryption in transit
US-East
Primary data region
Data handling
What we collect and how we use it
TomLegal processes the queries you submit and the research context you provide in order to deliver relevant legal results. We do not use your queries or research data to train AI models.
Free-tier research is public by default — it may appear in aggregated, anonymised usage statistics. Pro and Team accounts keep all research fully private. Private research is never shared, aggregated, or made accessible to other users.
We collect minimal account data: email address, display name, and authentication tokens. Payment information is processed directly by Stripe and never touches our servers.
Encryption
Your data is encrypted at every stage
All data transmitted between your browser and TomLegal is encrypted with TLS 1.3. We enforce HSTS and reject downgrade attempts.
Data at rest — including your research history, chat messages, and account information — is encrypted using AES-256. Database backups are encrypted with the same standard before being stored in a separate, access-controlled location.
Encryption keys are managed through your cloud provider's key management service with automatic rotation. No encryption keys are stored in application code or environment variables.
Infrastructure
Where your data lives
TomLegal runs on cloud infrastructure in the US-East region. Our primary database is a hardened relational engine with row-level security policies enforcing strict data isolation between users and teams.
Application servers are stateless and deployed behind a CDN with DDoS protection. We use security headers including Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security across all responses.
File uploads are stored in access-controlled object storage with per-user path isolation. Temporary processing data is purged automatically and never persisted beyond the request lifecycle.
SOC 2
Compliance programme
TomLegal is actively pursuing SOC 2 Type II certification. Our controls cover the Trust Services Criteria for security, availability, and confidentiality.
We have implemented the organisational and technical controls required for certification, including access management, change control, incident response procedures, and continuous monitoring. Audit is expected to complete in 2026.
If you require a security questionnaire or need our current controls documentation for your procurement process, contact us at support[at]tomx.com.
GDPR
European data protection
TomLegal complies with the General Data Protection Regulation. We process personal data under lawful bases including contract performance and legitimate interest, and we do not sell personal data.
Data subjects have the right to access, rectify, erase, and port their personal data. These requests can be submitted through your account settings or by contacting support[at]tomx.com. We respond to all requests within 30 days.
For organisations requiring a Data Processing Agreement, we provide a standard DPA that covers our processing activities, sub-processor list, and data transfer mechanisms. Contact us to receive a copy.
Access control
Who can access what
Internal access to production systems follows the principle of least privilege. Engineers access infrastructure through short-lived credentials with mandatory multi-factor authentication. There is no standing access to customer data.
Team accounts include role-based access control: administrators manage billing and team membership, while members access only their own research. Admin visibility into team research is opt-in and logged.
All access to production databases and infrastructure is logged and subject to periodic review. We maintain an audit trail of administrative actions across the platform.
Incident response
When something goes wrong
We maintain a documented incident response plan covering detection, containment, eradication, and recovery. Security incidents are classified by severity with defined response times.
Affected customers are notified within 72 hours of a confirmed breach involving their personal data, consistent with GDPR requirements. Notifications include the nature of the breach, data affected, and remediation steps.
To report a security vulnerability, contact support[at]tomx.com. We acknowledge reports within 48 hours and do not pursue legal action against good-faith security researchers.
Have a security question?
We're happy to discuss our practices in detail.