Security

This page describes the practical security posture LegalKit is prepared to stand behind today.

Last updated: March 9, 2026

Current controls

  • Supabase Auth and scoped API keys are used for authenticated access.
  • Public APIs apply rate limiting, validation, and security headers.
  • Scanner and verification endpoints validate external URLs to reduce SSRF risk.
  • Policy versions, consent logs, and disclaimer acknowledgements create an audit trail.
  • Billing is delegated to Stripe so LegalKit does not directly handle raw payment card data.
  • Feature-dependent integrations such as email delivery and error monitoring are isolated behind environment configuration.
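
The SSRF control above says only that external URLs are validated. The following is an added illustration of what such a check has to cover; it is not LegalKit's code, and the allowed schemes and ports, the hostnames and the DNS answers in it are constructed assumptions. It rejects non-HTTP schemes, embedded credentials and unusual ports before any network access, then resolves the hostname and refuses the fetch if any returned address (including an IPv4 address hidden inside an IPv4-mapped IPv6 literal) is loopback, link-local, private or otherwise non-global, which is what makes cloud metadata endpoints such as 169.254.169.254 and split public/private DNS answers unreachable.

```python
"""Outbound URL validation to reduce SSRF risk (added example, not LegalKit's code)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Illustrative policy values; they are assumptions, not LegalKit's configuration.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_URL_LENGTH = 2048

Resolver = Callable[[str], Iterable[str]]


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched server-side."""


def system_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record, so a mixed public/private answer is caught."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(raw: str) -> bool:
    """True only for globally routable addresses (no loopback, link-local, RFC 1918, CGNAT...)."""
    ip = ipaddress.ip_address(raw)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as the IPv4 it hides.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_outbound_url(url: str, resolve: Resolver = system_resolver) -> tuple[str, list[str]]:
    """Return (url, resolved_public_ips) or raise UnsafeUrl.

    The caller should connect to one of the returned addresses (sending the
    hostname in the Host/SNI fields) instead of resolving again, so a DNS
    answer that changes between check and use (rebinding) cannot redirect it.
    """
    if len(url) > MAX_URL_LENGTH:
        raise UnsafeUrl("URL too long")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise UnsafeUrl("invalid port") from exc
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")

    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        try:
            addresses = list(resolve(host))  # decimal/octal IP forms end up here too
        except OSError as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise UnsafeUrl(f"no addresses for {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeUrl(f"{host!r} resolves to non-public address {addr}")
    return parts.geturl(), addresses


# Constructed DNS answers so the example runs offline; these are not real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],  # split answer: one public, one private
}


def fake_resolver(host: str) -> list[str]:
    try:
        return FAKE_DNS[host]
    except KeyError as exc:
        raise OSError(f"NXDOMAIN {host}") from exc


def check(url: str, resolve: Resolver = fake_resolver) -> str:
    """Return 'allowed' or 'rejected: <reason>' for a candidate URL."""
    try:
        validate_outbound_url(url, resolve)
        return "allowed"
    except UnsafeUrl as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for candidate in ("https://example.com/policy.html", "http://localhost/admin",
                      "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
                      "file:///etc/passwd", "https://rebind.test/"):
        print(f"{candidate:45} {check(candidate)}")
```

Two caveats apply however the check is implemented. First, validating once and then handing the hostname to an HTTP client that resolves it again reopens the DNS-rebinding window; either pin the connection to the address that passed, or keep the answer's TTL short and re-check at connect time. Second, a redirect from an allowed host can point at an internal one, so the client must either not follow redirects or run the same validation on every hop.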

What we do not claim

  • LegalKit does not currently claim SOC 2, ISO 27001, HIPAA, or FedRAMP certification on this site.
  • High-risk or regulated use cases should undergo counsel and security review before production use.
  • Signed vendor paperwork, security questionnaires, and custom terms are handled case-by-case via legal review.

Security contact

Send security reports, questionnaires, or enterprise security requests to [email protected].