FirmFirst Trust Center

Security, compliance, and privacy at FirmFirst — verified and up to date.

Last reviewed: February 2026

All systems operational

Compliance status

SOC 2 Type II

In Progress

Third-party audit of security, availability, and confidentiality controls.

Target: Q4 2026

GDPR

Compliant

Data Processing Agreements available. Right to access, rectification, erasure, and portability.

DPA available on request

CCPA

Compliant

California Consumer Privacy Act compliance for California-based prospects.

Effective since launch

ABA Model Rule 1.16

Compliant

Signal analysis and verification workflows help attorneys meet 'reasonable inquiry' obligations.

Aligned since launch

Security controls

Data Protection

  • Encryption at rest

    AES-256 encryption for all stored data

  • Encryption in transit

    TLS 1.3 for all data transmission

  • Application-level secret encryption

    Tokens, keys, and credentials encrypted separately

  • Daily automated backups

    Point-in-time recovery capability

Access Management

  • Role-based access control

    Permissions scoped to job function

  • Multi-factor authentication

    Required for all personnel

  • Least-privilege access

    Minimum necessary permissions by default

  • Access audit logging

    All access events recorded and retained

Infrastructure

  • Google Cloud Platform

    US data centers (us-central1)

  • Network segmentation

    Isolated production environments

  • DDoS protection

    Cloud-native DDoS mitigation

  • Automated vulnerability scanning

    Continuous dependency and infrastructure scanning

Operational

  • Incident response plan

    Documented procedures for security events

  • 72-hour breach notification

    Per GDPR requirements

  • Annual vendor security review

    Sub-processor compliance verification

  • Employee security training

    Mandatory onboarding and annual refresher

Sub-processors

Third-party vendors that process data on behalf of FirmFirst.

Vendor           | Purpose                     | Data Processed             | DPA
Google Cloud     | Infrastructure & hosting    | All platform data          | Signed
Twilio           | SMS notifications           | Phone numbers              | Signed
Postmark         | Email delivery              | Email addresses            | Signed
IPQS             | Email & phone validation    | Email, phone, IP address   | Signed
Fingerprint.com  | Device & network analysis   | Device signals, IP address | Signed
People Data Labs | Person enrichment (premium) | Name, email                | Signed

Documents

Privacy Policy

How we collect, use, and protect your data

Available

Terms of Service

Terms governing use of the FirmFirst platform

Available

Data Processing Agreement (DPA)

Standard DPA for GDPR compliance

Security Whitepaper

Detailed overview of security architecture and practices (Q3 2026)

Coming Soon

SOC 2 Type II Report

Independent audit report of security controls (Q4 2026)

Coming Soon

Have security questions?

Need to report a vulnerability or request security documentation?

security@firmfirst.com
