Trust & Security

Your clients' data is sacred

FirmFirst is built with attorney-client privilege and data security at the core. Here's how we protect your practice.

Privilege-first
All prospect data belongs to your firm. Period.
Encrypted everywhere
TLS 1.3 in transit. AES-256 at rest. No exceptions.
Continuously monitored
24/7 infrastructure and access monitoring.

How we protect your practice

Security isn't a feature — it's the foundation everything else is built on.

Attorney-Client Privilege

Data belongs to your firm. We never share, sell, or use it beyond providing the FirmFirst service. Full data export and deletion on demand.

Encryption

AES-256 encryption at rest, TLS 1.3 in transit. Application-level encryption for tokens, keys, and sensitive credentials.

Infrastructure Security

Hosted on Google Cloud Platform (us-central1). SOC 2 certified infrastructure. Data never leaves the United States.

Access Control

Role-based access with least-privilege principles. Multi-factor authentication required for all team members. Audit logging on every access.

Monitoring & Incident Response

24/7 automated monitoring. Defined incident response procedures. Breach notification within 72 hours per GDPR requirements.

Third-Party Vendor Security

All sub-processors sign DPAs and meet SOC 2 or equivalent standards. Vendor security reviewed annually.

Privacy by Design

GDPR and CCPA compliant. Data minimization — we collect only what's needed. No tracking beyond essential analytics.

Backups & Recovery

Daily automated backups. Point-in-time recovery capability. Disaster recovery procedures tested regularly.

Compliance & certifications

SOC 2 Type II

In progress (Q4 2026)

Third-party audit of security, availability, and confidentiality controls.

GDPR Compliant

Yes

Data Processing Agreements available. Right to access, rectification, erasure, and portability supported.

CCPA Compliant

Yes

California Consumer Privacy Act compliance for California-based prospects.

ABA Model Rule 1.16

Aligned

Signal analysis and verification workflows help attorneys meet 'reasonable inquiry' obligations.

How we handle your data

Who owns prospect data?

Your firm owns all prospect data. FirmFirst stores it on your behalf to provide the service. You can export or delete it at any time.

Do you share data with third parties?

Only with vendors required to provide core features (email validation, phone validation, enrichment). All vendors sign Data Processing Agreements (DPAs) and are GDPR/CCPA compliant. We never sell or market with your data.

Where is data stored?

All data is stored in Google Cloud Platform (GCP) in US-based data centers (us-central1). Data never leaves the United States.

How long do you retain data?

Prospect data is retained as long as your FirmFirst account is active. After account cancellation, data is deleted within 30 days unless you request immediate deletion.

Can I export my data?

Yes. You can export all inquiry data as CSV or JSON at any time from your dashboard.

Questions about security?

Contact us for our full security documentation, DPA, or compliance questions.