Data Security

Last updated: March 2026

QanoonAI is built to handle sensitive legal data with the highest standards of security. This page describes our security architecture, encryption practices, access controls, and compliance measures.

1. Infrastructure Security

1.1 Cloud Infrastructure

QanoonAI is hosted on Amazon Web Services (AWS) in the ap-south-1 (Mumbai) region. Our infrastructure includes:

  • EC2 compute instances running containerized backend services via Docker Compose
  • PostgreSQL 16 databases with per-service isolation (7 separate databases)
  • S3 for encrypted document storage with service-level prefix isolation
  • ECR (Elastic Container Registry) for versioned, immutable container images

1.2 Network Security

  • Nginx provides SSL/TLS termination with certificates managed by Certbot (Let's Encrypt) for all API and database administration endpoints.
  • Cloudflare provides DNS, DDoS protection, and an additional security layer for all public-facing domains.
  • Envoy Gateway acts as the API gateway, enforcing CORS policies, rate limiting, request routing, and JWT validation at the edge before requests reach backend services.
  • Backend services communicate internally on an isolated Docker network with no direct public exposure. Only the Envoy gateway is accessible from the host network.

1.3 Security Headers

All responses include security headers:

  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options: DENY (clickjacking protection)
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin

2. Encryption

2.1 In Transit

All data transmitted between clients and QanoonAI is encrypted using HTTPS/TLS. Internal service-to-service communication occurs within an isolated Docker network.

2.2 Authentication Tokens

Authentication uses JWT RS256 (RSA-2048 key pairs). Access tokens expire after 30 minutes. Refresh tokens are valid for 30 days with family-based rotation tracking per RFC 6819 to detect token reuse attacks. Public keys are distributed via a standard JWKS endpoint cached across all services.

2.3 At Rest

Database storage and S3 buckets use AWS-managed encryption at rest. Redis caches use password-authenticated connections in production.

3. Judicial Data Isolation

Judicial data receives the highest level of protection within our platform:

  • Separate database — Judicial data is stored in a dedicated PostgreSQL database (qanoon_judicial) with row-level security (RLS) enforced by judge ID. No other service can read or write to this database.
  • Separate encryption context — Judicial services use independent secret keys distinct from other services.
  • Multi-tenant vector isolation — Document chunks in our vector database (Weaviate) use multi-tenant isolation by judge ID, ensuring one judge's documents are never accessible to another.
  • Cross-service barriers — Lawyers cannot access judicial tools, and judges cannot access lawyer-specific drafting tools. This separation is enforced at the API gateway, backend, and frontend levels.
  • Read-only cross-database access — Where administrative oversight is required, dedicated read-only database users with SELECT-only permissions are used.

4. Authentication and Access Control

4.1 Role-Based Access Control (RBAC)

QanoonAI enforces strict role-based access control with four permission levels: PUBLIC, LAWYER, JUDGE, and ADMIN. Each role grants access only to its designated portal and tools. Role verification occurs at the API gateway (Envoy JWT validation), backend middleware, and frontend route protection.

4.2 Two-Factor Authentication

Two-factor authentication (2FA) is mandatory for all judicial users and available for all other roles. Admin users require TOTP-based MFA.

4.3 Session Security

  • Authentication tokens are stored in httpOnly, secure cookies inaccessible to client-side JavaScript
  • 30-second auth codes with HMAC-SHA256 signing for cross-portal authentication
  • Automatic token refresh on 401 responses with family-based rotation tracking
  • Rate limiting on authentication endpoints (60 requests per minute) to prevent brute-force attacks
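The family-based refresh token rotation described in sections 2.2 and 4.3 works by tying every refresh token to the login that created it and revoking the whole family when an already-rotated token is presented again. The following is an added illustration, not QanoonAI's own code; the in-memory store, class names and token formats are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed in-memory model of refresh-token families (QanoonAI's real store is not on the page).


@dataclass
class RefreshRecord:
    family_id: str
    used: bool = False  # set once this token has been exchanged for a successor


class RefreshTokenStore:
    """Tracks refresh tokens by family so that replay of an already-rotated
    token revokes every token descended from the same login (RFC 6819 rotation)."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshRecord] = {}
        self._revoked_families: set[str] = set()

    def _mint(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshRecord(family_id)
        return token

    def issue_on_login(self) -> str:
        """A fresh login starts a new family."""
        return self._mint(secrets.token_hex(8))

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for its successor; None means refuse and re-authenticate."""
        record = self._tokens.get(presented)
        if record is None or record.family_id in self._revoked_families:
            return None
        if record.used:
            # Replay: this token was already rotated, so two parties hold copies.
            # Revoke the whole family so both holders must log in again.
            self._revoked_families.add(record.family_id)
            return None
        record.used = True
        return self._mint(record.family_id)

    def is_family_revoked(self, token: str) -> bool:
        record = self._tokens.get(token)
        return record is not None and record.family_id in self._revoked_families


def replay_revokes_family() -> bool:
    """Scenario: t1 rotates to t2, then a stolen copy of t1 is replayed."""
    store = RefreshTokenStore()
    t1 = store.issue_on_login()
    t2 = store.rotate(t1)                         # legitimate rotation
    replay_refused = store.rotate(t1) is None     # replayed t1 is refused
    successor_dead = store.rotate(t2) is None     # t2 dies with the family
    return t2 is not None and replay_refused and successor_dead
```

The legitimate client loses its session too, which is the intended cost: a 401 on the next refresh forces a fresh login rather than letting the replayed token go unnoticed.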

5. Audit Trails

QanoonAI maintains comprehensive audit logs for accountability and compliance:

  • Authentication events — Login attempts (successful and failed), token refreshes, password changes, 2FA enrollment
  • Data access — Document views, search queries, AI tool usage, export events
  • Administrative actions — Role changes, account modifications, system configuration changes

5.1 Retention

  • Judicial audit logs: 7 to 10 years (in line with court record-keeping requirements)
  • General audit logs: 2 years
  • Audit logs are append-only and cannot be modified or deleted by any user, including administrators

6. Rate Limiting and Abuse Prevention

The Envoy API gateway enforces per-route rate limits to prevent abuse and ensure fair usage:

  • Authentication endpoints: 60 requests per minute
  • Judicial API: 100 requests per minute
  • Lawyer API: 200 requests per minute
  • Public/Tools API: 500 requests per minute
  • Admin API: 30 requests per minute

Additional per-tier daily usage limits are enforced at the application level. See our Acceptable Use Policy for details.

7. Compliance

7.1 Pakistani Law

QanoonAI is designed to comply with the Prevention of Electronic Crimes Act (PECA) 2016, the Electronic Transactions Ordinance 2002, and applicable rules governing electronic records and data protection in Pakistan.

7.2 Data Residency

Primary data storage and processing infrastructure is hosted on AWS in the ap-south-1 (Mumbai) region. While this is the nearest AWS region to Pakistan, we acknowledge that data physically resides in India. AI processing requests are routed to Anthropic and Voyage AI API endpoints. We are evaluating options for Pakistan-based or Middle Eastern data residency as infrastructure becomes available.

8. Incident Response

QanoonAI maintains a security incident response procedure:

  • Detection — Automated monitoring via Sentry error tracking and infrastructure health checks (every 30 seconds per service)
  • Assessment — Incidents are classified by severity and impact within 1 hour of detection
  • Containment — Affected services can be isolated or rolled back using immutable container images
  • Notification — Affected users will be notified within 72 hours of a confirmed data breach
  • Remediation — Root cause analysis and preventive measures are implemented and documented
  • Reporting — Relevant regulatory authorities will be notified as required by Pakistani law

9. Vulnerability Reporting

If you discover a security vulnerability in QanoonAI, please report it responsibly to support@qanoonai.pk with the subject line "Security Vulnerability Report." We will acknowledge your report within 48 hours and work with you to address the issue.

10. Contact

For security-related inquiries, contact support@qanoonai.pk.