Information Security at Archis
Last updated: June 25, 2026
At Archis Technologies, we recognize that law practices process highly sensitive, confidential, and attorney-client privileged data. This document outlines the actual security measures, operational procedures, and architectural limitations of the Archis practice management platform, providing a transparent review of our data protection controls.
1. Technical Security Measures
We implement the following technical controls to protect data stored on our platform:
- Data Isolation (Row-Level Security): The Service uses a shared-database multi-tenant architecture. Workspace isolation is enforced directly at the database engine layer using PostgreSQL Row-Level Security (RLS) policies. Every database query, insert, update, or delete is automatically scoped and restricted based on the authenticated user's verified `firm_id` session variable.
- Encryption in Transit and at Rest:
  - Encryption in Transit: All network communications between the user's web browser and our servers are encrypted using Transport Layer Security (TLS 1.3).
  - Encryption at Rest: Databases, transaction logs, and file storage buckets are encrypted at rest using Advanced Encryption Standard (AES-256) through our cloud infrastructure provider.
- Role-Based Access Control (RBAC): The application checks and enforces role definitions programmatically in client routes, API endpoints, and database triggers.
  - Lawyers possess full administrative permissions, enabling them to manage the roster, delete clients/cases/tasks/documents, and manage billing.
  - Paralegals can view cases, tasks, and documents, upload files, and log or edit their own unbilled hours. They are blocked from delete operations, editing task metadata (except task status), and viewing invoices.
  - Secretaries can manage client contact details, upload files, and log their own unbilled hours. They are blocked from case tracking and billing details.
- Private Document Storage: Document binaries are stored in private cloud storage buckets. Access to documents is restricted and requires a cryptographically signed URL. Signed URLs are temporary and automatically expire after one (1) hour. Uploads are subject to a client-side file size limit of 50 MB and workspace quota restrictions (defaulting to 1 GB unless customized).
- Session and Cookie Security: Authentication sessions are managed using JSON Web Tokens (JWT). The tokens (`sb-access-token` and `sb-refresh-token`) are stored client-side in browser storage to verify requests sent to the server. They are transmitted securely, but because they are managed via client-side libraries, they do not utilize the `HttpOnly` flag.
- Billing and Payment Integrity: Invoice status transitions are strictly governed by database triggers that enforce an authorized workflow state machine.
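One way to express the tenant scoping described under Data Isolation above in PostgreSQL. This is an added example, not Archis's schema or policies; the table `cases`, the role `app_user` and the setting name `app.firm_id` are assumptions, and the script expects a superuser session in a scratch database.

```sql
-- Added example. Assumed names: table cases, role app_user, setting app.firm_id.
CREATE TABLE cases (
    id      bigserial PRIMARY KEY,
    firm_id uuid NOT NULL,
    title   text NOT NULL
);

-- Constructed sample rows for two firms, loaded before RLS is switched on.
INSERT INTO cases (firm_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Firm A: constructed case'),
    ('22222222-2222-2222-2222-222222222222', 'Firm B: constructed case');

-- ENABLE turns policies on; FORCE also applies them to the table owner.
ALTER TABLE cases ENABLE ROW LEVEL SECURITY;
ALTER TABLE cases FORCE ROW LEVEL SECURITY;

-- USING filters rows for SELECT/UPDATE/DELETE; WITH CHECK rejects INSERT or
-- UPDATE results that carry another firm_id. An unset or empty setting
-- becomes NULL, so the comparison is never true and the policy fails closed.
CREATE POLICY firm_isolation ON cases
    FOR ALL
    USING      (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid)
    WITH CHECK (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid);

-- Application role without superuser or BYPASSRLS. Roles that have either
-- attribute skip every policy above.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON cases TO app_user;
GRANT USAGE ON SEQUENCE cases_id_seq TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
-- The server sets this from the verified session, never from client input.
-- Third argument true makes the value local to this transaction.
SELECT set_config('app.firm_id', '11111111-1111-1111-1111-111111111111', true);

-- Scoped by the policy to rows whose firm_id matches the setting.
SELECT title FROM cases;

-- Targets Firm B's row; the USING clause hides it from this session.
UPDATE cases SET title = 'changed'
 WHERE firm_id = '22222222-2222-2222-2222-222222222222';

-- An INSERT carrying Firm B's firm_id here is rejected by WITH CHECK.
ROLLBACK;
```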
2. Operational Procedures
- Administrator & Support Access:
  - Database Controls: Standard administrative access is restricted. The database RLS policies enforce `SELECT`-only permissions for designated "Super Admins," preventing them from modifying or deleting Customer Data within standard client applications.
  - System Operations: To maintain the platform, perform system migrations, and execute team invitation flows, platform operators utilize the Supabase Service Role key or direct database connection credentials. This access bypasses database RLS policies and is strictly restricted to authorized platform administrators for maintenance, compliance, and emergency support.
  - Support Requests: Support staff will only access case files or metadata when explicitly requested by a Customer for technical support or troubleshooting.
- User Invitation & Credential Setup:
  - Invitation Flow: Workspace invitations are initiated by a Lawyer and processed server-side via a secure API route using administrative credentials.
  - Password Management: User passwords are encrypted and hashed by the authentication provider. Workspace invitations generate a secure, cryptographically random temporary password which is transmitted to the creator. The invited user is forced to create a new password immediately upon their first login before they can access any workspace features.
- Data Retention and Deletion:
  - Account Deletion: Customer-initiated account cancellation deletes the subscription. Data is retained for thirty (30) days in an inactive state to allow for customer export.
  - Permanent Purge: After the 30-day grace period, all database entries and storage files associated with the workspace are permanently deleted.
3. Platform Limitations
When designing your firm's compliance and risk policies, please note the following technical characteristics of the Service:
- Case History Audit Trails:
  - Case change logs (such as status updates or court date shifts) are recorded in the `case_history` table. These logs are generated programmatically by the client application on update events, rather than automatically by database-level triggers. The timestamp (`changed_at`) is forced to server-time upon insertion.
  - Immutability: Standard users cannot update or delete entries in the `case_history` table.
  - Hard-Deletion Cascade: If a case is deleted, all related case history entries are automatically deleted from the database.
  - No Read Logs: The platform does not log read operations (SELECT statements) on case records or client files.
- Data Backups:
  - Database backups are managed at the infrastructure provider level. The database provider performs automated daily backups.
  - No Custom Recovery: Archis does not maintain independent, off-site, third-party backups or provide a custom Recovery Point Objective (RPO) guarantee. Customers are responsible for periodically exporting client and billing registers if they require local archival copies.
- Email Notification Limitations:
  - The Service handles workspace authentication and token rotation. However, it does not send automatic email/SMS alerts for task deadlines, upcoming court dates, or billing reminders. Workspace users must monitor their dashboards to track deadlines.
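The `case_history` properties listed under Case History Audit Trails above (server-forced `changed_at`, no update or delete for standard users, cascade on case deletion) can be expressed in PostgreSQL as follows. This is an added example, not Archis's schema; the schema `audit_demo`, the role `history_writer`, the trigger and function names, and every column except `changed_at` are assumptions, and the script expects a superuser session in a scratch database.

```sql
-- Added example. Assumed names: audit_demo, history_writer, and every
-- case_history column except changed_at.
CREATE SCHEMA audit_demo;
SET search_path = audit_demo;

CREATE TABLE cases (id bigserial PRIMARY KEY, status text NOT NULL);

-- ON DELETE CASCADE is the hard-deletion behaviour: removing a case removes
-- its history rows with it, so the trail does not outlive the case.
CREATE TABLE case_history (
    id         bigserial PRIMARY KEY,
    case_id    bigint NOT NULL REFERENCES cases (id) ON DELETE CASCADE,
    field      text NOT NULL,
    old_value  text,
    new_value  text,
    changed_at timestamptz NOT NULL DEFAULT now()
);

-- Overwrite any client-supplied timestamp with the server clock.
CREATE FUNCTION force_changed_at() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    NEW.changed_at := now();
    RETURN NEW;
END;
$$;

CREATE TRIGGER case_history_server_time
    BEFORE INSERT ON case_history
    FOR EACH ROW EXECUTE FUNCTION force_changed_at();

-- Append-only for the application role: SELECT and INSERT, no UPDATE or DELETE.
CREATE ROLE history_writer NOLOGIN;
GRANT USAGE ON SCHEMA audit_demo TO history_writer;
GRANT SELECT, INSERT ON case_history TO history_writer;
GRANT USAGE ON SEQUENCE case_history_id_seq TO history_writer;

-- Constructed sample data: the client writes the log row and tries to backdate it.
INSERT INTO cases (status) VALUES ('open');
BEGIN;
SET LOCAL ROLE history_writer;
INSERT INTO case_history (case_id, field, old_value, new_value, changed_at)
VALUES (1, 'status', 'open', 'closed', '2000-01-01');  -- trigger replaces the timestamp
COMMIT;
DELETE FROM cases WHERE id = 1;  -- run as owner; cascades to case_history
```

Because the log row is written by the client rather than by a trigger on `cases`, a client that skips the `INSERT` leaves no history entry; the grants above only guarantee that rows already written cannot be altered by that role.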
Have Questions?
If your firm’s IT or compliance department requires a deeper technical review, or if you need to complete a vendor security questionnaire, please contact our security team at technologyarchis@gmail.com.