LawCrust

Security & Compliance

Built for Western procurement.

We've designed our security posture against the controls that matter most to US and UK procurement teams. Audit reports and SOC 2 Type II evidence are available under NDA on request. The summary below is what most clients ask about in the first call.

SOC 2 Type II

Independent audit underway · controls aligned to AICPA TSC

ISO/IEC 27001:2022

Information Security Management System certification in progress

GDPR & UK GDPR

Standard Contractual Clauses; UK IDTA; client-side DPAs supported

India DPDP Act 2023

Notice + consent flows; data-fiduciary obligations mapped

HIPAA-aligned controls

For US healthcare clients; BAAs available on request

Cyber liability cover

£10M / USD 13M policy with first-party + third-party cover

Background-checked staff

Bar Council verification + police verification + reference checks

Air-gapped review rooms

For matters requiring physical isolation; CCTV, no removable media

Data handling

How client data flows.

Ingress. Client data enters via SFTP, managed S3, or directly into the client's hosted review platform (Relativity, Disco, etc.). We do not pull data into LawCrust-owned storage unless explicitly requested.

Processing. Reviewers work in the client's environment whenever possible. When LawCrust hosts the platform, the project sits in a per-engagement, isolated tenant with role-based access scoped to the engagement team.

At rest. AES-256 encryption. Keys are managed in AWS KMS or in client-controlled HSMs, depending on the sensitivity of the matter.

Egress. Output (memos, productions, exports) returns via the same secured channel. Production media (USB, hard drives) is air-gapped, courier-tracked, and destroyed on return per client instruction.

Retention. Default 30 days post-engagement; extended only at client request and with written instruction. Verifiable destruction certificates issued.

People

Who has access.

Background checks. All reviewers undergo Bar Council verification, criminal-record checks, address verification, and three-reference verification before client-data access is granted.

Access controls. Just-in-time access provisioned per engagement. Privileged access logged and reviewed quarterly. MFA required on all platforms.

Confidentiality. Engagement-specific NDAs in addition to employment-grade NDAs. Reviewers cannot work on competing matters in the same sector for 6 months post-engagement.

Physical security. Office floors swipe-card controlled. Air-gapped review rooms (CCTV-monitored, no removable media, no personal devices) available for matters requiring physical isolation.

Audit reports & DPAs

Available under NDA.

SOC 2 Type II report, ISO 27001:2022 statement of applicability, our standard DPA, sample BCP/DR documentation, and pen-test summaries are all available to procurement teams under a mutual NDA.