Security
Your case files, documents, and client data are confidential by nature. OKLegal protects them with the same measures used by financial institutions.
TLS 1.3
Encryption in transit
AES-256
Encryption at rest
2FA
Multi-factor authentication
99.9%
Uptime target
Layered protection
All communication between your browser and OKLegal is encrypted with TLS 1.3, the current version of the transport security standard. HTTP Strict Transport Security (HSTS) is enforced so that browsers only ever connect over HTTPS and cannot be downgraded to plain HTTP.
Sensitive data stored in the database — including e-signature tokens, confidential documents, and integration credentials — is encrypted with AES-256. Backup copies are also stored encrypted.
Protect your account with TOTP-based authentication (compatible with Google Authenticator, Authy, and any standard authenticator app). Firm administrators can enforce mandatory 2FA for all members of their organization.
Each user has a role (Administrator, Attorney, Assistant, Partner) with granular permissions. A case's data is only accessible to team members explicitly assigned to it. Privilege separation prevents accidental data exposure across matters.
Every sensitive action (login, document access, permission changes, signature events, case modifications) is logged with a timestamp, user, IP address, and event description. The audit log is append-only: entries cannot be edited or deleted, and it can be exported as CSV for compliance purposes.
OKLegal implements a comprehensive set of security headers: strict Content Security Policy (CSP), X-Frame-Options (anti-clickjacking), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Verified and rated A+ on securityheaders.com.
Registration, login, and password recovery forms are protected with Cloudflare Turnstile, the privacy-friendly alternative to reCAPTCHA. This blocks automated brute-force and credential-stuffing attempts and the mass creation of fraudulent accounts, without adding friction for legitimate users.
Each e-signature link token is unique, single-use, and individually encrypted in the database. A used or expired token cannot be reused. Signature links expire automatically and all opening and signing events are recorded in the case file.
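To make the token properties above concrete (unique, single-use, automatic expiry, opening and signing events recorded against the case), here is an added example of a link store; it is illustrative code, not OKLegal's. The page says tokens are encrypted in the database; this example instead stores only an HMAC-SHA256 of the raw token under a server-side pepper, which is a swapped-in technique chosen because the token is only ever looked up, never decrypted, and a copied database row still yields no usable link. The seven-day validity, the pepper, the IP addresses and every name in the block are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SignatureLink:
    case_id: str
    expires_at: int                 # unix time; links expire automatically
    used_at: Optional[int] = None   # set exactly once, on the single successful signing
    events: List[Tuple[int, str, str]] = field(default_factory=list)  # (time, ip, event)


class SignatureLinkStore:
    """Issues and redeems e-signature link tokens.

    The raw token exists only inside the URL sent to the signer. The store keeps a keyed
    digest of it, so neither a database dump nor an application log containing the
    digest can be turned back into a working link.
    """

    TOKEN_TTL = 7 * 24 * 3600  # assumed 7-day validity; the real expiry is not stated on the page

    def __init__(self, pepper: bytes):
        self._pepper = pepper               # assumption: loaded from a secret store, not the DB
        self._links: Dict[str, SignatureLink] = {}

    def _digest(self, raw_token: str) -> str:
        return hmac.new(self._pepper, raw_token.encode(), hashlib.sha256).hexdigest()

    def issue(self, case_id: str, now: int) -> str:
        raw = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG; unique per link
        self._links[self._digest(raw)] = SignatureLink(case_id, now + self.TOKEN_TTL)
        return raw                          # goes into the emailed link and is never stored

    def _lookup(self, raw_token: str) -> Optional[SignatureLink]:
        # Dict lookup on the digest: even a timing leak on this comparison would only
        # reveal the digest, which cannot be inverted to the raw token.
        return self._links.get(self._digest(raw_token))

    def open(self, raw_token: str, now: int, ip: str) -> str:
        """Called when the signer follows the link. Records the opening in the case file."""
        link = self._lookup(raw_token)
        if link is None:
            return "invalid"                # unknown token: no case to log against
        link.events.append((now, ip, "opened"))
        if now >= link.expires_at:
            return "expired"
        if link.used_at is not None:
            return "already_used"
        return "ok"

    def sign(self, raw_token: str, now: int, ip: str) -> str:
        """Consumes the token. Exactly one call per token can return 'signed'."""
        link = self._lookup(raw_token)
        if link is None:
            return "invalid"
        if now >= link.expires_at:
            link.events.append((now, ip, "rejected_expired"))
            return "expired"
        if link.used_at is not None:
            link.events.append((now, ip, "rejected_reused"))
            return "already_used"
        link.used_at = now                  # single use: every later attempt is rejected above
        link.events.append((now, ip, "signed"))
        return "signed"

    def case_events(self, raw_token: str) -> List[Tuple[int, str, str]]:
        link = self._lookup(raw_token)
        return list(link.events) if link else []


if __name__ == "__main__":
    store = SignatureLinkStore(b"constructed-pepper-for-the-example")
    raw = store.issue("case-42", now=1_000)
    print(store.open(raw, 1_010, "203.0.113.5"))   # ok
    print(store.sign(raw, 1_020, "203.0.113.5"))   # signed
    print(store.sign(raw, 1_030, "203.0.113.5"))   # already_used
    print(store.case_events(raw))
```

Rejected attempts are logged too: a burst of "rejected_reused" or "rejected_expired" events on one case is exactly the signal an audit reviewer wants to see.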
Compliance
OKLegal complies with the Law on the Protection of Individuals Against the Processing of Their Personal Data. You are the Data Controller of your clients' data; OKLegal acts as a Data Processor following your firm's instructions.
Although OKLegal operates primarily in Latin America, we have adopted the principles of the EU General Data Protection Regulation as our baseline standard: data minimization, purpose limitation, transparency, and data subject rights.
The integration with Costa Rica's Digital Signature (Gaudi) complies with the Law on Certificates, Digital Signatures and Electronic Documents. Documents signed via Digital Signature carry full legal validity equivalent to a handwritten signature.
OKLegal was designed with the attorney's confidentiality obligations in mind. Access to each case's data is strictly segmented: not even the OKLegal team can access your clients' documents without your explicit authorization.
Infrastructure
OKLegal is hosted on leading cloud providers with data centers certified to SOC 2 Type II and ISO 27001. Data is stored in high-availability regions with geographic redundancy.
The database and stored files are backed up automatically. Backups are retained for a minimum of 30 days and can be restored with point-in-time recovery. Backups are encrypted and stored in a geographically separate location.
OKLegal's infrastructure is continuously monitored. Automated alerts detect performance anomalies, suspicious access attempts, and availability events in real time.
Each firm operates in an isolated data space: every database query is scoped by the firm identifier, so a record belonging to one firm cannot be read or modified from another firm's account.
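The query-scoping rule described above, shown as an added example against an in-memory SQLite database (illustrative code, not OKLegal's schema or code). The firm identifier comes from the authenticated session when the repository is built and is appended to every statement; an unscoped lookup by id alone is included for contrast as the bug this prevents. The table, the sample rows and all names are constructed for the example.

```python
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE cases (
    id       INTEGER PRIMARY KEY,
    firm_id  TEXT NOT NULL,
    title    TEXT NOT NULL
);
CREATE INDEX cases_firm ON cases (firm_id);
"""

# Constructed sample data: two firms sharing one database.
SAMPLE_ROWS = [
    (1, "firm-a", "Smith v. Jones"),
    (2, "firm-a", "Estate of Pérez"),
    (3, "firm-b", "Acme Corp. contract review"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cases (id, firm_id, title) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class FirmScopedCases:
    """Every statement carries the firm_id of the authenticated session.

    The firm id is fixed at construction from the session, never taken from the request
    body or URL, so a client cannot name someone else's firm. Reads outside the firm
    return None and writes report no change, the same result as for an id that does not
    exist, so the other firm's case numbers are not confirmed to exist.
    """

    def __init__(self, conn: sqlite3.Connection, firm_id: str):
        if not firm_id:
            raise ValueError("firm_id is required; refusing to build an unscoped repository")
        self.conn = conn
        self.firm_id = firm_id

    def list_cases(self) -> List[Tuple[int, str]]:
        cur = self.conn.execute(
            "SELECT id, title FROM cases WHERE firm_id = ? ORDER BY id", (self.firm_id,))
        return cur.fetchall()

    def get_case(self, case_id: int) -> Optional[Tuple[int, str]]:
        cur = self.conn.execute(
            "SELECT id, title FROM cases WHERE id = ? AND firm_id = ?", (case_id, self.firm_id))
        return cur.fetchone()

    def rename_case(self, case_id: int, title: str) -> bool:
        cur = self.conn.execute(
            "UPDATE cases SET title = ? WHERE id = ? AND firm_id = ?", (title, case_id, self.firm_id))
        self.conn.commit()
        return cur.rowcount == 1           # False when the row is missing or belongs to another firm


def unscoped_get_case(conn: sqlite3.Connection, case_id: int) -> Optional[Tuple[int, str]]:
    """The bug the scoped repository prevents: a lookup by id alone trusts the id from the
    request and returns whatever row it names (an insecure direct object reference)."""
    return conn.execute("SELECT id, title FROM cases WHERE id = ?", (case_id,)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    firm_a = FirmScopedCases(conn, "firm-a")
    print(firm_a.get_case(3))              # None: case 3 belongs to firm-b
    print(unscoped_get_case(conn, 3))      # (3, 'Acme Corp. contract review'): the leak
    print(firm_a.rename_case(3, "x"))      # False: no row matched for firm-a
```

Keeping the scope inside the repository, rather than in each handler, is what lets a reviewer check the guarantee in one place; a second defence layer such as per-row policies in the database would keep it even if a query bypassed the repository.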
The OKLegal team applies security patches for critical dependencies within 72 hours of public disclosure. Platform updates are deployed with a zero-downtime strategy so they never interrupt your work.
Responsible disclosure
If you are a security researcher and discover a vulnerability in OKLegal, we ask that you report it to us responsibly before making it public. We commit to responding within 48 business hours and working with you to resolve the issue.
Report vulnerabilities to: [email protected]. Please include a description of the issue, steps to reproduce it, and the potential impact. Do not disclose the issue publicly until we have had the opportunity to address it.
OKLegal does not take legal action against researchers who follow a good-faith responsible disclosure process.
All these protections are active from day one, on every plan, at no additional cost.