Security at JoyLegal

Your contracts deserve the highest level of protection. End-to-end encryption, EU data residency, and enterprise-grade security by design.

Last updated: May 11, 2026

🔐

E2E Encryption

Contracts are encrypted in transit with TLS 1.3 and at rest with AES-256.

🇪🇺

EU Data Residency

All data processed and stored on servers within the European Economic Area.

🗑️

Data Minimization

We only store what's necessary. You can delete all data at any time.

🏗️

Architecture: Security by Design

JoyLegal's security model is built around the principle of minimal data exposure. When you upload a contract for analysis, the document is encrypted end-to-end using TLS 1.3 in transit and AES-256 at rest. Only the AI analysis pipeline processes the document content, and no human at JoyLegal has access to your contracts.

Our architecture ensures:

  • End-to-end encryption — your contracts are encrypted before they leave your browser
  • Isolated processing — each analysis runs in an isolated environment
  • No persistent storage of raw documents — original files are deleted after analysis
  • EU-only infrastructure — all servers are within the European Economic Area

🤖

AI Features: Controlled Data Flow

When your contract is analyzed by our AI, only the extracted text is processed — never metadata, images, or formatting. The AI model receives anonymized text segments, analyzes them against Polish civil law, labor law, and the UOKiK abusive clause registry, and returns structured findings.

We contractually prohibit our AI providers from using your data for model training. Analysis results are stored encrypted and linked to your account only.

🔑

Authentication Security

User authentication is handled by Clerk, an enterprise-grade identity platform providing:

  • Secure password hashing with bcrypt
  • Multi-factor authentication (MFA) support
  • OAuth 2.0 / OpenID Connect social login
  • Session management with secure, HttpOnly cookies
  • Brute-force and bot protection
  • SOC 2 Type II certified infrastructure

📋

Compliance & Standards

JoyLegal is designed to comply with:

  • GDPR — EU General Data Protection Regulation
  • AI Act — EU Artificial Intelligence Act
  • ePrivacy Directive — EU electronic communications privacy
  • CCPA — California Consumer Privacy Act

🐛

Responsible Disclosure

If you discover a security issue, please report it to security@joylegal.app. We commit to acknowledging reports within 48 hours and do not pursue legal action against good-faith security researchers.

📬

Contact Security Team

Security reports: security@joylegal.app

General: contact@joylegal.app

Service: JoyLegal · joylegal.app