This page describes the security measures actually implemented in the Xycora platform. We describe what the software does — not aspirational policy.
1. Authentication
Passwords are stored using Argon2id, a memory-hard hashing algorithm recommended by OWASP — never in plaintext or with reversible encryption. New passwords must meet a strength policy (minimum length, mixed character classes) and are checked against known breach lists at registration and reset. Every authenticated API call carries a short-lived JWT access token (60-minute expiry); longer sessions are maintained with a rotating refresh token. Logging out immediately revokes the active token.
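The token lifecycle described above (a 60-minute access token, a refresh token that rotates on each use, and immediate revocation on logout) can be illustrated with a small stand-alone model. This is an added example, not Xycora's code: the page does not name the JWT signing algorithm, the claim names or how revocation is stored, so HS256, the claim layout, the in-memory revocation set and refresh store, and the demo key are all assumptions made here.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values. The 60-minute expiry comes from the page; the
# signing algorithm (HS256) and this key are assumptions for illustration only.
ACCESS_TTL_SECONDS = 60 * 60
SIGNING_KEY = b"constructed-demo-key-replace-in-production"

REVOKED_JTIS: set[str] = set()                  # assumption: server-side revocation list
REFRESH_STORE: dict[str, tuple[str, str]] = {}  # assumption: refresh token -> (user, tenant)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, tenant_id: str, now: int | None = None) -> str:
    """Issue an HS256-signed JWT whose 'exp' is ACCESS_TTL_SECONDS after `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": user_id,
        "tenant": tenant_id,
        "iat": now,
        "exp": now + ACCESS_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # unique id so this one token can be revoked
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_access_token(token: str, now: int | None = None) -> dict | None:
    """Return the claims if signature, algorithm, expiry and revocation checks pass, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired or malformed expiry
    if claims.get("jti") in REVOKED_JTIS:
        return None  # revoked by an earlier logout
    return claims


def logout(token: str, now: int | None = None) -> bool:
    """Revoke the presented access token immediately; returns False if it was not valid."""
    claims = verify_access_token(token, now)
    if claims is None:
        return False
    REVOKED_JTIS.add(claims["jti"])
    return True


def issue_refresh_token(user_id: str, tenant_id: str) -> str:
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[token] = (user_id, tenant_id)
    return token


def rotate_refresh_token(old_token: str, now: int | None = None) -> tuple[str, str] | None:
    """Exchange a refresh token exactly once: the presented token is consumed and a fresh
    access/refresh pair is issued. Presenting an already-consumed token is rejected."""
    identity = REFRESH_STORE.pop(old_token, None)
    if identity is None:
        return None
    user_id, tenant_id = identity
    return issue_access_token(user_id, tenant_id, now), issue_refresh_token(user_id, tenant_id)
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real service the verifier reads the clock, and the revocation set would live in shared storage so every API node sees a logout at once.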
2. Access Control & Permissions
Access is governed by role-based access control. Each user holds a firm role (Owner, Admin, Lawyer, Paralegal, or Viewer) that determines what they can see and do. Matters can be shared with named colleagues at four cumulative permission levels — View, Comment, Contribute, and Manage — and every relevant action (reading a matter, adding notes, uploading documents, running AI, advancing a stage, editing matter details, deleting documents, and sharing) is enforced on the server against the caller's effective permission, rather than merely hidden in the UI. All data is strictly isolated by tenant: a user can only ever reach records belonging to their own firm.
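The ordering of checks matters here: tenant isolation is decided first and absolutely, then the firm role and the share level combine into one effective permission that each action is compared against. The following is an added illustration, not Xycora's implementation. The page lists the roles, the four levels and the protected actions but not which level each action requires, nor how a firm role and a share level combine, so the action thresholds, the role ceilings, and the rule that Owner and Admin manage every matter in their firm are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Permission(IntEnum):
    """The four cumulative share levels from the page, plus NONE for 'no access'."""
    NONE = 0
    VIEW = 1
    COMMENT = 2
    CONTRIBUTE = 3
    MANAGE = 4


# Assumed minimum level per action. The page names these actions but not their
# thresholds; this mapping is illustrative only.
REQUIRED_LEVEL = {
    "read_matter": Permission.VIEW,
    "add_note": Permission.COMMENT,
    "upload_document": Permission.CONTRIBUTE,
    "run_ai": Permission.CONTRIBUTE,
    "advance_stage": Permission.CONTRIBUTE,
    "edit_matter": Permission.MANAGE,
    "delete_document": Permission.MANAGE,
    "share_matter": Permission.MANAGE,
}

# Assumed ceiling imposed by the firm role: a Viewer never exceeds VIEW however a
# matter was shared with them. Owner and Admin are assumed to manage all firm matters.
ROLE_CEILING = {
    "Owner": Permission.MANAGE,
    "Admin": Permission.MANAGE,
    "Lawyer": Permission.MANAGE,
    "Paralegal": Permission.CONTRIBUTE,
    "Viewer": Permission.VIEW,
}
FIRM_WIDE_ROLES = {"Owner", "Admin"}


@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str
    role: str


@dataclass
class Matter:
    id: str
    tenant_id: str
    owner_id: str
    shares: dict = field(default_factory=dict)  # user id -> Permission granted by sharing


def effective_permission(user: User, matter: Matter) -> Permission:
    # Tenant isolation comes first and is absolute: no role or share crosses firms.
    if user.tenant_id != matter.tenant_id:
        return Permission.NONE
    ceiling = ROLE_CEILING.get(user.role, Permission.NONE)  # unknown role -> no access
    if user.role in FIRM_WIDE_ROLES or matter.owner_id == user.id:
        granted = Permission.MANAGE
    else:
        granted = matter.shares.get(user.id, Permission.NONE)
    return min(granted, ceiling)


def authorize(user: User, matter: Matter, action: str) -> bool:
    """Server-side check: unknown actions are denied, as is anything below the required level."""
    required = REQUIRED_LEVEL.get(action)
    if required is None:
        return False
    return effective_permission(user, matter) >= required
```

Because the levels are cumulative, a single integer comparison expresses "Contribute implies Comment implies View"; denying unknown action names by default means a new endpoint cannot be reachable until someone has deliberately assigned it a level.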
3. Audit Trail
Key actions are recorded in an append-only audit trail — including logins and failed login attempts, AI actions, document uploads, downloads and deletions, share grants and revocations, role changes, and matter creation, updates, and deletion. Each entry records the event type, a UTC timestamp, the acting user, the tenant, and relevant metadata, giving your firm a complete, chronological record of activity on every matter.
4. Encryption
All traffic between your browser and Xycora is encrypted in transit over TLS. In production, uploaded documents are stored in object storage with server-side encryption at rest (AES-256), and the metadata database is encrypted at rest by default. Document integrity is verified with a SHA-256 hash captured at upload time.
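Sections 3 and 4 fit together in practice: the SHA-256 digest captured at upload is both the integrity reference checked on every download and a natural piece of audit metadata, and a download that fails that check is itself an event worth recording. The code below is an added example, not Xycora's implementation. The page does not say how append-only is enforced, what the event types are called, or how storage is laid out, so the event names, the in-memory dictionaries standing in for object storage and the metadata database, and the `AuditTrail` class that simply exposes no mutation path are assumptions made here.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Iterator, Optional

CHUNK_SIZE = 64 * 1024  # hash large uploads without holding them in memory twice


@dataclass(frozen=True)
class AuditEntry:
    event_type: str
    timestamp_utc: str  # ISO-8601, always in UTC
    actor_id: str
    tenant_id: str
    metadata: dict


class AuditTrail:
    """Append-only: entries can be recorded and read back, never edited or removed."""

    def __init__(self) -> None:
        self._entries: list = []

    def record(self, event_type: str, actor_id: str, tenant_id: str, **metadata) -> AuditEntry:
        entry = AuditEntry(event_type, datetime.now(timezone.utc).isoformat(),
                           actor_id, tenant_id, dict(metadata))
        self._entries.append(entry)
        return entry

    def entries(self) -> tuple:
        return tuple(self._entries)  # a copy; callers cannot reach the backing list


def iter_chunks(data: bytes, size: int = CHUNK_SIZE) -> Iterator[bytes]:
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    digest = hashlib.sha256()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()


class DocumentStore:
    def __init__(self, trail: AuditTrail) -> None:
        self._blobs: dict = {}   # doc_id -> (bytes, tenant_id); stands in for object storage
        self._hashes: dict = {}  # doc_id -> sha256 captured at upload (metadata database)
        self.trail = trail

    def upload(self, doc_id: str, data: bytes, actor_id: str, tenant_id: str) -> str:
        digest = sha256_of_chunks(iter_chunks(data))
        self._blobs[doc_id] = (bytes(data), tenant_id)
        self._hashes[doc_id] = digest
        self.trail.record("document.uploaded", actor_id, tenant_id,
                          doc_id=doc_id, sha256=digest, size=len(data))
        return digest

    def verify_integrity(self, doc_id: str, data: bytes) -> bool:
        """True only if `data` still matches the digest recorded when the document was uploaded."""
        expected = self._hashes.get(doc_id)
        return expected is not None and sha256_of_chunks(iter_chunks(data)) == expected

    def download(self, doc_id: str, actor_id: str, tenant_id: str) -> Optional[bytes]:
        stored = self._blobs.get(doc_id)
        if stored is None or stored[1] != tenant_id:  # tenant isolation: wrong firm sees nothing
            return None
        data = stored[0]
        if not self.verify_integrity(doc_id, data):
            self.trail.record("document.integrity_failure", actor_id, tenant_id, doc_id=doc_id)
            return None  # never hand back a document that no longer matches its upload hash
        self.trail.record("document.downloaded", actor_id, tenant_id, doc_id=doc_id)
        return data
```

Recording the digest and size at upload, and emitting a distinct event when verification fails, gives the audit trail enough to answer "what exactly was uploaded, and was the copy served later the same bytes" without consulting the storage layer.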
5. AI Data Handling
Xycora queries multiple AI providers (Claude, GPT, and Gemini) and synthesises their answers. Xycora does not use your matter data to train any AI model. Every AI output is presented as a draft for attorney review — each result carries a clear notice that it must be reviewed before professional reliance — and the model is instructed to flag any citation it cannot confirm and any inference it cannot ground in the source material.
6. Reporting a Security Issue
If you believe you have found a security vulnerability, please contact [email protected]. We welcome responsible disclosure and will work with you to verify and address any genuine issue.
For questions about Xycora's security posture or to discuss your firm's specific requirements, contact [email protected].