This page describes the security measures we have in place across our infrastructure, application, data handling, and operations.
Infrastructure Security
Hosting and Deployment
OmniLegislation™ is hosted on enterprise-grade cloud infrastructure within the United States. Our frontend and backend systems are deployed on separate, isolated environments to minimize risk and limit the impact of any single point of failure.
All servers run on modern, actively maintained operating systems with automatic security patches applied regularly.
Network Security
- All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
- All internal communication between our application services, databases, and task processing systems is encrypted in transit.
- Access to production servers is restricted to authorized personnel through SSH key-based authentication. Password-based access is disabled.
- Firewall rules limit inbound traffic to only the ports and services required for the platform to operate.
Application Security
Authentication
- Subscriber accounts are secured through a dedicated authentication system; passwords are stored only as hashes produced by industry-standard password hashing algorithms.
- Session tokens are generated securely and expire after a period of inactivity.
- All authentication flows are transmitted over HTTPS.
Access Controls
- Subscriber access is restricted by subscription tier. Features, search limits, export capabilities, and Practice Area Monitor configurations are enforced at the application level based on your plan.
- Administrative access to backend systems requires multi-factor authentication and is limited to authorized team members.
Anti-Scraping and Abuse Prevention
- All portal searches are rate-limited per user based on subscription tier.
- Pagination is enforced with a maximum of 50 results per page. There is no “show all” option.
- CAPTCHA is triggered when export activity exceeds expected thresholds within a single session.
- IP addresses and session patterns are monitored for suspicious or automated access behavior.
- Accounts exhibiting patterns consistent with automated scraping or bulk data extraction are flagged for review and may be suspended.
- All CSV exports contain embedded watermarks, including the subscriber's account identifier and export timestamp, to trace unauthorized redistribution.
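As an added illustration of the export-watermarking control described above (example code, not OmniLegislation's own implementation), the following Python appends a signed watermark row carrying the account identifier and export timestamp to a CSV export and later verifies that the row and the exported body are intact; the key, the footer format and the sample rows are assumptions.

```python
import csv
import hashlib
import hmac
import io
from datetime import datetime, timezone

# Constructed demo secret: a real deployment loads this from configuration, never from code.
WATERMARK_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(account_id: str, exported_at: str, body: str) -> str:
    """HMAC over the watermark fields plus a digest of the export body, so that
    neither the identifying fields nor the exported rows can be altered unnoticed."""
    msg = f"{account_id}|{exported_at}|".encode() + hashlib.sha256(body.encode()).digest()
    return hmac.new(WATERMARK_KEY, msg, hashlib.sha256).hexdigest()[:32]


def export_csv(rows, account_id: str, exported_at: str = "") -> str:
    """Serialise rows as CSV and append one trailing watermark row:
    '# watermark,<account id>,<UTC timestamp>,<tag>'."""
    exported_at = exported_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    body = buf.getvalue()
    return body + f"# watermark,{account_id},{exported_at},{_tag(account_id, exported_at, body)}\n"


def verify_watermark(text: str):
    """Return (account_id, exported_at) when the trailing watermark is present and
    matches the body; return None if it is missing, malformed or tampered with."""
    lines = text.splitlines(keepends=True)
    if not lines or not lines[-1].startswith("# watermark,"):
        return None
    parts = lines[-1].rstrip("\n").split(",")
    if len(parts) != 4:
        return None
    _, account_id, exported_at, tag = parts
    body = "".join(lines[:-1])
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(tag, _tag(account_id, exported_at, body)):
        return None
    return account_id, exported_at
```

A leaked file whose watermark row verifies can be attributed to the account and export time it names; a file whose row was stripped or edited fails verification, which is itself a signal worth logging.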
Input Validation
- All user inputs, including search queries, Practice Area Monitor configurations, and account settings, are validated and sanitized on both the client and server side to prevent injection attacks, cross-site scripting (XSS), and other common web vulnerabilities.
Data Security
Encryption
- In Transit: All data moving between your browser, our servers, our database, and third-party services is encrypted using TLS/SSL.
- At Rest: Database storage is encrypted at rest using AES-256 encryption provided by our hosting infrastructure.
Database Security
- Our database is hosted on a managed platform with built-in encryption, automated backups, and access controls.
- Database access is restricted to application services only. No direct external connections are permitted.
- Database credentials are stored in environment variables and are never hardcoded in application code.
- Automated daily backups are maintained with point-in-time recovery capability.
Payment Security
- All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified, the highest level of payment security compliance.
- OmniLegislation™ does not store, process, or have access to full credit card numbers. All payment credentials are handled entirely within Stripe's secure environment.
Email Security
- Alert emails are delivered through Resend, an enterprise email delivery platform with built-in spam protection, authentication (SPF, DKIM, DMARC), and encrypted transmission.
- Email content is generated per subscriber based on their specific Practice Area Monitors. Subscriber alert content is never shared across accounts.
Data Collection Security
- Our data collection systems access only publicly available government and court websites.
- Collection processes include built-in rate limiting and respectful access patterns to avoid overloading source systems.
- All collected data is validated and processed through automated deduplication and quality checks before being made available to subscribers.
- Errors during data collection are logged and monitored. Failed collection attempts do not expose subscriber data or system credentials.
Operational Security
Team Access
- Access to production systems, databases, and subscriber data is limited to authorized personnel on a need-to-know basis.
- All administrative access requires multi-factor authentication.
- Access permissions are reviewed regularly and revoked promptly when no longer needed.
Monitoring and Incident Response
- Platform health, uptime, and error rates are monitored continuously.
- Automated alerts notify our team of unusual activity, system errors, or potential security events.
- In the event of a security incident, we will investigate promptly, take steps to contain and resolve the issue, and notify affected subscribers as required by applicable law.
Dependency Management
- Third-party libraries and dependencies are reviewed and updated regularly to address known vulnerabilities.
- We monitor security advisories for the frameworks and tools used in our platform.
Responsible Disclosure
If you believe you have discovered a security vulnerability in OmniLegislation™, we encourage you to report it responsibly. Please contact us at hello@omnilegislation.com with a description of the issue. We ask that you:
- Provide sufficient detail for us to reproduce and verify the issue.
- Allow us reasonable time to investigate and address the vulnerability before any public disclosure.
- Do not access, modify, or delete data belonging to other subscribers during your research.
We appreciate the security research community and will acknowledge valid reports.
What We Do Not Do
To be transparent about the boundaries of our security practices:
- We do not store credit card numbers or full payment credentials on our systems.
- We do not provide API access or webhook delivery, reducing the attack surface of the platform.
- We do not share, sell, or trade subscriber data with third parties for purposes unrelated to operating the Service.
- We do not access sealed, restricted, or non-public court records.
Questions
If you have questions about our security practices, contact us at: