
Architecture

At Sonar Legal, protecting your sensitive data is our highest priority. We implement robust, industry-leading security measures to ensure that your data is secure. Sonar Legal focuses on drafting: it is not a contract management or document management solution. Therefore, the amount of truly sensitive data is very limited—especially when users implement their own knowledge base stored locally. For cases where the knowledge base is hosted remotely, we strongly encourage anonymizing sensitive data before upload. Although we do not recommend storing client-sensitive data in your knowledge base, our entire architecture is built on the assumption that, if highly sensitive data is ever saved on Sonar Legal's database, it will be protected by rigorous security controls.

Processing

Sonar Legal is a JavaScript-based MS Word add-in that processes most data locally on your device:

  • Client-Side Processing: The majority of the add-in's functionality runs locally on your device without any data being transmitted to our servers.
  • Secure API Communication: The application makes secure API calls to our backend services over HTTPS for all AI workflows, such as Knowledge Base Search and AI-assisted drafting.

Data Transmission & Session Management

Sonar Legal operates as an MS Word add-in that connects securely to our backend services. For static workflows, the application makes HTTPS API calls. For dynamic features like AI-assisted drafting, we maintain a secure WebSocket connection (WSS) that enables real-time interactions. All data exchanged between the client and server is encrypted, and requests are protected against Cross-Site Request Forgery (CSRF) attacks.

Session management is handled through secure cookies that expire after 7 days. These cookies can be invalidated remotely on a per-user basis if needed, requiring users to re-authenticate. User preferences and session data are stored securely in the browser, with sensitive information properly encrypted.

Development & Internal Security Practices

Our development and security operations follow industry-leading practices and frameworks:

  • Secure Development Lifecycle (SDL): We implement Microsoft's SDL framework with regular security testing, code reviews, and automated vulnerability scanning.
  • OWASP Compliance: Our development practices strictly adhere to OWASP Top 10 and SANS Top 25 security guidelines to prevent common vulnerabilities.
  • Access Control: We enforce the principle of least privilege (PoLP) and role-based access control (RBAC) across all systems.
  • Device Management: All development devices are managed through Mobile Device Management (MDM) with:
    • Full-disk encryption (AES-256)
    • Automatic security updates
    • Remote wipe capabilities
  • Authentication & Authorization:
    • Mandatory multi-factor authentication (MFA) using FIDO2-compliant security keys
    • Regular access reviews and automated account deprovisioning
  • Secure Infrastructure:
    • End-to-end encryption for all communications
    • Zero-trust network architecture
    • Regular security audits and penetration testing

For any further details or inquiries regarding our security measures, please contact contact@auto-dox.com.