Security controls, clearly stated
The barristers who trust CounselFlow with their practice data deserve a clear account of how it is protected. Security is not a footnote here — it shapes every technical decision we make.
Compliance assistance
CounselFlow is designed to support your professional and regulatory obligations.
GDPR
Data is stored in the EU, and the platform is designed to support your obligations under GDPR.
Professional data obligations
CounselFlow access controls and audit-oriented workflows are designed to support barrister data-handling requirements.
Data storage & ownership
You own your data
CounselFlow is a custodian, not an owner. Your data can be exported at any time.
Data stored in the EU
Production data is hosted on AWS infrastructure in the EU.
Encryption
All sensitive data is encrypted at the application layer using a dedicated encryption key before reaching the database.
In transit & at rest
- All communication between your browser and CounselFlow uses HTTPS/TLS.
- Data is encrypted at rest using AES-256 via our infrastructure provider.
Application-layer encryption
- Financial identity fields (VAT number, BIC, IBAN) are encrypted with a dedicated key.
- Personal data fields are encrypted with a separate PII key.
- Searchable fields use blind indexes built with a keyed HMAC, so equality lookups work without exposing plaintext in the query layer.
Sensitive data items covered: VAT number, BIC, IBAN, case names, client names, party display names, party-role payloads on case documents, task descriptions, payment notes, contact emails, contact notes, and contact address fields (street, town, city, eircode).
Infrastructure
Supabase
SOC 2 compliant.
AWS
PCI DSS Level 1, ISO 27001, and FIPS 140-2 accreditations.
User account security
- Two-factor authentication is available and recommended.
- Cloudflare Turnstile bot protection is applied to public forms.
- Rate limiting is applied across authentication endpoints.
What you can do
Good security practice starts with account hygiene.
- Enable two-factor authentication.
- Use a strong, unique password for your CounselFlow account.
- Log out of shared devices.
- Never share account credentials.
Coming soon
These are roadmap items and are listed separately from the live controls above.
- Key-version rotation tooling and controlled migration for encrypted PII and financial fields.
- Strengthened privileged-access audit trails for sensitive financial workflows and exports.
- Further minimisation of third-party event payload metadata while preserving analytics quality.
Need a clear answer on a specific control?
Join the early access programme and tell us your exact governance requirements during onboarding.