Document Format Options
You are viewing the interactive web version of this document. For a traditional legal document format suitable for records, printing, or legal review, use the options below.
Executive Summary
RUNO is an enterprise-grade legal intelligence platform designed to meet the stringent security and compliance requirements of law firms, corporate legal departments, and regulated industries. This document provides a comprehensive overview of our security architecture, data protection measures, and compliance framework.
Our platform is built with security-first principles, implementing industry-standard controls aligned with:
1. Platform Overview
1.1 Service Description
RUNO provides:
- AI-powered contract generation and intelligence (337+ contract types)
- Document intelligence and analysis
- Mergers & Acquisitions due diligence automation
- Legal practice management
- Corporate secretarial services
- Compliance management across 46+ jurisdictions
1.2 Deployment Model
Hosted on secure cloud infrastructure
Dedicated tenant environment
Self-hosted within client infrastructure
Combination of cloud and on-premise
2. Security Architecture
2.1 Multi-Tenant Isolation
RUNO employs strict logical separation between tenants:
- Database-Level Isolation: All data queries enforce tenant context through middleware
- Tenant ID Verification: Extracted exclusively from authenticated JWT tokens (never from request parameters)
- Cross-Tenant Protection: Automatic blocking and logging of any cross-tenant access attempts
- Resource Ownership Verification: All update/delete operations verify tenant ownership before execution
Implementation: Middleware-enforced at API layer
Verification: Automated security event logging for violation attempts
2.2 Authentication & Access Control
Multi-Factor Authentication (MFA)
- • TOTP Support: Google Authenticator, Authy, Microsoft Authenticator
- • Backup Codes: 10 single-use recovery codes at MFA enrollment
- • Device Trust: 30-day trusted device remembering (optional)
Password Security
- • Minimum Length: 12 characters (NIST 800-63B aligned)
- • Complexity: Uppercase, lowercase, numeric, special required
- • Hashing: bcrypt with automatic salt generation
- • History: Prevention of password reuse
Session Management
- • JWT Expiry: 24 hours (configurable)
- • Secure Cookies: HttpOnly, Secure, SameSite=Strict in production
- • Session Timeout: Configurable per tenant (default: 8 hours)
OAuth 2.0 Integration
- • Google Workspace SSO
- • Microsoft Azure AD SSO
- • Custom SAML integration (Enterprise tier)
2.3 Role-Based Access Control (RBAC)
| Role | Capabilities |
|---|---|
| Super Admin | Platform-wide administration |
| Tenant Admin | Tenant configuration, user management |
| User | Standard platform access per module permissions |
| Read Only | View-only access to authorized resources |
Module-level permissions include: Document Intelligence, Contracts, M&A Intelligence, Practice Management, Corporate Secretarial, Compliance, Administration
3. Data Protection
3.1 Data at Rest
- • Algorithm: AES-256-GCM (Galois/Counter Mode)
- • Key Management: Per-tenant encryption keys derived from master key
- • Key Derivation: PBKDF2 with SHA-512, 100,000 iterations
- • Key Rotation: Supported with automated re-encryption
3.1 Data in Transit
- • Protocol: TLS 1.2 minimum (TLS 1.3 preferred)
- • HSTS: Enabled with 1-year max-age, includeSubDomains, preload
- • Certificate Management: Automated renewal
Encryption Key Hierarchy
3.2 Data Classification
| Classification | Description | Protection Level |
|---|---|---|
| Confidential | Client data, contracts, legal documents | Encrypted, access-logged |
| Internal | Platform configuration, analytics | Encrypted, role-restricted |
| Public | Marketing materials, documentation | Standard protection |
3.3 Data Residency
- • Primary Region: European Union (GDPR-compliant)
- • Backup Region: Configurable per tenant
- • Data Sovereignty: Full support for jurisdiction-specific requirements
4. Compliance Framework
4.1 GDPR Compliance
RUNO implements full GDPR data subject rights:
Right to Access
Automated data export (JSON format)
Right to Rectification
Self-service data correction
Right to Erasure
Automated deletion with audit trail
Right to Restriction
Processing pause functionality
Right to Portability
Machine-readable data export
Right to Object
Consent withdrawal mechanism
Data Subject Access Request (DSAR) Handling
- • Automated request intake portal
- • 30-day response SLA (GDPR requirement)
- • Progress tracking and notifications
- • Compliance officer workflow
4.2 SOC 2 Type II Alignment
Our controls align with AICPA Trust Services Criteria:
Security (CC6)
Access control, encryption, network protection
Availability (CC7)
Uptime monitoring, disaster recovery
Processing Integrity (CC8)
Data validation, error handling
Confidentiality (CC9)
Data classification, encryption
Privacy
GDPR controls, consent management
4.3 Audit Logging
All security-relevant actions are logged with:
UTC with millisecond precision
User ID, tenant ID, session ID
CRUD operation, authentication events
Type and identifier
Client IP with proxy handling
Country, region, city
Automated anomaly detection (0-100)
HTTP status code
Retention Period: 7 years (regulatory best practice for financial services and legal industry compliance)
4.4 Supported Regulatory Frameworks
European Union
Post-Brexit UK
California
Brazil
South Africa
Nigeria
Ghana
Kenya
5. Infrastructure Security
5.1 Network Security
- Web Application Firewall (WAF): Protection against OWASP Top 10
- DDoS Protection: Automated mitigation
- CORS: Whitelist-based origin validation
Rate Limiting
- • General: 1,000 requests/15 minutes
- • Authentication: 5 attempts/15 minutes
- • API: 50 requests/minute
- • File Upload: 10 uploads/hour
5.2 Application Security
- Input Validation: Server-side validation on all inputs
- SQL Injection Protection: Parameterized queries (Prisma ORM) + pattern detection
- XSS Protection: Content Security Policy, output encoding
- CSRF Protection: Token-based protection
Security Headers (Helmet.js)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Strict-Transport-Security: max-age=31536000
5.3 Secure Development
Code Review
Mandatory peer review for all changes
Dependency Scanning
Automated vulnerability detection
Static Analysis
Security-focused code analysis
Penetration Testing
Annual third-party assessments
6. Business Continuity
6.1 Backup Strategy
- • Frequency: Daily automated backups
- • Retention: 30 days rolling, monthly archives for 1 year
- • Encryption: All backups encrypted at rest
- • Testing: Quarterly backup restoration tests
6.2 Disaster Recovery
RTO (Recovery Time Objective)
RPO (Recovery Point Objective)
Multi-region deployment available
6.3 Incident Response
- 1Detection: Automated monitoring and alerting
- 2Containment: Immediate isolation procedures
- 3Eradication: Root cause analysis and remediation
- 4Recovery: Service restoration with verification
- 5Post-Incident: Review and control improvements
7. Third-Party Security
7.1 Sub-Processors
All sub-processors undergo security assessment:
- Due diligence review
- Contractual data protection obligations
- Annual compliance verification
7.2 AI/LLM Security
- • Provider: Anthropic (Claude API)
- • Data Handling: No training on customer data
- • Prompt Security: Input sanitization and output filtering
- • Usage Logging: Full audit trail of AI interactions
8. Certifications & Attestations
Current Status
Cyber Essentials Plus
In Progress
Q2 2026
SOC 2 Type I
Planned
Q2 2026
SOC 2 Type II
Planned
Q4 2026
ISO 27001
Roadmap
2027
Security Assessments
Quarterly
Annual
Continuous
9. Contact Information
Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | January 2026 | Security Team | Initial release |
This document is provided for informational purposes and reflects our security practices as of the date indicated. For specific contractual commitments, please refer to your service agreement and Data Processing Agreement.