QanoonAI

Data Security

Last updated: February 2026

1. Our Security Commitment

QanoonAI handles sensitive legal data for Pakistan's judiciary, legal profession, and public. We implement government-grade security measures to protect the confidentiality, integrity, and availability of all data on our platform.

2. Encryption

  • At Rest: All data is encrypted using AES-256 encryption. Database encryption keys are managed through a dedicated key management service with automatic rotation.
  • In Transit: All communications between your browser and our servers are protected by TLS 1.3. API communications between internal services also use encrypted channels.
  • Judicial Data: Judicial user data uses separate encryption keys stored in isolated key vaults, ensuring complete cryptographic separation from other user data.

3. Access Controls

  • Role-based access control (RBAC) enforced at the application, API, and database layers.
  • Mandatory two-factor authentication (2FA) for all judicial accounts.
  • Judicial identity verification through official email domain checks and administrative approval.
  • Session management with automatic timeout and secure token handling (JWT with short-lived tokens).
  • Strict separation: judicial tools and lawyer tools operate in isolated workspaces with no cross-access.

4. Infrastructure Security

  • Application hosted on enterprise-grade cloud infrastructure with 99.9% uptime SLA.
  • Database hosted on Neon PostgreSQL with automated backups, point-in-time recovery, and geographic redundancy.
  • Network security includes firewalls, DDoS protection, and intrusion detection systems.
  • Regular security patches and vulnerability scanning across all infrastructure components.

5. Audit & Monitoring

  • All AI requests and document operations are logged with hash-chained immutable audit records.
  • Audit logs are retained for 7-10 years in compliance with legal record-keeping requirements.
  • Real-time monitoring for unauthorized access attempts and anomalous usage patterns.
  • Regular security audits and penetration testing by qualified security professionals.

6. AI & Data Processing

  • AI processing uses Retrieval-Augmented Generation (RAG) — the AI retrieves from verified court judgments rather than generating information from scratch.
  • Every AI-generated citation is verified against our database before being displayed to the user.
  • User documents are processed in isolated sessions and are not used to train AI models.
  • Embedding vectors are cached in encrypted Redis instances with automatic expiry.

7. Compliance

Our security practices are designed to comply with Pakistan's Electronic Transactions Ordinance (2002), the Prevention of Electronic Crimes Act (2016), and applicable data protection regulations. We maintain documentation and controls appropriate for handling legal and judicial data.

8. Incident Response

In the event of a security incident, we maintain a documented incident response plan that includes immediate containment, investigation, notification of affected users within 72 hours, and remediation. Critical security incidents involving judicial data trigger an escalated response protocol.

9. Contact

To report a security vulnerability or for security-related inquiries, contact our security team at security@qanoonai.pk.