Security
CaseFlow is built to protect your firm's data and your clients' confidential information. This section covers the security features available to you and best practices for keeping your account safe.
Security features
| Feature | Available on |
|---|---|
| Two-factor authentication (2FA) | All plans |
| Brute force protection | All plans |
| CSRF protection | All plans |
| GDPR tools | All plans |
| Encrypted sessions | All plans |
| Per-tenant data isolation | All plans |
| Confidentiality email disclaimer | All plans |
| Granular permissions | Multi-Practice only |
| Ethical walls | Multi-Practice only |
Data isolation
Each firm gets its own fully isolated workspace. There is no shared data between firms. Even if two firms run on the same server, one firm cannot access another's records — the isolation is enforced at the storage layer, not just in the application.
Encryption
- Sessions are encrypted
- Passwords are hashed (bcrypt)
- All connections use HTTPS (TLS 1.2+)
- Trust documents in the vault have additional encryption
What you control
As a firm administrator, you can:
- Enable or disable 2FA for your own account (staff members manage 2FA on their own accounts)
- Set password requirements
- Manage staff access and roles (Multi-Practice)
- Export or delete client data (GDPR compliance)
- View audit logs of system activity (Multi-Practice)