1. Data residency and infrastructure
- Static marketing site on AWS ap-southeast-1 (Singapore).
- No Lawgorithm-operated application database on the static site for visitor-submitted content; contact is via mailto from the browser.
- Product platform is designed with Singapore data residency as the default; customer-specific deployment terms apply when we engage commercially.
2. Encryption
- TLS 1.2 minimum in transit; TLS 1.3 where supported.
- Industry-standard symmetric encryption at rest (e.g. AES-256-class) in managed infrastructure.
- Key and credential rotation governed at the infrastructure and secrets-management layer.
3. Privacy-preserving architecture
- KAG-oriented anonymisation and masking patterns for document workflows.
- Role-based access concepts per workspace and entitlement tier.
- Audit trails for sensitive operations and queries where implemented.
- Legal content handled with privilege-aware defaults in product design.
4. Regulatory alignment
We design controls with reference to:
- Singapore Personal Data Protection Act 2012 (PDPA).
- Monetary Authority of Singapore Technology Risk Management Guidelines (MAS TRM).
- GDPR-appropriate patterns where EEA-facing processing is in scope.
Alignment is descriptive of intent and does not confirm completion of every supervisory expectation for every use case.
5. Compliance roadmap
- SOC 2 Type II: audit engagement in preparation.
- ISO/IEC 27001: ISMS scoping underway.
- PDPA-relevant impact assessments: internal reviews on an as-needed basis.
Enterprise prospects needing a security questionnaire or supplemental representations during private beta may contact contact@lawgorithm.sg. We provide factual materials where appropriate; bespoke sign-offs may be subject to legal and commercial terms.
6. Access control
- Invite-led onboarding during private beta.
- Multi-factor authentication required for privileged infrastructure access.
- Least privilege and separation of duties as operational objectives.
7. Vulnerability management
- Dependency and supply-chain hygiene tracked in development.
- No server-side application runtime implemented by this static marketing repository.
8. Incident and breach handling
Security and personal-data incidents are triaged against Singapore’s PDPA notifiable data breach framework where applicable. Where notification to the Personal Data Protection Commission (PDPC) or affected individuals is required, we aim to act as soon as practicable under statute and internal procedures. Actual timing depends on facts, containment, forensics, and legal counsel. An internal objective may be to complete an initial triage within a few business days; that objective does not override legal deadlines or PDPC guidance.
9. Contact (security disclosure)
Email contact@lawgorithm.sg with subject line Security Disclosure. We target an acknowledgement within two calendar days from the next Singapore business day (excluding public holidays in Singapore and high-volume events), not a guarantee of remediation time or legal outcome.