Security Overview
At APUA AI Private Limited, security is foundational to the ApuaLegal platform. Legal professionals entrust us with sensitive case data and client information, and we take that responsibility seriously. This page outlines the security measures we implement to protect your data.
1. Infrastructure
ApuaLegal is built on Google Cloud Platform (GCP) and deployed exclusively in the Mumbai region (asia-south1), ensuring all data remains within India.
- Region: asia-south1 (Mumbai, India)
- Availability: Multi-zone deployment for high availability and fault tolerance
- Network: Google's private global network with DDoS protection
- Isolation: Virtual Private Cloud (VPC) with network segmentation
2. Encryption
2.1 Data at Rest
All data stored on ApuaLegal is encrypted at rest using AES-256 encryption, the industry standard for data protection. This includes:
- Firestore database records (user data, case data, research history)
- Cloud Storage files (uploaded documents, generated drafts)
- Backups and snapshots
2.2 Data in Transit
All data transmitted to and from ApuaLegal is encrypted using TLS 1.3, the latest version of Transport Layer Security. This covers:
- Browser-to-server communication (HTTPS)
- API calls between services
- Internal service-to-service communication within our infrastructure
3. Authentication and Access Control
3.1 User Authentication
ApuaLegal uses Firebase Authentication for secure user identity management:
- Multi-factor authentication (MFA): Available for all users and recommended for enhanced security.
- Secure password policies: Minimum length, complexity requirements, and breach detection.
- Session management: Automatic session expiration and secure token handling.
- OAuth 2.0: Support for Google Sign-In for convenient and secure authentication.
3.2 Internal Access Controls
Access to production infrastructure and user data is strictly controlled:
- Principle of least privilege for all team members
- Role-based access control (RBAC) for administrative functions
- Audit logging of all administrative access
- Regular access reviews and deprovisioning
4. Compliance and Certifications
Our infrastructure leverages Google Cloud's industry-leading compliance posture:
| Certification | Scope | Status |
|---|---|---|
| SOC 2 Type II | Google Cloud infrastructure | Active |
| ISO 27001 | Google Cloud information security | Active |
| ISO 27017 | Cloud-specific security controls | Active |
| ISO 27018 | Protection of PII in cloud | Active |
| DPDP Act 2023 | ApuaLegal platform compliance | Compliant |
5. Vulnerability Management
5.1 Penetration Testing
We conduct regular security assessments to identify and remediate vulnerabilities:
- External penetration testing: Conducted annually by independent security firms.
- Automated vulnerability scanning: Continuous scanning of our infrastructure and application code.
- Dependency scanning: Automated checks for vulnerabilities in third-party libraries and packages.
5.2 Incident Response
We maintain a comprehensive incident response plan:
- 24/7 monitoring and alerting for security events
- Defined escalation procedures and response timelines
- Post-incident review and remediation process
- Notification of affected users within the timelines required by the DPDP Act 2023
6. Attorney-Client Privilege by Design
ApuaLegal is designed with the unique confidentiality requirements of the legal profession in mind:
- Data isolation: Each user's data is logically isolated. No user can access another user's case data, documents, or research history.
- No cross-user data sharing: We do not aggregate or share individual user data across accounts.
- Audit trails: Comprehensive audit logs track access to sensitive data, supporting compliance with professional conduct rules.
- Secure deletion: When you delete data, it is permanently removed from our systems within the retention period specified in our Privacy Policy.
7. AI Security
Our AI features are designed with security and privacy at their core:
- No training on user data: Your data is never used to train, fine-tune, or improve any AI or machine learning model.
- Real-time processing: AI queries are processed in real-time and are not stored or retained by the AI provider beyond the processing session.
- Data minimisation: Only the minimum necessary data is sent to AI services for processing.
- No third-party model access: AI processing occurs within our secured Google Cloud environment.
8. Application Security
- Secure development lifecycle: Security is integrated into every stage of our development process.
- Code reviews: All code changes undergo peer review with security focus.
- OWASP compliance: Our application is developed with OWASP Top 10 guidelines in mind.
- Content Security Policy: Strict CSP headers to prevent XSS and injection attacks.
- Rate limiting: API rate limiting to prevent abuse and brute-force attacks.
9. Business Continuity
- Automated backups: Regular automated backups with point-in-time recovery capability.
- Disaster recovery: Documented disaster recovery procedures with defined RTO and RPO.
- Multi-zone deployment: Infrastructure distributed across multiple availability zones for resilience.
10. Responsible Disclosure
If you discover a security vulnerability in ApuaLegal, we encourage responsible disclosure. Please report security issues to:
Email: grievance@apua.ai
Subject: Security Vulnerability Report
We will acknowledge your report within 72 hours and work to address verified vulnerabilities promptly. We do not pursue legal action against good-faith security researchers.
11. Contact
For security-related questions or concerns:
Email: grievance@apua.ai
Website: apualegal.com