1. Security Overview
At Mowly, security is not an afterthought — it is fundamental to our architecture and operations. As a platform serving legal professionals who handle sensitive and privileged information, we understand that the highest standards of data security are non-negotiable. This Security Policy describes the technical and organizational measures we implement to protect your data, ensure service availability, and maintain the integrity of our systems.
2. Infrastructure Security
Our platform is built on enterprise-grade cloud infrastructure with multiple layers of protection:
- Cloud hosting: Mowly is hosted on SOC 2 Type II certified cloud infrastructure within the European Union, ensuring data sovereignty and compliance with EU regulations
- Network isolation: Our production environment uses Virtual Private Clouds (VPCs) with strict network segmentation, ensuring that different components are isolated from each other
- Redundancy: Our infrastructure is designed with high availability in mind, with automatic failover capabilities and geographically distributed redundancy
- DDoS protection: Enterprise-grade DDoS mitigation is deployed at the network edge to protect against volumetric and application-layer attacks
- Firewall management: Web Application Firewalls (WAFs) and network firewalls are configured to filter malicious traffic and enforce security policies
- Environment separation: Development, staging, and production environments are strictly separated to prevent unauthorized access to production data
3. Encryption Standards
We apply strong encryption at every layer of our stack:
- Data in transit: All communications between clients and our servers are encrypted using TLS 1.3, the latest and most secure transport layer protocol. We enforce HSTS headers and use strong cipher suites
- Data at rest: All stored data is encrypted using AES-256 encryption, the industry standard for data-at-rest protection. Database encryption is enabled at the storage level
- Password security: User passwords are hashed using bcrypt with an appropriately tuned cost (work) factor. Passwords are never stored or transmitted in plain text
- API key encryption: User-provided API keys (e.g., for external AI providers) are encrypted using separate encryption keys before storage
- Key management: Encryption keys are managed using secure key management services with automatic rotation and strict access controls
4. Authentication and Access Management
We implement robust authentication mechanisms to protect user accounts:
- Secure authentication: User authentication uses industry-standard protocols with JWTs (JSON Web Tokens) that have short expiration times and are automatically refreshed
- Session management: Sessions are monitored for suspicious activity. Inactive sessions are automatically terminated. Concurrent session limits are enforced
- OAuth 2.0 integration: Microsoft Office Add-ins use OAuth 2.0 for authentication, ensuring that credentials are never exposed to the Add-in
- Account lockout: Automated account lockout is triggered after multiple failed authentication attempts, with progressive delays to mitigate brute-force attacks
- Secure password policies: We enforce minimum password complexity requirements and check passwords against known breach databases
5. Access Control
We enforce strict access controls across all systems:
- Principle of least privilege: All access permissions follow the principle of least privilege — employees and systems are granted only the minimum access necessary to perform their functions
- Role-based access control (RBAC): Our internal systems and customer-facing features use RBAC to ensure appropriate authorization levels
- Administrative access: Administrative access to production systems is restricted to a minimal number of senior engineers, requires multi-factor authentication, and is logged for audit purposes
- Regular access reviews: Access permissions are reviewed quarterly to ensure they remain appropriate and to revoke access for departed employees or changed roles
- API access controls: API access requires authentication tokens with defined scopes and rate limiting to prevent abuse
6. Data Protection Measures
We implement specific measures to protect your data throughout its lifecycle:
- Temporary processing: Document content submitted for AI processing is held in memory only for the duration of the operation and is not written to persistent storage
- Data minimization: We collect and process only the minimum amount of data necessary to provide our services, in accordance with GDPR data minimization principles
- Data segregation: Customer data is logically separated using row-level security policies, ensuring that users can only access their own data
- Secure deletion: When data is deleted (upon account termination or at your request), we ensure it is irreversibly removed from all active systems and backups within documented timeframes
- Backup encryption: All backups are encrypted and stored in geographically separate locations within the EU
7. Network Security
Our network security measures include multiple layers of defense:
- Intrusion Detection Systems (IDS): We deploy network and host-based intrusion detection systems that monitor for suspicious activity and potential threats in real time
- Traffic monitoring: All network traffic is monitored and analyzed for anomalies, unauthorized access attempts, and potential security threats
- DNS security: We implement DNSSEC and other DNS security measures to prevent DNS spoofing and related attacks
- API security: All API endpoints are protected with authentication, rate limiting, input validation, and output encoding to prevent common attack vectors
- Content Security Policy: We implement strict Content Security Policy (CSP) headers and other security headers to protect against XSS, clickjacking, and other web-based attacks
8. Monitoring and Logging
We maintain comprehensive monitoring and logging to detect and respond to security events:
- 24/7 monitoring: Our systems are monitored continuously for availability, performance, and security anomalies. Automated alerts are triggered for any deviation from normal patterns
- Security logging: All security-relevant events (authentication attempts, access control decisions, administrative actions, data access) are logged with tamper-evident logging mechanisms
- Log retention: Security logs are retained for 12 months in compliance with GDPR and applicable regulations. Logs are stored in append-only storage to prevent tampering
- Anomaly detection: We use automated anomaly detection systems to identify unusual patterns of behavior that may indicate a security threat
- Audit trails: Complete audit trails are maintained for all administrative actions and data access, enabling forensic investigation when required
9. Incident Response
We maintain a documented incident response plan to handle security incidents effectively:
- Incident response team: A dedicated incident response team is on call to handle security incidents. Team members are trained and conduct regular simulation exercises
- Response procedures: Our incident response procedures include identification, containment, eradication, recovery, and post-incident analysis phases
- Breach notification: In the event of a personal data breach, we will notify the competent supervisory authority (CNPD) within 72 hours as required by GDPR Article 33, and affected individuals without undue delay where required by Article 34
- Communication plan: We maintain a communication plan for notifying affected customers, regulatory authorities, and other stakeholders in the event of a significant security incident
- Post-incident review: Every security incident is followed by a thorough post-incident review to identify root causes and implement preventive measures
10. Compliance and Certifications
We are actively pursuing industry-recognized security certifications and maintain alignment with relevant standards and regulations. We are currently on the certification path to obtain ISO 27001, SOC 2, and GDPR certifications — these have not yet been achieved but represent a core commitment in our security roadmap:
- ISO 27001 (in progress): We are working towards ISO 27001 certification for our information security management system. Our internal processes and controls are being designed and implemented in alignment with ISO 27001 requirements
- SOC 2 (in progress): We are aligning our security practices with SOC 2 Trust Service Criteria for security, availability, and confidentiality, with the goal of completing a SOC 2 Type II audit
- GDPR compliance (in progress): Our security measures are being built to meet and exceed the technical and organizational requirements specified in GDPR Article 32, and we are on the path to formal GDPR compliance certification
- EU AI Act readiness: We are implementing the security requirements of the EU AI Act for AI systems used in professional contexts
- Regular assessments: We conduct regular security assessments, including vulnerability scanning, penetration testing, and code security reviews
11. Vendor and Third-Party Security
We carefully evaluate and monitor the security practices of our third-party vendors:
- Vendor assessment: Before engaging any vendor that will have access to customer data, we conduct a thorough security assessment of their practices, certifications, and compliance status
- Contractual protections: All vendors with access to personal data are bound by Data Processing Agreements that include specific security obligations and audit rights
- AI provider security: Our AI providers (Google, OpenAI) are engaged through enterprise APIs with contractual guarantees regarding data security, non-use for training, and geographic data processing restrictions
- Ongoing monitoring: We continuously monitor our vendors' security posture and compliance status, and reassess periodically to ensure continued alignment with our standards
12. Employee Security
Our employees are trained and vetted to maintain the highest security standards:
- Background checks: All employees with access to customer data or production systems undergo background verification checks
- Security training: All employees receive security awareness training upon onboarding and regularly thereafter, covering topics such as phishing, social engineering, and data handling procedures
- Confidentiality agreements: All employees sign confidentiality and non-disclosure agreements that specifically address the handling of customer data
- Access deprovisioning: When employees leave the company or change roles, their access is promptly revoked and access logs are reviewed
13. Business Continuity and Disaster Recovery
We maintain robust plans to ensure service availability:
- Business continuity plan: We maintain a documented business continuity plan that is tested and updated regularly to ensure we can maintain critical operations during disruptions
- Automated backups: Database backups are performed automatically on a daily basis, with point-in-time recovery capability. Backups are encrypted and stored in separate geographic regions within the EU
- Recovery objectives: We target a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for critical systems
- Disaster recovery testing: We conduct periodic disaster recovery tests to validate our ability to restore services within our stated objectives
14. Security Reporting
If you discover a security vulnerability or have a security concern, please report it responsibly to security@mowly.com. We are committed to investigating and addressing all reported security issues promptly. We do not take legal action against security researchers who report vulnerabilities in good faith and in accordance with responsible disclosure practices. We aim to acknowledge receipt of vulnerability reports within 24 hours and to provide a substantive response within 72 hours.