Your documents carry weight. legesis is engineered so that weight is earned — every byte encrypted, every action audited, every tenant isolated, every incident rehearsed.
Three layers. No single point of failure.
Encryption
- AES-256-GCM at rest
- TLS 1.2+ in transit
- BYOK supported via AWS/GCP/Azure KMS
- Document keys rotated annually
Isolation
- Tenant scoping at the query layer
- Separate object-store buckets per tenant
- No shared credentials across workloads
- Region pinning (EU · US · APAC)
Access
- SSO / SAML 2.0 (Enterprise)
- SCIM 2.0 automated provisioning
- IP allowlisting per API key
- Every privileged action audit-logged
From upload to sealed envelope.
Every event, sealed and verifiable.
Chain heads are published to an independent append-only log every 24 hours. If we were ever to alter the record, the embedded chain head in your Evidence Certificate would no longer verify — and you’d know.
envelope: env_01h9k4xq9 seal: 2025-04-12T14:04:02Z chain: b601…72d4 (verified ✓) events: 6 actors: 2 signers · 1 cc keys: tenant-scoped CMK region: eu-west-1 retained: 10 years
Rehearsed. Published. Transparent.
We run tabletop incident exercises quarterly. Material incidents are disclosed to affected customers within 24 hours; personal data breaches within 72 hours per GDPR. Post-mortems are written for every Sev-2 and above, and are shared on request.
Request the SOC 2 report, architecture diagrams, sub-processor register, and our pen-test summary — delivered under NDA within one business day.
No card required · 5 free envelopes · Cancel anytime.