Feature 06 / 06 · Security

Encryption at rest, encryption in transit, segregated tenancy, signed audit ledger. Compliance is the floor, not the ceiling.

Posture
Encryption: AES-256-GCM
Transport: TLS 1.2+
Isolation: Per tenant
Audit: SOC 2 Type II

How it works

Four moves, one tidy trail.

Encrypt at rest.

Every document is encrypted with AES-256-GCM before it hits disk. Keys are scoped per tenant and rotated annually. Enterprise customers can bring their own KMS.

Encryption envelope
data-key: AES-256-GCM (random, 96-bit IV)
wrapped-by: KMS tenant CMK
rotation: annual / on-demand
✓ Documents unrecoverable without tenant CMK
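
The envelope scheme described above, as an added sketch that is not legesis's own code: a per-document data key seals the document with AES-256-GCM and a random 96-bit IV, and the tenant CMK wraps the data key. Assumptions: the CMK is a local 32-byte stand-in for a KMS-held key, the tenant ID is bound as associated data, rotation is done by re-wrapping the data key, and all function and field names are illustrative.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

IV_LEN = 12  # 96-bit IV, as in the envelope spec

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM under a fresh random IV; returns IV || ciphertext || tag."""
    iv = os.urandom(IV_LEN)
    return iv + AESGCM(key).encrypt(iv, plaintext, aad)

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Raises InvalidTag if the key, the AAD or any byte of blob was altered."""
    return AESGCM(key).decrypt(blob[:IV_LEN], blob[IV_LEN:], aad)

def encrypt_document(cmk: bytes, tenant: str, doc: bytes) -> dict:
    """Seal doc under a one-off data key, then wrap that key under the CMK."""
    data_key = AESGCM.generate_key(bit_length=256)
    aad = tenant.encode()  # assumption: tenant ID bound as associated data
    return {"tenant": tenant,
            "wrapped_key": seal(cmk, data_key, aad),
            "ciphertext": seal(data_key, doc, aad)}

def decrypt_document(cmk: bytes, record: dict) -> bytes:
    aad = record["tenant"].encode()
    data_key = unseal(cmk, record["wrapped_key"], aad)
    return unseal(data_key, record["ciphertext"], aad)

def rewrap(old_cmk: bytes, new_cmk: bytes, record: dict) -> dict:
    """Rotation (assumed approach): re-wrap the data key, leave the document."""
    aad = record["tenant"].encode()
    data_key = unseal(old_cmk, record["wrapped_key"], aad)
    return {**record, "wrapped_key": seal(new_cmk, data_key, aad)}

def recoverable(cmk: bytes, record: dict) -> bool:
    """True only if cmk unwraps the data key and the document authenticates."""
    try:
        decrypt_document(cmk, record)
        return True
    except InvalidTag:
        return False

if __name__ == "__main__":
    # Constructed stand-ins for two generations of a KMS-held tenant CMK.
    cmk_v1, cmk_v2 = os.urandom(32), os.urandom(32)
    rec = encrypt_document(cmk_v1, "tenant-a", b"constructed sample contract")
    rotated = rewrap(cmk_v1, cmk_v2, rec)
    print(recoverable(cmk_v2, rotated), recoverable(cmk_v1, rotated))
```

With a real KMS the wrap and unwrap calls run inside the KMS and the CMK bytes never reach the application; only the data key does, and only for the duration of the operation.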

Isolate by tenant.

Storage, database rows, event logs — all scoped by workspace at the query layer. A bug in our code cannot leak data across tenants.

Tenant scoping
SELECT * FROM envelopes
  WHERE tenant_id = :tenant
    AND id = :envelope;

Every query passes through a policy gate that enforces tenant_id scoping at the database layer.

Control who can act.

SSO / SAML on Enterprise, SCIM for automated provisioning, role-based access for everything else. Every privileged action is logged with actor, IP, and reason.

Role matrix
Capability | Admin | Sender | Viewer
Send envelope
Edit templates
Rotate keys
Read audit log

Prove it on demand.

SOC 2 Type II report, penetration test results, sub-processor list, and our incident response runbook all live in our trust portal. You don’t need to ask.

Trust portal
  • SOC 2 Type II (current)
  • Penetration test — Q1 2026
  • Sub-processor register
  • Incident response runbook
  • GDPR / CCPA DPA templates

Proof

Numbers the team actually checks.

AES-256
Encryption at rest

GCM mode, per-tenant keys

TLS 1.2+
In transit

TLS 1.3 in most regions

SOC 2
Type II audited

Annual audit, report on request

0
Cross-tenant incidents

Since inception

Compliance

SOC 2-ready on day one. Audited annually.

legesis’s security program is audited annually against SOC 2 Type II. GDPR, CCPA, and UK-GDPR Data Processing Addenda are available for every customer. HIPAA Business Associate Agreements are available on Enterprise.

We publish sub-processors, penetration test summaries, and our incident response runbook in the trust portal. For a deeper review, request access to our SOC 2 report and architecture documents — we hand them to customers inside one business day.

Questions

Before you write it in.

  • Yes, on Enterprise. legesis supports BYOK via AWS KMS, GCP KMS, or Azure Key Vault. Revoke your key, and every legesis envelope becomes cryptographically inaccessible — including to us.

Start today

Five free envelopes, no credit card. You can upgrade, downgrade, or walk away — we designed it that way.
