Security, Encryption and POPIA Compliance
Digiiworks Legal is built with security at every layer. Here's how your data is protected.
Encryption
- 256-bit AES-GCM encryption is applied to all sensitive data (client PII, matter details, documents) before it reaches the database.
- Encryption keys are stored in secure environment variables — they never touch the database or application code.
- Documents are encrypted at rest and served via signed URLs that expire after 1 hour.
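The pattern described in the three points above, shown as an added example in Go that is not Digiiworks Legal's own code: a 256-bit key loaded from an environment variable, a field sealed with AES-GCM before it is stored, and a document URL that carries an HMAC tag and stops verifying after its expiry. The variable name DEMO_DATA_KEY, the use of the firm identifier as GCM associated data, and the HMAC-SHA256 query-string scheme are assumptions made for this example; the page only states that keys live in environment variables and that signed URLs expire after 1 hour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// LoadKey reads a hex-encoded 256-bit key from the environment variable envVar,
// so the key is never in code or in a table. The variable name is an assumption.
func LoadKey(envVar string) ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv(envVar))
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("%s: expected a 32-byte key, got %d bytes", envVar, len(key))
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive field with AES-256-GCM before it is written.
// firmID is bound in as associated data (an assumption of this example), so a
// ciphertext copied into another firm's row no longer authenticates.
// Stored layout: base64(nonce || ciphertext || tag).
func EncryptField(key []byte, firmID string, plaintext []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 random bytes, fresh for every call
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(firmID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; a wrong key, a wrong firmID or any
// modified byte fails the GCM tag check and returns an error.
func DecryptField(key []byte, firmID string, stored string) ([]byte, error) {
	data, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(data) < n {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	return aead.Open(nil, data[:n], data[n:], []byte(firmID))
}

// SignURL appends an expiry timestamp and an HMAC-SHA256 tag over path+expiry:
// the shape of a signed document URL that stops working after the expiry.
func SignURL(signingKey []byte, path string, expires time.Time) string {
	exp := strconv.FormatInt(expires.Unix(), 10)
	return path + "?expires=" + exp + "&sig=" + urlTag(signingKey, path, exp)
}

func urlTag(signingKey []byte, path, exp string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(path + "\n" + exp))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyURL returns true only if now is before the expiry and the tag matches
// (compared in constant time), so neither an expired link nor an edited path passes.
func VerifyURL(signingKey []byte, signed string, now time.Time) bool {
	path, rest, ok := strings.Cut(signed, "?expires=")
	if !ok {
		return false
	}
	exp, sig, ok := strings.Cut(rest, "&sig=")
	if !ok {
		return false
	}
	expUnix, err := strconv.ParseInt(exp, 10, 64)
	if err != nil || now.Unix() > expUnix {
		return false
	}
	return hmac.Equal([]byte(urlTag(signingKey, path, exp)), []byte(sig))
}

func main() {
	os.Setenv("DEMO_DATA_KEY", strings.Repeat("0f", 32)) // constructed demo key; set outside the code in real use
	key, err := LoadKey("DEMO_DATA_KEY")
	if err != nil {
		panic(err)
	}
	stored, _ := EncryptField(key, "firm-a", []byte("Jane Doe, ID 000000")) // constructed sample PII
	plain, _ := DecryptField(key, "firm-a", stored)
	_, crossFirm := DecryptField(key, "firm-b", stored)
	fmt.Printf("decrypted: %s; cross-firm decrypt fails: %v\n", plain, crossFirm != nil)
	secret, issued := []byte("url-signing-secret"), time.Now()
	link := SignURL(secret, "/documents/42.pdf", issued.Add(time.Hour))
	fmt.Println("valid now:", VerifyURL(secret, link, issued), "valid after 2h:", VerifyURL(secret, link, issued.Add(2*time.Hour)))
}
```

The expiry is checked before the tag so that a link past its hour is refused regardless of who signed it, and the firm identifier in the associated data means field-level encryption and tenant isolation reinforce each other rather than relying on the row filter alone.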
Authentication
- Magic link login — No passwords to remember or leak. Users authenticate via a secure email link.
- Auto-logout — Portal sessions expire after 30 minutes of inactivity. When your session expires, you'll see a login screen and need to request a new magic link. Any unsaved work in progress is preserved where possible.
- No shared credentials — Every team member has their own account with individual access logging.
What If My Magic Link Doesn't Arrive?
- Check your spam/junk folder.
- Ensure the email address matches your account exactly.
- Magic links expire after 1 hour — request a new one if needed.
- If issues persist, ask your firm's owner to verify your email under Settings → Team Members, or submit a support ticket (see Submitting Support Tickets).
Data Isolation
- Row Level Security (RLS) ensures every database query is scoped to your firm. One firm can never see another firm's data — this is enforced at the database level, not just the application layer.
- Multi-tenant architecture with strict firm_id filtering on every table and every query.
POPIA Compliance
As a South African platform, we take POPIA seriously:
- Data minimisation — We only collect what's necessary for legal practice management.
- Right of access — Clients can request their data through the portal.
- Data retention — Configure retention periods under Settings → Compliance.
- Breach notification — Our incident response plan includes client notification within 72 hours as required.
Best Practices
- Enable two-factor authentication on your email account (used for magic links).
- Review the access log under Settings → Security periodically.
- Train your team on POPIA obligations — we provide a compliance checklist under Settings → Compliance.
- See User Roles and Permissions for how to manage who has access to what.