Skip to content

Security

CaseFlow is built to protect your firm's data and your clients' confidential information. This section covers the security features available to you and best practices for keeping your account safe.

Security features

FeatureAvailable on
Two-factor authentication (2FA)All plans
Brute force protectionAll plans
CSRF protectionAll plans
GDPR toolsAll plans
Encrypted sessionsAll plans
Per-tenant data isolationAll plans
Confidentiality email disclaimerAll plans
Tamper-evident audit logAll plans
Trust-account audit log (7-year retention)All plans
Per-matter audit trail tabGrowth and Multi-Practice
CSV exportGrowth and Multi-Practice
Tamper-sealed signed JSON exportMulti-Practice only
SIEM streaming (Splunk HEC + generic webhook)Growth and Multi-Practice
RFC 3161 daily timestamp signaturesMulti-Practice only
Granular permissionsMulti-Practice only
Ethical wallsMulti-Practice only

Data isolation

Each firm gets its own fully isolated workspace. There is no shared data between firms. Even if two firms run on the same server, one firm cannot access another's records — the isolation is enforced at the storage layer, not just in the application.

Encryption

  • Sessions are encrypted
  • Passwords are hashed (bcrypt)
  • All connections use HTTPS (TLS 1.2+)
  • Trust documents in the vault have additional encryption

What you control

As a firm administrator, you can:

  • Enable/disable 2FA for your own account (staff manage their own)
  • Set password requirements
  • Manage staff access and roles (Multi-Practice)
  • Export or delete client data (GDPR compliance)
  • View the general audit log on Growth and Multi-Practice
  • View the trust-account audit log on every plan (bar-mandatory)
  • Download daily RFC 3161 timestamp certificates on Multi-Practice

In this section