Last updated 25 June 2026
Security
Nexal Legal is designed for regulated UK legal environments. This page summarises our security architecture and operational controls. For data processing details, see our Privacy Policy.
1. Authentication and access control
- Passwords are hashed using industry-standard algorithms; plain-text passwords are never stored
- Customer and operations portal sessions use separate, isolated HttpOnly cookies
- Role-based permissions control access to firm data, billing, and team management
- Single sign-on (SSO) to the ledger uses signed JWTs with expiry and replay protection
- Rate limiting protects authentication endpoints from brute-force attempts
2. Multi-tenant isolation
Each law firm operates in an isolated tenant environment. Firm data, ledger databases, and workspace paths are segregated so that one firm cannot access another firm's records. Cross-firm access is prevented at the application, database, and filesystem layers.
3. Encryption
- All traffic between your browser and Nexal Legal is encrypted using TLS (HTTPS)
- Database connections use encrypted transport where supported by infrastructure providers
- Session tokens and SSO secrets are stored securely and never exposed to client-side code
4. Audit and integrity
The platform maintains audit trails for firm approvals, subscription changes, user invitations, and security-sensitive operations. Ledger transactions support reconciliation workflows designed for SRA client money rules compliance.
5. Backups and recovery
Firm and platform data is backed up on a scheduled basis. Backup procedures are designed to support recovery in the event of hardware failure or data corruption. Operations staff can manage backup visibility through the operations portal.
6. Infrastructure
The customer portal is hosted on enterprise cloud infrastructure with industry-standard physical and network security controls. The ledger application runs on dedicated server infrastructure with restricted access. Environment secrets are managed outside of source code.
7. Vulnerability reporting
If you discover a security vulnerability, please report it responsibly to hello@nexallegal.co.uk. Do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate.
8. Platform overview
For an overview of security capabilities on our marketing site, see the Security & Data Integrity section on our homepage.