Security & Compliance
Last updated: February 24, 2026
Security is foundational to SoloMatter. As a platform that handles sensitive legal practice data, we implement multiple layers of protection to ensure your information remains confidential, available, and uncompromised.
1. Our Commitment
We take a defense-in-depth approach to security, applying controls at the network, application, and data layers. Our architecture is designed so that no single point of failure can expose your data, and every significant action is logged for accountability.
2. Encryption in Transit
All connections to SoloMatter are encrypted using TLS 1.2 or higher. This includes:
- Browser-to-server communication (HTTPS enforced via Cloudflare).
- API requests between the application and database.
- Connections to third-party services (Google, Square, Anthropic).
3. Encryption at Rest
Database storage is encrypted at the filesystem level. Documents stored in Google Drive benefit from Google's own encryption at rest, which uses AES-256.
4. Authentication & Access Controls
SoloMatter uses Supabase Auth for authentication with the following measures:
- Email and password authentication with secure password hashing.
- JWT-based sessions with short-lived access tokens and automatic refresh.
- Role-based access control (RBAC) with three permission levels:
  - Admin — full access including invoice approval, audit logs, and firm settings.
  - Staff — manage matters, tasks, time entries, and documents.
  - Client — read-only access to their own matters, invoices, and intake forms.
- Middleware-enforced authorization that blocks mutation requests from client-role users at the HTTP level.
5. Multi-Tenant Architecture
SoloMatter is a multi-tenant platform where each law firm's data is logically isolated. Tenant separation is enforced at the database level using PostgreSQL Row-Level Security (RLS) policies. Every query is scoped to the authenticated user's tenant, ensuring firms cannot access each other's data even in the event of an application-level bug.
6. Data Isolation
Row-Level Security policies enforce the following isolation rules:
- Clients can only view matters, invoices, and tasks explicitly associated with them.
- Staff and admin users can access data within their own firm only.
- All RLS policies use security-definer functions to prevent policy recursion.
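As an added illustration of the security-definer pattern described above (example code, not SoloMatter's own schema or policies: the table, column and function names are hypothetical, and auth.uid() is assumed to be Supabase Auth's caller-id function), this shows how a helper function breaks the policy recursion that a direct subquery on the membership table would cause:

```sql
-- Constructed example schema (not SoloMatter's): firm membership and matters.
create table firm_members (
  user_id uuid not null,
  firm_id uuid not null,
  role    text not null check (role in ('admin', 'staff', 'client')),
  primary key (user_id, firm_id)
);

create table matters (
  id      uuid primary key default gen_random_uuid(),
  firm_id uuid not null,
  title   text not null
);

alter table firm_members enable row level security;
alter table matters      enable row level security;

-- Members may read only their own membership rows.
create policy firm_members_self on firm_members
  for select using (user_id = auth.uid());

-- A matters policy that subqueried firm_members directly would trigger the
-- firm_members policy on every row check; if that policy in turn consulted
-- firm_members, PostgreSQL would abort with "infinite recursion detected in
-- policy". The security-definer helper below runs as its owner (assumed to be
-- the table owner, so RLS is bypassed for this one lookup), breaking the cycle.
create or replace function current_staff_firm_ids()
returns setof uuid
language sql
stable
security definer
set search_path = public   -- pin search_path so the function cannot be hijacked
as $$
  select firm_id
  from firm_members
  where user_id = auth.uid()        -- auth.uid(): Supabase Auth caller id (assumed)
    and role in ('admin', 'staff');
$$;

-- Limit who may call the helper; never leave a definer function callable by public.
revoke all on function current_staff_firm_ids() from public;
grant execute on function current_staff_firm_ids() to authenticated;

-- Tenant isolation for staff/admin: read and write only within their own firm.
create policy matters_firm_isolation on matters
  for all to authenticated
  using      (firm_id in (select current_staff_firm_ids()))
  with check (firm_id in (select current_staff_firm_ids()));
```

The with check clause matters as much as using: without it a staff user could insert or update a row into another firm's tenant even though they could never read it back.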
All data mutations (creates, updates, deletes) are recorded in a comprehensive audit log that captures the user, action, timestamp, and affected record.
7. Backup & Recovery
We perform regular automated backups of the database. Backups are stored separately from the production environment. Documents stored in Google Drive benefit from Google's built-in redundancy and version history.
8. Audit Logging
SoloMatter maintains an immutable audit trail of all significant actions:
- Matter creation, stage changes, and updates.
- Time entry and invoice operations.
- Client account creation and role changes.
- Document uploads and sharing.
- AI assistant interactions and tool invocations.
- Authentication events (sign-in, sign-out).
Audit logs are accessible to firm administrators through the platform and can be exported on request.
9. Incident Response
Our incident response process follows four phases:
- Detection — continuous monitoring of application logs, error rates, and authentication anomalies.
- Containment — immediate isolation of affected systems and revocation of compromised credentials.
- Notification — affected firm administrators are notified within 72 hours of confirmed breach discovery, with details on scope and impact.
- Post-mortem — root cause analysis and implementation of preventive measures, with a summary shared with affected parties.
10. Infrastructure
SoloMatter runs on self-hosted infrastructure:
- Application and database run in Docker containers.
- Cloudflare provides edge security including DDoS protection, WAF rules, and TLS termination.
- Traffic routes through Cloudflare Tunnel, meaning the origin server IP is not publicly exposed.
- The infrastructure is maintained directly by the SoloMatter team, giving us full control over security configuration and updates.
11. Contact
If you have questions about our security practices, wish to report a vulnerability, or need to discuss specific compliance requirements, contact us at [email protected].
We welcome responsible disclosure of security vulnerabilities and will work with researchers to address confirmed issues promptly.