Security
Encryption at rest
Every uploaded document is sealed under a fresh per-document Data Encryption Key (DEK). The DEK is wrapped under a server master key held in Azure Key Vault, which the runtime accesses via a Managed Identity scoped to the get and list permissions on a single vault. The plaintext document never persists; only the sealed bytes plus the wrapped DEK live on disk and in the database.
Encryption in transit
TLS 1.2+ on every public endpoint. HSTS enforced. Database connections require SSL.
Authentication
Magic-link tokens (256-bit cryptographic random). Tokens are stored only as SHA-256 hashes — the plaintext token exists only in the email it was issued in. Every token has a 30-day expiry. A new draft rotates every collaborator's token atomically, killing all prior links.
Optional recovery passphrase per document — the DEK is also wrapped under a PBKDF2-derived key from the passphrase. We never store the passphrase itself, only the wrapped DEK + IV + auth tag.
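The magic-link handling described above, sketched as an added example (not our production code): the server keeps only the SHA-256 hash of each 256-bit token, enforces the 30-day expiry, and replaces every collaborator's token in one step when a new draft arrives. The TokenStore class, its in-memory dict and the method names are assumptions standing in for the real database table.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32               # 256-bit random token, as stated above
TOKEN_TTL = 30 * 24 * 3600     # 30-day expiry, as stated above


def _digest(token: str) -> str:
    # Only this hash is stored; the plaintext token goes out in the email.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """In-memory stand-in (assumption) for the table of token hashes."""

    def __init__(self):
        self._rows = {}  # sha256 hex -> (document_id, collaborator, expires_at)

    def rotate(self, document_id, collaborators, now=None):
        """Issue fresh tokens for a document and drop all of its prior ones."""
        now = time.time() if now is None else now
        issued = {c: secrets.token_urlsafe(TOKEN_BYTES) for c in collaborators}
        fresh = {_digest(t): (document_id, c, now + TOKEN_TTL) for c, t in issued.items()}
        kept = {h: r for h, r in self._rows.items() if r[0] != document_id}
        # Single swap, standing in for one database transaction (assumption).
        self._rows = {**kept, **fresh}
        return issued  # plaintext tokens, to be emailed and then forgotten

    def verify(self, token, now=None):
        """Return (document_id, collaborator) for a live token, else None."""
        now = time.time() if now is None else now
        try:
            row = self._rows.get(_digest(token))
        except UnicodeEncodeError:  # non-ASCII input can never be a valid token
            return None
        if row is None or now >= row[2]:
            return None
        return row[0], row[1]

    def stored_values(self):
        """What an attacker reading the table would see: hashes only."""
        return set(self._rows)
```

Because lookup is by hash of a high-entropy random value, a leaked table does not yield usable links.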
Audit log
Every access attempt (successful or failed) is recorded with timestamp, IP, user-agent, and document. The full evidence-chain export (downloadable from the dashboard) includes this log for any legal proceeding.
Infrastructure
- Microsoft Azure, East US 2.
- Compute: Azure Container Apps with min-2 replicas (rolling deploys never drop requests).
- Storage: Azure Managed Postgres with TLS-required + point-in-time recovery.
- Secrets: Azure Key Vault only; container env vars reference KV via Managed Identity.
- Payments: Stripe (PCI DSS Level 1). We never see card numbers.
Responsible disclosure
If you find a vulnerability, please email support@redlines.law with full details. We will respond within 72 hours. Please do not publicly disclose until we have had a reasonable window to remediate.
What we are still building
We are working towards SOC 2 Type II. We do not yet have HIPAA / FedRAMP / ISO 27001 certifications. If your engagement requires a specific compliance regime, contact us before uploading.
