Your clients trust you with their most sensitive information. We protect it with independently audited infrastructure, end-to-end encryption, and defense-in-depth security controls.
Infrastructure
Every layer of our infrastructure stack has been independently audited and certified to SOC 2 Type 2 or PCI DSS standards.
| Provider | Purpose | Certification | Detail |
|---|---|---|---|
| Backblaze B2 | Document Storage | SOC 2 Type 2 | December 2025 audit, no exceptions noted |
| Neon | Database (PostgreSQL) | SOC 2 Type 2 | Continuous compliance with point-in-time recovery |
| Vercel | Hosting & Edge Network | SOC 2 Type 2 | Global edge network with automatic TLS |
| Stripe | Payment Processing | PCI DSS Level 1 | Highest level of payment security certification |
Security Controls
Multiple layers of security controls protect your data at every stage — at rest, in transit, and at the application layer.
All documents and sensitive fields are encrypted at rest using AES-256-GCM. Encryption keys are rotated and never stored alongside data.
Every connection is encrypted with TLS 1.3. HTTPS is enforced across all endpoints with HSTS headers.
TOTP-based 2FA with backup codes and trusted device management. Available for all user accounts.
Every sensitive operation is logged with user, timestamp, IP, and action detail. Immutable audit trail for compliance.
Six-role permission system with per-feature granularity. Every API route enforces authorization checks.
All database queries are scoped to firm ID. No cross-tenant data access is possible at the application layer.
All incoming webhooks (Stripe, Twilio, Clio) are cryptographically validated before processing.
Payment data never touches our servers. All billing flows through Stripe with PCI DSS Level 1 certification.
Application Audit
NYL application-level SOC 2 Type 1 audit in progress — Q3 2026
Our infrastructure providers are SOC 2 Type 2 certified. The NYL application itself is undergoing its own SOC 2 Type 1 audit, expected to complete in Q3 2026. We implement SOC 2-aligned controls across our entire application layer today.
Questions about security?
Our team is happy to discuss our security posture, provide documentation, or schedule a security review call.