Security
CaseFlow is built to protect your firm's data and your clients' confidential information. This section covers the security features available to you and best practices for keeping your account safe.
Security features
| Feature | Available on |
|---|---|
| Two-factor authentication (2FA) | All plans |
| Brute force protection | All plans |
| CSRF protection | All plans |
| GDPR tools | All plans |
| Encrypted sessions | All plans |
| Per-tenant data isolation | All plans |
| Confidentiality email disclaimer | All plans |
| Tamper-evident audit log | All plans |
| Trust-account audit log (7-year retention) | All plans |
| Per-matter audit trail tab | Growth and Multi-Practice |
| CSV export | Growth and Multi-Practice |
| Tamper-sealed signed JSON export | Multi-Practice only |
| SIEM streaming (Splunk HEC + generic webhook) | Growth and Multi-Practice |
| RFC 3161 daily timestamp signatures | Multi-Practice only |
| Granular permissions | Multi-Practice only |
| Ethical walls | Multi-Practice only |
Data isolation
Each firm gets its own fully isolated workspace. There is no shared data between firms. Even if two firms run on the same server, one firm cannot access another's records — the isolation is enforced at the storage layer, not just in the application.
Encryption
- Sessions are encrypted
- Passwords are hashed (bcrypt)
- All connections use HTTPS (TLS 1.2+)
- Trust documents in the vault have additional encryption
What you control
As a firm administrator, you can:
- Enable/disable 2FA for your own account (staff manage their own)
- Set password requirements
- Manage staff access and roles (Multi-Practice)
- Export or delete client data (GDPR compliance)
- View the general audit log on Growth and Multi-Practice
- View the trust-account audit log on every plan (bar-mandatory)
- Download daily RFC 3161 timestamp certificates on Multi-Practice